IBM WebSphere deserialization of untrusted data:
http://lab.mediaservice.net/advisory/2016-03-websphere.txt
Security Advisory @ Mediaservice.net Srl
(#01, 06/09/2016) Data Security Division

Title: IBM WebSphere deserialization of untrusted data
Application: IBM WebSphere 7, 8, 8.5, 9
Description: The application server deserializes untrusted data received by its SOAP Connector. This can lead to a DoS via resource exhaustion and potentially remote code execution.
Author: Federico Dotta <federico.dotta@mediaservice.net>
        Maurizio Agazzini <inode@mediaservice.net>
Vendor Status: Fixed (PI73519)
CVE Candidate: The Common Vulnerabilities and Exposures project has assigned the name CVE-2016-8919 to this issue.
References: http://lab.mediaservice.net/advisory/2016-03-websphere.txt
            http://lab.mediaservice.net/code/websphere_soap.py

1. Abstract.

IBM WebSphere SOAP Connector is a TCP service running on port 8880/TCP. It communicates using SOAP messages that contain serialized Java objects. The server deserializes these objects without checking the object type. This behavior can be exploited to cause a denial of service and potentially execute arbitrary code.

This vulnerability was already reported to IBM (see CVE-2015-7450), but the released fix swg21970575 is incorrect: it removes one exploitation vector without fixing the root cause of the issue.

The objects that can cause the DoS are based on known disclosed payloads taken from:

- https://gist.github.com/coekie/a27cc406fc9f3dc7a70d

Currently there is no known chain that allows code execution on IBM WebSphere; however, new chains are discovered every day.

2. Example Attack Session.

A Proof of Concept has been written to send a request that will cause 100% CPU usage for an unknown amount of time.

Code: http://lab.mediaservice.net/code/websphere_soap.py

3. Affected Platforms.

This vulnerability affects the following versions and releases of WebSphere Application Server traditional and WebSphere Application Server Hypervisor Edition, and prior versions:

- 9.0.0.3
- 8.5.5.11
- 8.0.0.12
- 7.0.0.41

4. Fix.

Apply Interim Fix PI73519
http://www-01.ibm.com/support/docview.wss?uid=swg21993797

5. Proof Of Concept.

See websphere_soap.py and Example Attack Session above.

6. Timeline

06/09/2016 - First communication sent to IBM PSIRT (psirt at us.ibm.com)
07/09/2016 - IBM response, PSIRT Advisory 6528 assigned to the bug
23/11/2016 - IBM request to postpone disclosure until January
17/01/2017 - Communication from IBM with fix information (PI73519)
06/02/2017 - Advisory released

Copyright (c) 2017 @ Mediaservice.net Srl. All rights reserved.
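The root cause named in the abstract is deserialization that never checks the object type before instantiating it. The following is an added example, not code from the advisory, from IBM or from WebSphere, showing the general mitigation for any Java service that must read serialized objects: a look-ahead ObjectInputStream that rejects every class not on an explicit allowlist, and the same policy expressed as a JEP 290 ObjectInputFilter (Java 9+) with depth and array caps that also blunt resource-exhaustion payloads. The Order DTO, the allowlist contents and the numeric limits are assumptions chosen for illustration; the rejected sample is an ordinary nested collection, not the advisory's payload.

```java
import java.io.*;
import java.util.*;

public final class SafeDeserialization {

    /** Hypothetical application DTO: the only type this endpoint is assumed to accept. */
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final int quantity;
        Order(String id, int quantity) { this.id = id; this.quantity = quantity; }
    }

    // Assumed allowlist. Anything else, including every array descriptor "[...",
    // is rejected before the JVM creates an instance of it.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        Order.class.getName(), "java.lang.String", "java.lang.Integer", "java.lang.Number"));

    /** Pre-Java-9 technique: resolveClass() runs before the object is instantiated. */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                throw new InvalidClassException(name, "not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    /** Java 9+ technique: the same allowlist plus graph-size limits (values are assumptions). */
    static ObjectInputFilter policyFilter() {
        return ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=1000;maxrefs=500;"
            + Order.class.getName()
            + ";java.lang.String;java.lang.Integer;java.lang.Number;!*");
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    /** Reads one object through either guard; throws InvalidClassException on a policy violation. */
    static Object deserialize(byte[] data, boolean useFilter)
            throws IOException, ClassNotFoundException {
        ObjectInputStream ois = useFilter
            ? new ObjectInputStream(new ByteArrayInputStream(data))
            : new AllowlistObjectInputStream(new ByteArrayInputStream(data));
        if (useFilter) ois.setObjectInputFilter(policyFilter());
        try (ois) { return ois.readObject(); }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Order("A-17", 3));          // constructed sample
        Set<Object> nested = new HashSet<>();                       // constructed sample
        nested.add(new HashMap<String, String>());
        byte[] unexpected = serialize(nested);

        for (boolean useFilter : new boolean[] {false, true}) {
            String guard = useFilter ? "ObjectInputFilter" : "resolveClass allowlist";
            Order o = (Order) deserialize(expected, useFilter);
            System.out.println(guard + " accepted Order " + o.id + " x" + o.quantity);
            try {
                deserialize(unexpected, useFilter);
                System.out.println(guard + " BUG: unexpected type accepted");
            } catch (InvalidClassException e) {
                System.out.println(guard + " rejected: " + e.getMessage());
            }
        }
    }
}
```

Both guards decide on the class descriptor, i.e. before readObject() runs any constructor, readObject() method or hashCode() of the incoming type, which is what makes the check effective against both gadget chains and CPU-exhaustion graphs. An allowlist is preferable to a denylist of known gadget classes for the reason the abstract gives: a denylist only removes one exploitation vector at a time.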