[SHIRO-721] RememberMe Padding Oracle Vulnerability - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Resolved
Affects Version/s: 1.2.5, 1.2.6, 1.3.0, 1.3.1, 1.3.2, 1.4.0-RC2, 1.4.0, 1.4.1
Fix Version/s: 1.4.2
Component/s: RememberMe
Labels:

Flags:

Important

Description

The cookie rememberMe is encrypted by AES-128-CBC mode, and this can be vulnerable to padding oracle attacks. Attackers can use a vaild rememberMe cookie as the prefix for the Padding Oracle Attack,then make a crafted rememberMe to perform the java deserilization attack like ~~SHIRO-550~~.

Steps to reproduce this issue:

Login in the website and get the rememberMe from the cookie.
Use the rememberMe cookie as the prefix for Padding Oracle Attack.
Encrypt a ysoserial's serialization payload to make a crafted rememberMe via Padding Oracle Attack.
Request the website with the new rememberMe cookie, to perform the deserialization attack.

The attacker doesn't need to know the cipher key of the rememberMe encryption.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: loopx9

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 08/Sep/19 04:17

Updated:: 20/Nov/19 09:52

Resolved:: 18/Nov/19 20:34

Time Tracking

Estimated:

504h

Remaining:

504h

Logged:

Not Specified