A padding oracle vulnerability in Apache Shiro that leads to remote code execution was recently disclosed. After analysis, we judge the severity to be serious and the impact surface to be wide. At the time of writing, Apache Shiro has not issued official patches or mitigation guidance.
Apache Shiro is an open-source software security framework that performs authentication, authorization, cryptography and session management. Shiro has been designed to be an intuitive and easy-to-use framework while still providing robust security features.
The rememberMe value in the Apache Shiro cookie, which is encrypted with AES-128-CBC, is flawed and vulnerable to padding oracle attacks. An attacker can complete an attack by following these steps:
- Log in to the website and obtain the rememberMe value from the cookie.
- Use that rememberMe ciphertext as the prefix for the padding oracle attack.
- Encrypt a ysoserial serialization payload via the padding oracle attack to produce a crafted rememberMe value.
- Send a request to the website with the crafted rememberMe cookie to trigger the deserialization attack.
The attacker does not need to know the key used to encrypt rememberMe.
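What makes these steps possible is that the cookie is encrypted but not authenticated: the server decrypts first and checks integrity afterwards, so its response separates "padding was invalid" from "padding was fine but the content was rejected", and that difference is the oracle. The Go program below is an added example, not Shiro's code (Shiro is Java) and not taken from the advisory. It contrasts an unauthenticated AES-128-CBC cookie decryptor with an AES-GCM one and counts how many distinguishable outcomes each produces when a single ciphertext byte is varied; an authenticated scheme (AES-GCM, or encrypt-then-MAC with the tag checked before decryption) collapses every tampering to one uniform rejection. The key, the `PRINCIPALS:` marker standing in for the serialized principal, and all function names are constructed for the demonstration.

```go
package main

// Added example (not Shiro's code): the two decryption shapes that decide
// whether a padding oracle exists. The key, the PRINCIPALS: marker and the
// function names are constructed for this demonstration.

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

var (
	errBadPadding    = errors.New("invalid PKCS#7 padding")        // leaked by the vulnerable shape
	errBadPayload    = errors.New("payload failed to deserialize") // leaked by the vulnerable shape
	errInvalidCookie = errors.New("invalid rememberMe cookie")     // the only error of the hardened shape
)

// payloadMagic stands in for the serialized principals a real rememberMe
// cookie carries (constructed placeholder, not Shiro's format).
var payloadMagic = []byte("PRINCIPALS:")

// VulnerableSeal: AES-128-CBC with PKCS#7 padding and no authentication tag.
func VulnerableSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padLen := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	out := make([]byte, aes.BlockSize+len(padded)) // IV || ciphertext
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// VulnerableOpen decrypts first and validates afterwards, so the caller can
// tell a padding failure from a content failure: that is the padding oracle.
func VulnerableOpen(key, cookie []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(cookie) < 2*aes.BlockSize || len(cookie)%aes.BlockSize != 0 {
		return nil, errInvalidCookie
	}
	iv, ct := cookie[:aes.BlockSize], cookie[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	padLen := int(pt[len(pt)-1])
	if padLen == 0 || padLen > aes.BlockSize ||
		!bytes.Equal(pt[len(pt)-padLen:], bytes.Repeat([]byte{byte(padLen)}, padLen)) {
		return nil, errBadPadding // distinguishable outcome 1
	}
	pt = pt[:len(pt)-padLen]
	if !bytes.HasPrefix(pt, payloadMagic) {
		return nil, errBadPayload // distinguishable outcome 2: a deserializer would run here
	}
	return pt, nil
}

// HardenedSeal: AES-GCM, output is nonce || ciphertext || tag.
func HardenedSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// HardenedOpen verifies the tag before any plaintext is examined and maps
// every failure to one error, so neither padding nor content is observable.
func HardenedOpen(key, cookie []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(cookie) < ns+aead.Overhead() {
		return nil, errInvalidCookie
	}
	pt, err := aead.Open(nil, cookie[:ns], cookie[ns:], nil)
	if err != nil || !bytes.HasPrefix(pt, payloadMagic) {
		return nil, errInvalidCookie
	}
	return pt, nil
}

// DistinctOutcomes is a reviewer's check for a decryptor: set one ciphertext
// byte to each of its 256 values and count the different responses. More
// than two ("accepted" plus one uniform rejection) means an oracle exists.
func DistinctOutcomes(open func(key, cookie []byte) ([]byte, error), key, cookie []byte, pos int) int {
	seen := map[string]bool{}
	for v := 0; v < 256; v++ {
		probe := append([]byte{}, cookie...)
		probe[pos] = byte(v)
		if _, err := open(key, probe); err != nil {
			seen[err.Error()] = true
		} else {
			seen["accepted"] = true
		}
	}
	return len(seen)
}

func main() {
	key := []byte("0123456789abcdef") // constructed 16-byte demo key
	principals := append(append([]byte{}, payloadMagic...), "alice"...)
	weak, _ := VulnerableSeal(key, principals)
	strong, _ := HardenedSeal(key, principals)
	// In CBC the last byte of the second-to-last ciphertext block controls the
	// final padding byte of the decrypted cookie; vary the same offset in both.
	fmt.Println("AES-CBC, unauthenticated:", DistinctOutcomes(VulnerableOpen, key, weak, len(weak)-aes.BlockSize-1), "outcomes")
	fmt.Println("AES-GCM, authenticated:  ", DistinctOutcomes(HardenedOpen, key, strong, len(strong)-aes.BlockSize-1), "outcomes")
}
```

Running it reports 3 outcomes for the CBC decryptor (accepted, bad padding, bad payload) and 2 for the GCM one (accepted, invalid cookie). The same counting check applies to any cookie or token decryptor: if the rejection set has more than one member that a client can tell apart, by error text, status code or timing, the integrity check is happening too late.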
Affected versions:
- Apache Shiro 1.2.5, 1.2.6, 1.3.0, 1.3.1, 1.3.2, 1.4.0-RC2, 1.4.0, 1.4.1.