Finding A Shell In Your Fishbowl
White Oak Security discovered an instance of Fishbowl Inventory that was vulnerable to a Java deserialization vulnerability, resulting in unauthenticated remote code execution.
This issue has been remediated as of release 2022.4.1.
CVE-2022-29805 has been published for this vulnerability.
Before we dive into the details, we want to thank the Fishbowl Inventory support and development team for their constant communication and updates while this issue was being disclosed. Fishbowl Inventory responded promptly to the original disclosure request and resolved the issue in a timely manner, which is a very refreshing and mature response from the organization. From our perspective, Fishbowl Inventory is doing everything right in this regard, and we hope other organizations follow their lead.
4/7/22: Attempted to contact Fishbowl Inventory via online support ticket.
4/8/22: Received contact from Fishbowl Inventory. Disclosed vulnerability documentation via the support ticket.
4/12/22: Received confirmation that the vulnerability details have been transferred to the development team.
4/13/22: Development team confirms that the vulnerability is valid and they are working on a solution.
4/25/22: Patch released to the general public with version 2022.4.1.
8/18/22: White Oak Security publicly discloses the finding according to our vulnerability disclosure policy.
Fishbowl Inventory Overview
Fishbowl Inventory is an inventory management system that helps organize product inventory with accounting integrations and other necessary workflows. The application consists of a web server, inventory server, and desktop application to interact with the servers and perform the business logic.
Using Shodan, the Fishbowl Server can be found exposed on the internet on a handful of servers. White Oak Security confirmed that the vulnerable port (28192) was exposed on several hosts; however, White Oak Security did not attempt exploitation against any internet-facing host.
As specified within the support library article below, the Fishbowl Server on port 28192 is exposed during default installations (1). Therefore, it is reasonable to assume that every internet-facing instance of Fishbowl, in its default configuration without additional firewall rules, would have been vulnerable to this exploit.
Fishbowl Vulnerability Analysis
The Fishbowl Server establishes a web server on 80/443 and a TCP Socket Server listening on port 28192 by default. This TCP Socket Server on port 28192 is the vulnerable service. We used Sysinternals TCPView (2) to view the local endpoints.
Analyzing the application installation shows that the Fishbowl Server Administration program controls the server port, which defaults to 28192.
The Fishbowl Server handles all message processing as a TCP Socket Server. This socket server processes incoming data streams and determines if the data is either JSON or XML. In this vulnerability, we are interested in the XML flow.
Fishbowl Attack Flow
The attack flow can be simplified as the following steps:
- The TCP Socket Server parses incoming data streams and validates whether the data is JSON or XML
- In the XML flow, an XML document is built from the incoming data
- A custom XML parser is created which parses the XML structure, beginning with the root <event> tag
- The custom XML parser extracts data from the <head>, <user>, and <body> child elements
- Within the <head> XML element parsing flow, the application base64 decodes a <src> child tag and feeds the decoded data into an ObjectInputStream, calling the Java readObject() function on it
- This directly leads to an exploitable deserialization condition, as any arbitrary serialized object can be supplied in this element, including a chain of library objects whose deserialization executes commands (called a gadget chain)
This is a typical Java Deserialization vulnerability and we should be able to use a pre-existing Gadget Chain using ysoserial (3). Additionally, a custom gadget could be created from pre-existing Fishbowl library objects but was unnecessary for exploitation at this time. For additional information about Java Deserialization vulnerabilities and gadget chains, check out the original research by Chris Frohoff.
The libraries within the Fishbowl Inventory application deployment include several references to the Apache Commons collections, which would allow us to use one of the payloads pre-existing in ysoserial (3).
The Socket Server parses XML data and performs a readObject() on various XML element byte streams. To exploit this issue, White Oak Security used ysoserial (3), a Java Deserialization exploitation kit, to generate a payload that will be deserialized by the application server to execute any command on the host. In this example, a simple PowerShell reverse shell is used to connect back to the target server.
The format of the payload is shown below, where the required event, head, and src fields are used. The base64-encoded serialized object is placed in the body of the src element.
<?xml version='1.0' encoding='utf-8'?>
<event>
  <head>
    <src name='xyz'>" + payload + "</src>
  </head>
</event>
Next, a simple Java socket client was created which connects to the vulnerable server and writes the message to the socket using a DataOutputStream. The server decodes the XML and performs deserialization on several of the underlying child elements; in this example, the ‘src’ element is targeted.
The data is sent to the server and remote code execution is achieved, with a reverse shell (TCP connection) established from the Fishbowl Server to the attacker-controlled host.
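The attack flow above (base64-decoded <src> content handed straight to readObject()) is also the detection opportunity for defenders: every Java serialized stream begins with the fixed header 0xACED0005, followed for ordinary objects by TC_OBJECT (0x73), TC_CLASSDESC (0x72) and the root class name. The following Python is an added example, not code from White Oak Security or Fishbowl; it parses an <event> message in the format shown above and flags any <src> element carrying a Java serialized stream. The sample messages and the serialized bytes are constructed for illustration (the blob is a header plus class descriptor prefix, not a complete object).

```python
import base64
import binascii
import struct
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

# ObjectOutputStream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72


def first_class_name(blob):
    """Return the root class name of a serialized stream, or None if the
    stream does not start with an ordinary TC_OBJECT/TC_CLASSDESC record."""
    if not blob.startswith(JAVA_STREAM_MAGIC):
        return None
    if blob[4:6] != bytes([TC_OBJECT, TC_CLASSDESC]):
        return None
    (length,) = struct.unpack(">H", blob[6:8])  # modified-UTF length prefix
    return blob[8:8 + length].decode("utf-8", "replace")


def inspect_event(message):
    """Parse one Fishbowl-style <event> message and report every <src>
    element whose base64-decoded body is a Java serialized stream."""
    findings = []
    data = message.encode() if isinstance(message, str) else message
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return findings
    for src in root.iter("src"):
        try:
            blob = base64.b64decode((src.text or "").strip(), validate=True)
        except (binascii.Error, ValueError):
            continue  # not base64 at all, so not a readObject() candidate
        if blob.startswith(JAVA_STREAM_MAGIC):
            findings.append({"name": src.get("name"),
                             "class": first_class_name(blob),
                             "size": len(blob)})
    return findings


# Constructed sample: serialized-stream prefix with a root class name
_NAME = b"java.util.HashMap"
SAMPLE_BLOB = (JAVA_STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC])
               + struct.pack(">H", len(_NAME)) + _NAME + b"\x00" * 8)
TEMPLATE = ("<?xml version='1.0' encoding='utf-8'?><event><head>"
            "<src name='xyz'>%s</src></head></event>")
SAMPLE_MESSAGE = TEMPLATE % base64.b64encode(SAMPLE_BLOB).decode()
BENIGN_MESSAGE = TEMPLATE % base64.b64encode(b"hello").decode()
```

Running inspect_event over traffic captured on port 28192 (or as a server-side pre-check before readObject()) reports the root class of every serialized object offered to the parser; this is a detection aid only, and the fix remains upgrading to 2022.4.1.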
More From White Oak Security
White Oak Security is a highly skilled and knowledgeable cyber security testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion.
- https://help.fishbowlinventory.com/hc/en-us/articles/360042632634-Fishbowl-Hosted-Services – Fishbowl Inventory Server Ports Documentation
- https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview – Tool for local process analysis
- https://github.com/frohoff/ysoserial – Tool for Java Object Deserialization