Tue. Jul 7th, 2020

[Unpatched] Apache Shiro Padding Oracle remote code execution vulnerability alert


Recently, a Padding Oracle remote code execution vulnerability in Apache Shiro was disclosed. After analysis, we judge the severity of the vulnerability to be serious, with a wide attack surface and wide impact. At present, Apache Shiro has not issued an official patch or mitigation.

Apache Shiro is an open-source software security framework that performs authentication, authorization, cryptography and session management. Shiro has been designed to be an intuitive and easy-to-use framework while still providing robust security features.

The rememberMe field in the Apache Shiro cookie, which is encrypted with AES-128-CBC, is vulnerable to a Padding Oracle attack. An attacker can complete an attack by following these steps:

  1. Log in to the website and obtain the rememberMe value from the cookie.
  2. Use the rememberMe cookie as the prefix for the Padding Oracle attack.
  3. Encrypt a ysoserial serialization payload via the Padding Oracle attack to make a crafted rememberMe value.
  4. Send a request to the website with the new rememberMe cookie to perform the deserialization attack.

The attacker does not need to know the cipher key used for rememberMe encryption.
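As an added illustration, not code from this advisory or from the Shiro project, the following Go program contrasts the weak construction the advisory describes, AES-128-CBC with PKCS#7 padding and no integrity check, with an authenticated alternative. The key, the cookie contents and all helper names (`cookieCipher`, `decryptCBC`, `decryptGCM`, `flipByte`) are constructed for the example. The CBC decrypt reports a padding failure as an outcome distinct from everything else, and a one-byte change to the ciphertext is either rejected with that distinct error or silently accepted as altered plaintext; that distinguishable behaviour, once reflected in the server's response, is what a Padding Oracle attack exploits, and it does not depend on the key. The AES-GCM path verifies the authentication tag before decrypting, so every modification collapses to one uniform rejection.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	// demoKey is a constructed 16-byte key standing in for the server-side cipher key.
	demoKey = []byte("0123456789abcdef")
	// ErrBadPadding: the weak path reports a padding failure apart from every other outcome.
	ErrBadPadding = errors.New("invalid PKCS#7 padding")
	// ErrTampered: the hardened path gives this one answer for any modified cookie.
	ErrTampered = errors.New("cookie rejected")
)

// cookieCipher holds one AES-128 key in the two shapes the two code paths need.
type cookieCipher struct {
	block cipher.Block
	aead  cipher.AEAD
}

func newCookieCipher(key []byte) (*cookieCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &cookieCipher{block: block, aead: aead}, nil
}

// encryptCBC returns IV || AES-128-CBC(PKCS#7(plaintext)) with no MAC: the weak pattern.
func (c *cookieCipher) encryptCBC(plaintext []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(c.block, iv).CryptBlocks(out, padded)
	return append(iv, out...)
}

// decryptCBC decrypts first and inspects the padding afterwards, so whoever can observe
// the result learns whether the padding of a chosen ciphertext was valid: the oracle.
func (c *cookieCipher) decryptCBC(ct []byte) ([]byte, error) {
	if len(ct) < 2*aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("malformed ciphertext")
	}
	out := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCBCDecrypter(c.block, ct[:aes.BlockSize]).CryptBlocks(out, ct[aes.BlockSize:])
	n := int(out[len(out)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrBadPadding
	}
	return out[:len(out)-n], nil
}

// encryptGCM returns nonce || AES-128-GCM(plaintext) || tag: the cookie is authenticated.
func (c *cookieCipher) encryptGCM(plaintext []byte) []byte {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return c.aead.Seal(nonce, nonce, plaintext, nil)
}

// decryptGCM verifies the tag before releasing any plaintext; every tampered cookie,
// whichever byte was touched, yields the same ErrTampered.
func (c *cookieCipher) decryptGCM(ct []byte) ([]byte, error) {
	ns := c.aead.NonceSize()
	if len(ct) < ns {
		return nil, ErrTampered
	}
	pt, err := c.aead.Open(nil, ct[:ns], ct[ns:], nil)
	if err != nil {
		return nil, ErrTampered
	}
	return pt, nil
}

// flipByte returns a copy of ct with byte i XORed by mask: a one-byte cookie modification.
func flipByte(ct []byte, i int, mask byte) []byte {
	out := append([]byte{}, ct...)
	out[i] ^= mask
	return out
}

func main() {
	c, _ := newCookieCipher(demoKey)
	cbc, gcm := c.encryptCBC([]byte("user=alice")), c.encryptGCM([]byte("user=alice"))
	_, padErr := c.decryptCBC(flipByte(cbc, aes.BlockSize-1, 0x80)) // IV[15] -> padding byte
	pt, err := c.decryptCBC(flipByte(cbc, 0, 0x01))                 // IV[0] -> content only
	_, gcmErr := c.decryptGCM(flipByte(gcm, len(gcm)-1, 0x01))
	fmt.Printf("CBC: %v | accepted as %q (%v) | GCM: %v\n", padErr, pt, err, gcmErr)
}
```

Flipping the last IV byte disturbs only the padding byte of the single plaintext block, so the weak path answers with `ErrBadPadding`; flipping the first IV byte disturbs only the first plaintext byte, so the same path accepts the cookie with its content changed. The defensive point is that client-controlled ciphertext must be integrity-checked before it is decrypted (an AEAD mode or encrypt-then-MAC), and that padding errors must not be distinguishable from any other rejection in the response, its status, its headers or its timing.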

Affected versions

  • Apache Shiro 1.2.5, 1.2.6, 1.3.0, 1.3.1, 1.3.2, 1.4.0-RC2, 1.4.0, 1.4.1.