Apache Shiro Deserialization RCE

Description

Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.

By default, Shiro uses the CookieRememberMeManager, which serializes, encrypts and encodes the user's identity for later retrieval. When it receives a request from an unauthenticated user, it looks for their remembered identity by doing the following:

  • Retrieve the value of the rememberMe cookie
  • Base64 decode it
  • Decrypt it using AES
  • Deserialize it using Java serialization (ObjectInputStream)

However, the default encryption key is hardcoded, so anyone with access to the source code knows it. An attacker can therefore create a malicious object, serialize it, encrypt and encode it, then send it as the rememberMe cookie. Shiro decodes, decrypts and deserializes it, meaning that the malicious object is now live on the server. With careful construction of the objects, they can be made to run malicious code (see the link above for more detail).
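The two defences that follow from the description above are a key that is not the compiled-in default and a deserializer that refuses everything except the principal classes Shiro actually stores. The class below is an added example written for this page, not Shiro's own code: it wires a CookieRememberMeManager with a key generated at startup and a Serializer that applies a Java 9+ ObjectInputFilter allowlist. The class list in the filter pattern and the cookie size limit are assumptions for a deployment whose principals are plain strings; adjust them to your own principal types.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.security.Key;

import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.io.DefaultSerializer;
import org.apache.shiro.io.SerializationException;
import org.apache.shiro.io.Serializer;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

public final class HardenedRememberMe {

    /**
     * Serializer that only deserializes the classes a SimplePrincipalCollection of
     * String principals needs. Any other class in the stream (the gadget chains a
     * crafted cookie relies on) is rejected before its constructor or readObject runs.
     */
    static final class AllowListSerializer implements Serializer<PrincipalCollection> {
        // Assumption: principals are java.lang.String; add your own principal class
        // if you store a user object instead. "!*" rejects everything not listed.
        private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
                "org.apache.shiro.subject.SimplePrincipalCollection;"
              + "java.lang.String;java.util.LinkedHashMap;java.util.LinkedHashSet;"
              + "maxdepth=8;maxrefs=256;maxbytes=4096;!*");

        private final Serializer<PrincipalCollection> delegate = new DefaultSerializer<>();

        @Override
        public byte[] serialize(PrincipalCollection principals) throws SerializationException {
            // Writing is unchanged; only reading untrusted bytes needs the filter.
            return delegate.serialize(principals);
        }

        @Override
        public PrincipalCollection deserialize(byte[] serialized) throws SerializationException {
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(serialized))) {
                in.setObjectInputFilter(FILTER);
                return (PrincipalCollection) in.readObject();
            } catch (IOException | ClassNotFoundException e) {
                // A rejected class surfaces as InvalidClassException; log this as a
                // security event, it is a strong signal of a forged rememberMe cookie.
                throw new SerializationException("rememberMe payload rejected", e);
            }
        }
    }

    /** Builds a remember-me manager that does not rely on the hardcoded default key. */
    public static CookieRememberMeManager hardenedRememberMeManager() {
        CookieRememberMeManager manager = new CookieRememberMeManager();

        // Generate a fresh 256-bit AES key at startup instead of using the default.
        // Cookies issued before a restart become undecryptable, which is the intended
        // failure mode; a clustered deployment would load the key from a secret store.
        Key key = new AesCipherService().generateNewKey(256);
        manager.setCipherKey(key.getEncoded());

        manager.setSerializer(new AllowListSerializer());
        return manager;
    }

    /** Example wiring into the web security manager. */
    public static DefaultWebSecurityManager securityManager() {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRememberMeManager(hardenedRememberMeManager());
        return securityManager;
    }
}
```

Both controls are needed: a secret key stops a remote attacker from producing a cookie Shiro will decrypt at all, and the allowlist limits the damage if the key ever leaks (from a repository, a backup or a misconfigured instance). Later Shiro releases generate a random key when none is configured, but an explicitly set key still has to be audited, because a key copied from a tutorial is as predictable as the original default.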

Note: Hard coding (also hard-coding or hardcoding) is the software development practice of embedding data directly into the source code of a program or other executable object instead of obtaining the data from external sources or generating it at runtime. Hard-coded data can typically only be modified by editing the source and recompiling the executable, although it can also be changed in memory or on disk using a debugger or hex editor.

Posted 2021-02-03 09:01 by 咕咕鸟GGA