Summary

A user with privileges to edit FreeMarker or Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running Liferay.

Note: The following sandbox escape techniques have been tested on Liferay Portal WebContent templates and Liferay Portal Dynamic Data List Display templates, but they should work on other FreeMarker/Velocity templates used across all Liferay products (e.g. DXP, Commerce, etc.).

Product

Liferay Portal CE

Tested Version

Liferay Portal CE, version 7.3 GA1

Details

Server-Side Template Injection (FreeMarker)

Liferay does a good job of extending the FreeMarker sandbox with a custom ObjectWrapper (com.liferay.portal.template.freemarker.internal.RestrictedLiferayObjectWrapper.java), which controls which objects can be accessed from a template, and it also disables insecure defaults such as the ?new built-in to prevent instantiation of arbitrary classes. Even so, it still exposes a number of objects through the Templating API that can be used to circumvent the sandbox and achieve remote code execution.

Deep inspection of the exposed objects’ object graph allows an attacker to get access to objects that allow them to instantiate arbitrary Java objects.
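
As an added illustration (not part of the original advisory, and not Liferay's code or fix), the following Java example shows a deny-by-default member allowlist for FreeMarker bean wrapping, the kind of control that limits how far a template can walk the object graph of an exposed object. It assumes FreeMarker 2.3.30 or later on the classpath; the Article bean, its getBackend() method and the AllowlistPolicy class are hypothetical names constructed for the example.

```java
import freemarker.core.TemplateClassResolver;
import freemarker.ext.beans.ClassMemberAccessPolicy;
import freemarker.ext.beans.MemberAccessPolicy;
import freemarker.template.*;
import java.io.*;
import java.lang.reflect.*;
import java.util.*;

public class AllowlistWrapperDemo {
    // Constructed sample bean: getTitle() is meant for templates, getBackend() is not.
    public static class Article {
        public String getTitle() { return "Hello"; }
        public Object getBackend() { return new Object(); } // stands in for an internal service
    }

    // Deny-by-default policy: only methods in the allowlist are visible to templates.
    static class AllowlistPolicy implements MemberAccessPolicy {
        private final Set<Method> allowed;
        AllowlistPolicy(Set<Method> allowed) { this.allowed = allowed; }
        public boolean isToStringAlwaysExposed() { return false; }
        public ClassMemberAccessPolicy forClass(Class<?> contextClass) {
            return new ClassMemberAccessPolicy() {
                public boolean isMethodExposed(Method m) { return allowed.contains(m); }
                public boolean isConstructorExposed(Constructor<?> c) { return false; }
                public boolean isFieldExposed(Field f) { return false; }
            };
        }
    }

    public static String render(String src) throws Exception {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER); // no ?new
        cfg.setAPIBuiltinEnabled(false); // no ?api
        DefaultObjectWrapperBuilder b = new DefaultObjectWrapperBuilder(Configuration.VERSION_2_3_30);
        b.setMemberAccessPolicy(new AllowlistPolicy(
                Collections.singleton(Article.class.getMethod("getTitle"))));
        cfg.setObjectWrapper(b.build());
        Map<String, Object> model = new HashMap<>();
        model.put("article", new Article());
        StringWriter out = new StringWriter();
        new Template("t", new StringReader(src), cfg).process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // The allowlisted getter renders; the other getter is treated as a missing value.
        System.out.println(render("${article.title} / ${(article.backend)!'not exposed'}"));
    }
}
```

An allowlist of this kind has to cover every type reachable from the objects placed in the template model, since each exposed return value is wrapped under the same policy.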

Server-Side Template Injection (Velocity)

Liferay also uses Velocity templates for Dynamic Data Lists Display. We can use similar vectors on Velocity templates.

Impact

This issue may lead to Remote Code Execution.

CVE

CVE-2020-13445

Coordinated Disclosure Timeline

This report was subject to the GHSL coordinated disclosure policy.

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Munoz).

Contact

You can contact the GHSL team at securitylab@github.com. Please include a reference to GHSL-2020-043 in any communication regarding this issue.