PayPal Servers Compromised via Well-Known Java Deserialization Bug


PayPal addresses issue after security researcher broke into their servers and took data files just to prove his point.

Michael “Artsploit” Stepankin, an independent security researcher, has discovered a critical security flaw in PayPal’s Manager interface that allowed him to execute malicious code on PayPal’s servers, an issue which would have enabled him to take full control of PayPal’s infrastructure.

The bug is an instance of the Java deserialization issue that’s been around for over a year, but only came to the forefront of the infosec community this past autumn.

The problem stems from the way developers handle user-supplied serialized data in Java, and can be found in different open source Java libraries.

Java insecure coding practice exposed PayPal’s servers

The researchers who discovered this flaw also published a tool that automatically generates the malicious code needed to exploit this vulnerability via the Apache Commons Collections Java library.

Mr. Stepankin used this tool to create a malicious Java serialized object, which he then fed into one of the forms in the PayPal Manager Web interface, a form he found PayPal’s developers had failed to protect.

“I realized that it’s a Java serialized object without any signature and it’s handled by the application,” said Mr. Stepankin yesterday in a blog post. “It means that you can send to server serialized object of any existing class and “readObject” (or “readResolve”) method of that class will be called.”
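The behaviour described in the quote above, together with the usual defence against it, as an added example (not code from PayPal, the researcher or the original article): an ObjectInputStream subclass that checks every class name in the stream against an allow-list before the object is built. The names AllowListDemo, FormState and Unexpected are hypothetical and constructed for this illustration.

```java
import java.io.*;
import java.util.Set;

public class AllowListDemo {
    // The only type the form field is meant to carry (hypothetical, constructed).
    static class FormState implements Serializable { String view = "login"; }

    // Stand-in for any other Serializable class on the classpath whose
    // readObject has side effects (constructed; it only sets a flag).
    static class Unexpected implements Serializable {
        static boolean readObjectRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectRan = true;
        }
    }

    // Checks each class descriptor as it is read from the stream, which happens
    // before an instance is created and before readObject/readResolve can run.
    static class AllowListStream extends ObjectInputStream {
        private final Set<String> allowed;
        AllowListStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName()))
                throw new InvalidClassException(desc.getName(), "class not on allow-list");
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    // Server-side entry point for the form field: only FormState may be decoded.
    static Object readForm(byte[] data) throws IOException, ClassNotFoundException {
        Set<String> allowed = Set.of(FormState.class.getName());
        try (ObjectInputStream in = new AllowListStream(new ByteArrayInputStream(data), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("accepted: " + readForm(serialize(new FormState())).getClass().getName());
        try {
            readForm(serialize(new Unexpected()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage() + " (readObject ran: " + Unexpected.readObjectRan + ")");
        }
    }
}
```

On Java 9 and later, the built-in java.io.ObjectInputFilter provides the same kind of class allow-listing without subclassing the stream.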

Researcher downloaded files from PayPal’s infrastructure

The first malicious Java payload the researcher sent to PayPal’s servers was only a simple test that told the PayPal server to make simple DNS and HTTP requests to his own server.

After finding evidence in his Nginx log that PayPal’s servers were silently pinging him, Mr. Stepankin created a second exploit, much more intrusive. This second exploit contained shell commands that took the server’s “/etc/passwd” file and sent it to his server.

Seeing that his exploit worked once again, Mr. Stepankin contacted PayPal and informed them of his discovery. Although another security researcher had already told PayPal of a similar issue in its PayPal Manager interface, the company thanked Mr. Stepankin for his finding and awarded him a $5,000 cash reward for his work.

Researcher lauds PayPal’s security measures

Softpedia contacted Mr. Stepankin via email and asked him how easy it was to find the vulnerability in PayPal’s service.

“It was comparatively easy to find and exploit this particular vulnerability. In spite of that, only in the last years security researchers have found a way to exploit Java deserialization issues and a lot of Java developers are still not aware about that,” Mr. Stepankin told Softpedia. “But I have to admit that overall protection of PayPal applications is quite high and, in general, it’s not really easy to find even low impact vulnerabilities within PayPal’s bug bounty scope.”

Regarding the presence of other Java deserialization issues in PayPal’s applications, the researcher told Softpedia the following: “I’ve seen a couple of other PayPal applications which use Java serialization, but it was hard to exploit them or company has already implemented some fixes to mitigate those issues. At the same time, I’m pretty sure we will see a lot of serialization vulnerabilities in different JAVA applications (not only in PayPal) and frameworks in the following years.”

As Mr. Stepankin revealed, the issue was reported to PayPal in mid-December and is now fixed.

PayPal Manager is a premier online business and service management portal that’s usually available for big businesses. If Mr. Stepankin had been a black hat, this bug would have been worth hundreds of thousands of dollars on the black market and would have helped attackers steal millions from PayPal’s business customers.

Below is a proof-of-concept video.