Java deserialization vulnerability in QRadar RemoteJavaScript Servlet

Abstract

A Java deserialization vulnerability exists in the QRadar RemoteJavaScript Servlet. An authenticated user can call one of the vulnerable methods and cause the Servlet to deserialize arbitrary objects.

An attacker can exploit this vulnerability by creating a specially crafted (serialized) object, which amongst other things can result in a denial of service, change of system settings, or execution of arbitrary code.

See also

CVE-2020-4280

6344079 - IBM QRadar SIEM is vulnerable to deserialization of untrusted data

Tested versions

This issue was successfully verified on QRadar Community Edition version 7.3.1.6 (7.3.1 Build 20180723171558).

Fix

IBM has released the following versions of QRader in which this issue has been resolved:

Introduction

QRadar is IBM's enterprise SIEM solution. A free version of QRadar is available that is known as QRadar Community Edition. This version is limited to 50 events per second and 5,000 network flows a minute, supports apps, but is based on a smaller footprint for non-enterprise use.

A Java deserialization vulnerability exists in the QRadar RemoteJavaScript Servlet. This Servlet contains a custom JSON-RPC implementation (based on JSON-RPC version 1.0). Certain methods accept base64 encoded serialized Java objects. No checks have been implemented to prevent deserialization of arbitrary objects. Consequently, an authenticated user can call one of the affected methods and cause the RemoteJavaScript Servlet to deserialize arbitrary objects.

An attacker can exploit this vulnerability by creating a specially crafted (serialized) object, which amongst other things can result in a denial of service, change of system settings, or execution of arbitrary code.

Details

The RemoteJavaScript Servlet is only accessible for authenticated users. It is mapped to the following URLs:

  • /remoteJavaScript
  • /remoteMethod
  • /JSON-RPC
  • /JSON-RPC/*

The JSON data can be passed via the URL query string or as POST data. The JSON data should contain a field named method, which contains the name of the application and the method that needs to be invoked. The requested application is looked up in the Application Registry. Each application has a mapping XML file located under /opt/qradar/conf/appconfig/ named <appname>-exported_methods.xml, which is essentially a list of all (Java) methods that can be called including their associated Java class, access control, and other settings.

When the application is found (and licensed), a call is made to getExportedMethod() to lookup the Java method that needs to be invoked. After some additional checks - like authorization - the Servlet will eventually invoke the call() method of the found Java method. If present, arguments are passed as a String array to the call() method. These arguments are then converted into the correct type using the com.q1labs.core.shared.util.ReflectionUtils.stringsToObjects() method.

com.q1labs.uiframeworks.application.ExportedMethod:

public abstract class ExportedMethod extends AllowableObject {
	
[...]
	
	public Object call(PageContext pageContext, String... passedArguments) throws Exception {
		if (passedArguments != null && passedArguments.length != 0) {
			if (this.log.isDebugEnabled()) {
				this.log.debug("Calling with passed in arguments: " + Arrays.toString(passedArguments));
			}

			return this.call(pageContext, this.stringsToObjects(passedArguments));
	
[...]
	
	private Object[] stringsToObjects(String[] paramaters) throws ExportedMethodException {
		return ReflectionUtils.stringsToObjects(this.getParameterTypes(), paramaters);
	}

The parameter types differ per method and are provided via the getParameterTypes() method. If the parameter type is a 'simple' type, it will be converted without deserialization. However, some methods also accept complex types, which are passed as serialized objects.

com.q1labs.core.shared.util.ReflectionUtils:

public class ReflectionUtils {
	public static Object stringToObject(Class type, String param) throws NoSuchMethodException, InvocationTargetException, InstantiationException, IllegalAccessException {
		long i;
		int i;
		if (type.isPrimitive()) {
			if (type.equals(Integer.TYPE)) {
				if (param == null) {
					param = "0";
				}
	
				i = (new Double(param)).longValue();
				if (i > 2147483647L) {
					i = 0L - (2147483647L - i);
				}
	
				return (int)i;
			} else if (type.equals(Character.TYPE)) {
				return param.charAt(0);
			} else if (type.equals(Double.TYPE)) {
				return new Double(param);
[...]
			} else {
				throw new RuntimeException("Unknown primitive type: " + type.getName());
			}
		} else if (param != null && !param.equalsIgnoreCase("$_NULL_$")) {
			if (type.equals(Short.class)) {
				i = (new Double(param)).intValue();
				if (i > 32767) {
					i = 0 - (32767 - i);
				}
	
				return (short)i;
[...]
			} else {
				return SerializationUtils.deserialize(Base64.decode(param));
			}
[...]
	}
	
	public static Object[] stringsToObjects(Class[] types, String... parameters) throws RuntimeException {
		Pattern arrayMatcher = Pattern.compile("^\\[(.+)\\]$");
		if (parameters != null && parameters.length > 0) {
			Object[] newArgs = new Object[types.length];
	
			for(int i = 0; i < types.length; ++i) {
			try {
				Class type = types[ i ];
				if (!type.isArray()) {
					newArgs[ i ] = stringToObject(type, parameters[ i ]);
[...]

Deserialization of objects is done using the org.apache.commons.lang3.SerializationUtils class. This class doesn't perform any checks on the objects that are deserialized. Since no checks are done in the RemoteJavaScript Servlet it can be abused to deserialize arbitrary objects. An attacker can exploit this vulnerability by creating a specially crafted (serialized) object.

Proof of concept

The JSON-RPC interface already contains a method that allows running of arbitrary commands (as the nobody user). This method is named qradar.executeCommand and can be called by any user, no special privileges are required. However, the method checks if the property console.enableExecuteCommand exists and is set to true. By default this property doesn't exist and thus it is not possible to call this method to run arbitrary commands. By utilizing the deserialization vulnerability it is possible to create this property, after which it is possible to use qradar.executeCommand to run arbitrary commands.

com.q1labs.qradar.ui.qradarservices.UIQRadarServices:

public static Object executeCommand(PageContext pageContext, String command, int timeoutSeconds) throws Exception {
	if (!"true".equalsIgnoreCase(QSystem.getProperty("console.enableExecuteCommand"))) {
		throw new Exception("Cannot execute remote system commands");
	} else {
		File qradarDir = new File(NVAReader.getProperty("NVA", "/opt/qradar"));
		Process proc = Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", command}, (String[])null, qradarDir);
[...]

One of the methods that can be used to trigger a deserialization operation is the method qradar.validateChangesAssetConfiguration. This method is mapped to the Java method com.q1labs.assetprofilerconfiguration.ui.util.AssetProfilerConfig.validateChangesAssetConfiguration(). The method takes one argument of the type java.util.List.

The proof of concept uses a Jython gadget. The Jython Java library is present in the Servlet's class path and consequently we can deserialize objects found in this library. The ysoserial payload generation tool already contains a gadget that uses the Jython library. ysoserial's payload will first write a Python file to the target system, after which the file is executed. The payload has been modified to directly create the target property (console.enableExecuteCommand) without the need to write a file to disk first. The payload is modified to execute the following Python code (upon deserialization):

eval("__import__('com.q1labs.frameworks.util.QSystem', globals(), locals(), ['setProperty'], 0).setProperty('console.enableExecuteCommand', 'true')")

Vragen of feedback?