-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2020-023
Product: MQ Java client library
Manufacturer: IBM
Tested Version(s): 9.1.0.5
Vulnerability Type: Deserialization of Untrusted Data (CWE-502)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2020-06-15
Solution Date: 2021-01-27
Public Disclosure: 2021-02-19
CVE Reference: CVE-2020-4682
Author of Advisory: Moritz Bechler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

MQ is IBM's message bus service. This issue affects the Java client
library, which is provided separately (e.g., via Maven [4]).

The manufacturer describes the product as follows (see [1]):

"IBM MQ offers proven, enterprise-grade messaging capabilities that
skillfully and safely move information between applications"

The MQ Java client library contains an optional network service that
performs unsafe Java deserialization. Depending on the user application,
this may result in remote code execution.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The class
com.ibm.msg.client.commonservices.j2se.commandmanager.NetworkCommandServer
implements a network service which, by default, listens on TCP port 2014
on all interfaces.

This service is not running by default, and in fact no evidence could be
found that it is started intentionally by the library. However, static
initialization of the class
com.ibm.msg.client.commonservices.commandmanager.CommandManager is
sufficient to start the service. If the user application exposes
functionality that permits this initialization, e.g. calling
Class.forName() on user inputs, an attacker may be able to start this
service.

The network service then reads requests from the network and, in
com.ibm.msg.client.commonservices.commandmanager.Command#unFlatten(byte[]),
deserializes an object from the input data using Java's built-in
serialization mechanism.
There are no countermeasures against deserialization attacks in place.
If the application's classpath therefore contains one of the many
libraries with exploitable deserialization gadgets, remote code execution
can be achieved.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following victim application includes com.ibm.mq.allclient as well
as a library containing an exploitable RCE deserialization gadget, for
example Commons BeanUtils:

  public class MQTest {
      public static void main(String[] args) throws Exception {
          // Static initialization of CommandManager starts the listener
          Class.forName("com.ibm.msg.client.commonservices."+
                        "commandmanager.CommandManager");
          // Keep the process (and the listener) alive
          System.in.read();
      }
  }

Using the ysoserial [5] payload generator and encoding the generated
serialized payload with the custom header expected by the network
service, an exploit was developed. When the generated request is sent to
the listener, the listener tries to restore a command object; instead it
invokes the deserialization gadget, causing command execution in the
context of the listener process.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Upgrade to the fixed library versions stated in the vendor security
bulletin [7].
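As an added illustration (not IBM's code and not part of the original advisory), the following Java program places the unfiltered deserialization pattern described above next to the mitigation covered by the serialization filtering reference [6]: the Command type, the two unFlatten methods and the flatten helper are hypothetical stand-ins, and a plain java.util.HashMap stands in for a gadget chain to show what an allowlist filter rejects.

```java
import java.io.*;

// Added example: stand-ins for a listener's command object and its unFlatten step.
public class UnflattenDemo {

    // Hypothetical stand-in for the command type the listener expects to restore.
    static final class Command implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        Command(String name) { this.name = name; }
    }

    // Vulnerable pattern: whichever class the stream names gets instantiated,
    // so any gadget class on the classpath is reachable from network input.
    static Object unFlattenUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern (JEP 290, Java 9+): an allowlist filter rejects every
    // class other than the expected command type before it is resolved.
    // Primitive arrays such as byte[] are left undecided by the pattern and pass.
    static final ObjectInputFilter COMMAND_ONLY = ObjectInputFilter.Config.createFilter(
            Command.class.getName() + ";java.lang.String;maxdepth=4;maxbytes=65536;!*");

    static Command unFlattenFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(COMMAND_ONLY);
            return (Command) in.readObject();
        }
    }

    // Constructed input: serialize an object the way a client would "flatten" it.
    static byte[] flatten(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = flatten(new Command("ping"));
        byte[] foreign = flatten(new java.util.HashMap<String, String>()); // harmless gadget stand-in
        System.out.println("unfiltered accepts foreign class: " + unFlattenUnfiltered(foreign).getClass());
        System.out.println("filtered restores command: " + unFlattenFiltered(legit).name);
        try {
            unFlattenFiltered(foreign);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejects foreign class: " + e.getMessage()); // "filter status: REJECTED"
        }
    }
}
```

The same allowlist can be applied process-wide without touching library code by starting the JVM with -Djdk.serialFilter=&lt;pattern&gt;, which also covers deserialization inside third-party listeners such as the one described here.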
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-05-04: Vulnerability discovered
2020-06-15: IBM contacted for direct security contact
2020-07-28: Response that reports are only accepted via HackerOne
2020-07-30: Reported to IBM through HackerOne
2021-01-27: Patch released by manufacturer
2020-02-19: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Website for MQ
    https://www.ibm.com/products/mq
[2] SySS Security Advisory SYSS-2020-023
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-023.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[4] MQ Client Library
    https://search.maven.org/artifact/com.ibm.mq/com.ibm.mq.allclient/9.1.5.0/jar
[5] Ysoserial payload generator
    https://github.com/frohoff/ysoserial/
[6] Java Platform, Serialization Filtering
    https://docs.oracle.com/javase/10/core/serialization-filtering1.htm
[7] IBM Security Bulletin 6408626
    https://www.ibm.com/support/pages/node/6408626

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Bechler of SySS GmbH.

E-Mail: moritz.bechler@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc
Key ID: 0x768EFE2BB3E53DDA
Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en