Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Apache Shiro Remote Code Execution Vulnerability via Default Remember Me Cipher Key

Vulnerability

A remote code execution vulnerability exists in Apache Shiro versions prior to 1.2.5. When the 'remember me' feature is enabled but no cipher key is configured, Shiro falls back to its default cipher key, and remote attackers can exploit this by sending a crafted request parameter. Successful exploitation can lead to arbitrary code execution or bypassing access restrictions.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where Apache Shiro is running.

Reproduction

To reproduce this vulnerability, first ensure that Apache Shiro is running a version prior to 1.2.5 and that the 'remember me' feature is enabled without a custom cipher key. Then, send a request with a specially crafted parameter that takes advantage of the default cipher key used by the 'remember me' feature. This can be done using a tool like Metasploit, which has a module specifically for exploiting this vulnerability.

Remediation

Users are advised to upgrade to Apache Shiro version 1.2.5 or later, configure a secret cipher key for the 'remember me' feature, or disable the 'remember me' feature altogether.
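As an added example (not code from the advisory or from the Shiro project), the following Java snippet shows the second remediation option: generating a random AES key with Shiro's own `AesCipherService` and installing it on the `CookieRememberMeManager` so the default key is never used. The environment variable name `SHIRO_REMEMBERME_KEY` is an assumption for where a deployment would keep the provisioned key.

```java
import java.security.Key;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

public class RememberMeKeyConfig {

    // Generate a fresh random AES key (128-bit by default in Shiro) for the
    // 'remember me' cookie. Run this once during provisioning and store the
    // Base64 output in a secret store; do not generate a new key on every
    // start-up, or existing cookies will be invalidated and clustered nodes
    // will disagree.
    public static String generateCipherKeyBase64() {
        AesCipherService cipherService = new AesCipherService();
        Key key = cipherService.generateNewKey();
        return Base64.encodeToString(key.getEncoded());
    }

    // Build a remember-me manager that refuses to run without an explicit key.
    // Anything shorter than 16 bytes is rejected so a truncated or empty
    // secret cannot silently weaken the cookie protection.
    public static CookieRememberMeManager buildRememberMeManager(byte[] cipherKey) {
        if (cipherKey == null || cipherKey.length < 16) {
            throw new IllegalStateException(
                "remember-me cipher key missing or too short; refusing default key");
        }
        CookieRememberMeManager manager = new CookieRememberMeManager();
        manager.setCipherKey(cipherKey);
        return manager;
    }

    public static void main(String[] args) {
        // Assumed deployment convention: the provisioned key is supplied
        // Base64-encoded in the SHIRO_REMEMBERME_KEY environment variable.
        String encoded = System.getenv("SHIRO_REMEMBERME_KEY");
        if (encoded == null || encoded.isEmpty()) {
            System.err.println("No key configured. Provision one with: "
                + generateCipherKeyBase64());
            System.exit(1);
        }
        byte[] cipherKey = Base64.decode(encoded);

        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRememberMeManager(buildRememberMeManager(cipherKey));
        // Register securityManager with the web filter as usual.
    }
}
```

Disabling the feature entirely (the third remediation option) avoids the key-management question altogether; if 'remember me' is kept, upgrading to 1.2.5 or later is still required, because the default key is only one aspect of the fix.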

Added: Mar 16, 2026, 8:30 PM
Updated: Mar 16, 2026, 8:30 PM