[R1] Kaa IoT Platform SdkServlet / RecordServlet Java Object Deserialization Remote Code Execution

Kaa? Yeah, it was kind of new to some of us too! From the vendor page:

Kaa is a production-ready, multi-purpose middleware platform for building complete end-to-end IoT solutions, connected applications, and smart products. The Kaa platform jump-starts the development of your IoT product and dramatically reduces associated costs, risks, and time-to-market. Kaa facilitates the data exchange among connected devices, the IoT cloud, data analytics and visualisation systems, and other IoT ecosystem components.

So this is all Internet of Things. All that talk about remotely owning your toaster, refrigerator, or toothbrush may be possible now! They currently advertise Kaa is compatible with Intel, Android, Apple, Microsoft, and many other vendors. Given the wide variety of devices and platforms that may use, or come to use Kaa, this has all the potential to be a virtual joyride.

Exploit Vector

Kaa offers an administrator interface over HTTP on TCP port 8080. This interface requires authentication, but if you are lucky, the default credentials will work (kaa / kaa123). Two of the admin servlets, SdkServlet and RecordServlet, convert base64ed request parameters to Java Objects:

RecordServlet.java:
RecordKey key = (RecordKey) Base64.decodeToObject(recordKeyBase64, Base64.URL_SAFE, null);

SdkServlert.java:
SdkPropertiesDto key = (SdkPropertiesDto)Base64.decodeToObject(sdkKeyBase64, Base64.URL_SAFE, null);

DecodeToObject calls into the package net.iharder.Base64 which strips away the base64 encoding and converts the raw bytes to a Java object via an ObjectOutputStream using readObject().

Apache Commons FileUpload Exploitation

Apache Commons FileUpload contains an object called DiskFileItem, which is normally harmless. However, the object can be modified after it is serialized to behave in ways that were not intended. Specifically we can modify DiskFileItem to:

1. Create a new file anywhere the Java process has permission.
2. Write anything we would like to that new file.
3. We can also move (copy and delete) any file on the remote system that we have permission to.

There are two limitations though:

1. We don’t control the filename. This is generated by DiskFileItem class as upload_$uuid_$counter.tmp.
2. Files are created using the File.createTempFile() interface. That means the lifetime of the file is totally dependent on the usage of deleteOnExit(), how long the JVM runs, and if it is moved after creation (If the move is done by the exploit then it will still be deleted. However, if the move is done by the InvokerTransformer exploit then it will not be deleted). It is our observation that files appear do not appear to get deleted until the server is shutdown.

Spring Framework

Kaa also has the Spring Framework on the classpath. Deserialization attacks using Spring allows the attacker to execute arbitrary commands in the context of Kaa.

Tenable has generated proofs-of-concept that allow for create files with custom content (FileUpload), moving files (FileUpload), and executing arbitrary OS commands (Spring). We shared them and the vendor still didn't opt to fix the issues.