{"id":4058,"date":"2016-01-28T02:12:37","date_gmt":"2016-01-27T18:12:37","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=4058"},"modified":"2016-01-28T02:12:58","modified_gmt":"2016-01-27T18:12:58","slug":"paypal-remote-code-execution-vulnerability-patched","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2016\/01\/paypal-remote-code-execution-vulnerability-patched\/","title":{"rendered":"PayPal Remote Code Execution Vulnerability Patched"},"content":{"rendered":"<p>So this is a big one, and thankfully this PayPal Remote Code Execution Vulnerability was discovered by security researchers and not the bad guys. Although there&#8217;s no way for us to know if someone has been using this to siphon data out of PayPal for some time before the whitehats found it.<\/p>\n<p align=\"center\"><img decoding=\"async\" src=\"https:\/\/c2.staticflickr.com\/2\/1654\/24623975126_481e3b4878.jpg\" alt=\"PayPal Remote Code Execution Vulnerability Patched\" \/><\/p>\n<p>It&#8217;s a roundabout bug that turns out serious, and why I tell developers don&#8217;t mess with serialised data &#8211; it&#8217;s ugly. In this case object deserialisation in Java basically allowed for remote command execution on PayPal servers.<\/p>\n<blockquote><p>Independent security researcher Michael Stepankin has reported a since-patched remote code execution hole in Paypal that could have allowed attackers to hijack production systems.<\/p>\n<p>The critical vulnerability affecting manager.paypal.com revealed overnight was reported 13 December and patched soon after disclosure.<\/p>\n<p>It allowed Stepankin to execute arbitrary shell commands on PayPal web servers through Java object deserialisation opening access to production databases.<\/p>\n<p>&#8220;I immediately reported this bug to PayPal security team and it was quickly fixed after that,&#8221; Stepankin says<\/p>\n<p>&#8220;While security testing of manager.paypal.com, my attention was attracted by unusual post form parameter \u201coldFormData\u201d that looks like a complex object after base64 decoding.<\/p><\/blockquote>\n<script async src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-3033787195489589\"\r\n     crossorigin=\"anonymous\"><\/script>\r\n<!-- Darknet Responsive Post Ad Links [previously link ad unit] -->\r\n<ins class=\"adsbygoogle\"\r\n     style=\"display:block\"\r\n     data-ad-client=\"ca-pub-3033787195489589\"\r\n     data-ad-slot=\"5456620019\"\r\n     data-ad-format=\"auto\"><\/ins>\r\n<script>\r\n     (adsbygoogle = window.adsbygoogle || []).push({});\r\n<\/script>\n<p>It was reported responsibly and fixed fairly quickly, PayPal does have quite a good record of reacting in a timely fashion.<\/p>\n<p>You can read the original blog post here: <a href=\"http:\/\/artsploit.blogspot.com.au\/2016\/01\/paypal-rce.html\">PayPal Remote Code Execution Vulnerability <\/a><\/p>\n<blockquote><p>&#8220;After some research I realised that it\u2019s a Java serialised object without any signature handled by the application [which] means that you can send serialised object of any existing class to a server and &#8216;readObject&#8217; or &#8216;readResolve&#8217; method of that class will be called.&#8221;<\/p>\n<p>Attackers would need to follow the technique disclosed by FoxGlove Security to gain remote code execution.<\/p>\n<p>Stepankin says he used their &#8216;ysoserial&#8217; payload generation tool in his attack.<\/p>\n<p>PayPal handed out US$5000 for the bug even though it was a duplicate of a report sent in two days prior by researcher Mark Litchfield. Most bug bounty operators do not pay for duplicates making the payment unusual.<\/p><\/blockquote>\n<p>Strangely enough it seems to like two researchers found the same bug within days of each other independently. So PayPal paid them both a bounty, which is very rare &#8211; and pretty cool IMHO.<\/p>\n<p>You can read about what Mark Litchfield got upto in December here &#8211; <a href=\"https:\/\/www.linkedin.com\/pulse\/my-50k-personal-challenge-results-mark-litchfield\">My $50k Personal Challenge &#8211; Results<\/a><\/p>\n<p>Pretty good earnings for a months work, although I might imagine he&#8217;s had a fair number of those bugs in pocket for a while.<\/p>\n<p>Source: <a href=\"http:\/\/www.theregister.co.uk\/2016\/01\/27\/paypal_patches_deadly_server_remote_code_execution_flaw_pays_5k\/\">The Register<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>So this is a big one, and thankfully this PayPal Remote Code Execution Vulnerability was discovered by security researchers and not the bad guys. Although there&#8217;s no way for us to know if someone has been using this to siphon data out of PayPal for some time before the whitehats found it. It&#8217;s a roundabout [&hellip;]<\/p>\n","protected":false},"author":25,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"So this is a big one, and thankfully this PayPal Remote Code Execution Vulnerability was discovered by security researchers and not the bad guys.","_seopress_robots_index":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[10,15],"tags":[1213,3026,5145],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Darknet","author_link":"https:\/\/www.darknet.org.uk\/author\/darknet\/"},"_links":{"self":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/4058"}],"collection":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/comments?post=4058"}],"version-history":[{"count":0,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/4058\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media?parent=4058"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/categories?post=4058"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/tags?post=4058"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}