#156 – Apache Tapestry forms and Java Serialization

Hi everybody, today I’m a little bit late but I’ll do a final article about Tapestry. I’ll write about the form system since I spent a little bit of time auditing it.

How does it work?

The framework will send a parameter to add to each form (as a hidden form value), which will act as a verifier of the form validity. To setup that form, Tapestry will serialize Java content which will be signed using a HMAC-SHA1 signature.

The final form of that form verification value is:

[base64(hmac-sha1-signature(key))][':'][base64(gzip(Serialized java message))]

Obviously, after verification of that signature, the message will get read and remote code execution could be possible if that signature can be bypassed.



What it means is that, to avoid getting rce’d, the only thing getting between the attacker and a remote code execution is that key. There is not a static default value but rather, the default value if the key is not set is equal to the package name.

When it is set or if it is not guessable, things gets a little bit more complicated, you could try:

  • A local file read would solve all problems, you’ll just have to get the read from the configurations and voilĂ .
  • Bruteforce, this is an option also due to the usage of sha1 rather than sha256.

Once the key is found, all you’ll have to do, probably is to run ysoserial, gzip the message then get the hmac-sha1 signature to get your RCE.

Leave a Reply

Your email address will not be published.