

Code White discovered two new vulnerabilities which bypass the implemented mitigations. Thereby, all RichFaces versions including the latest 3. While there are only two major JSF implementations i.

RichFaces has three major version branches: The latest releases of the respective branches are 3. Both vulnerabilities rely on the feature to generate images, video, sounds, and other resources on the fly based on data provided in the request. The provided data is either interpreted as a plain array of bytes or as a Java serialized object stream. This vulnerability is a straightforward Java deserialization vulnerability.

When a RichFaces 3. That method then decodes and decompresses the data in a similar way and finally deserializes it without any further validation. This can be exploited with ysoserial using a suitable gadget. The arbitrary Java deserialization was patched in RichFaces 3.

The RichFaces issue RF corresponding to this vulnerability is public and actually quite detailed. This includes the contentProducer field, which is expected to be a MethodExpression object.

Now the problem with that is that the EL expression can be changed, even just with basic Linux utilities. There is no protection in place that would prevent one from tampering with it. Depending on the EL implementation, this allows arbitrary code execution, as demonstrated by the reporter.


However, exploitation of this vulnerability is not always that easy, especially if there is no existing sample of a valid do state object that can be tampered with. Creating the state object from scratch requires the use of compatible libraries; otherwise the deserialization may fail.

Moreover, the EL implementation does not allow arbitrary expressions with parameterized invocations in method expressions as this has only just been added in EL 2.


EL exploitation is quite an interesting topic in itself. The patch for this issue introduced in RichFaces 4. This is meant to prevent the invocation of methods with parameters like loadClass “java. The kind of the past vulnerabilities led to the assumption that there may be a way to bypass the mitigations. And after some research, two ways were found to gain remote code execution in a similar manner also affecting the latest RichFaces versions 3.


Although the issues RF and RF were discovered in the order of their identifier, we’ll explain them in the opposite order. Also note that the issues are not public but only visible to persons responsible for resolving security issues. While the injection of arbitrary EL expressions was possible right from the beginning, there is always a need to get them triggered somehow.

This similarity was found in the org.

When a resource of that type gets requested, its `send(ResourceContext)` method gets called. The resource data transmitted in the request must be an org.

This passes the whitelisting as ImageData extends org. SerializableResource, which actually was introduced in 3.
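The whitelist check discussed above can be pictured as a look-ahead `ObjectInputStream` that inspects each class descriptor before resolving it. The following is an added example, not code from RichFaces or from the original post; `PermittedResource`, `Thumbnail` and `Unexpected` are constructed stand-ins, and matching by base type is an assumption drawn from the remark that `ImageData` passes because of what it extends.

```java
import java.io.*;
import java.util.*;

public class AllowlistDemo {
    // Constructed stand-ins for this example; these are not RichFaces classes.
    interface PermittedResource extends Serializable {}
    static class Thumbnail implements PermittedResource { int width = 16; }
    static class Unexpected implements Serializable { int value = 1; }

    /** Checks every class descriptor in the stream before the class is resolved. */
    static class AllowlistObjectInputStream extends ObjectInputStream {
        private final List<Class<?>> permittedBases;

        AllowlistObjectInputStream(InputStream in, List<Class<?>> permittedBases) throws IOException {
            super(in);
            this.permittedBases = permittedBases;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            // Load without running static initializers, then test against the permitted base types.
            Class<?> c = Class.forName(desc.getName(), false, AllowlistDemo.class.getClassLoader());
            for (Class<?> base : permittedBases) {
                if (base.isAssignableFrom(c)) return c;
            }
            throw new InvalidClassException(desc.getName(), "class is not on the allowlist");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    /** Returns the deserialized class name, or the rejection message. */
    static String tryRead(byte[] data) throws IOException, ClassNotFoundException {
        List<Class<?>> bases = Collections.<Class<?>>singletonList(PermittedResource.class);
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(data), bases)) {
            return "accepted " + in.readObject().getClass().getSimpleName();
        } catch (InvalidClassException e) {
            return "rejected " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(tryRead(serialize(new Thumbnail())));  // subclass of a permitted base type
        System.out.println(tryRead(serialize(new Unexpected()))); // matches no permitted base type
    }
}
```

Because a base-type rule admits every subclass on the classpath, each subclass's behaviour during and after deserialization belongs in the review whenever such a rule is added.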


As the patch to CVE introduced in 4. But if you are familiar with EL internals, you would know that they can have custom function mappers and variable mappers, which are used by the ELResolver to resolve functions i.


Fortunately, various VariableMapper implementations were added to the whitelist starting with 4. There will be no patches after the end of support. In case of discovering a serious issue you will have to develop a patch yourself or switch to another framework.

The interesting thing about these classes is that they have an `equals(Object)` method, which eventually calls `getType(ELContext)` on an EL value expression. And as the value expression has to be evaluated to determine its resulting type, this can be used as a Java deserialization primitive to execute EL value expressions on deserialization.

This is very similar to the Myfaces1 and Myfaces2 gadgets in ysoserial. Unfortunately, this gadget does not work for RichFaces. ValueBinding is not whitelisted. And wrapping it in a StateHolderSaver does not work because the state object is of type Object[] and therefore the cast to Serializable[] in StateHolderSaver. It has been shown that all RichFaces versions 3.

As we can’t expect official patches, one way to mitigate all these vulnerabilities is to block requests to the concerned URLs:

May 30, Poor RichFaces. Arbitrary Java Deserialization in RichFaces 3. ResourceBuilderImpl allows remote code execution.

MediaOutputResource allows remote code execution.

Codec does support DES encryption if a password is set. VariableMapperImpl were added in 4. VariableMapperImpl was added in 4. Posted by Markus Wulftange at 3:
