Antabot White-Jotter Deserialization Vulnerability in Shiro Configuration Allowing Remote Code Execution

Vulnerability

A critical deserialization vulnerability has been identified in Antabot White-Jotter version 0.22. The issue lies in the 'CookieRememberMeManager' setup in the 'ShiroConfiguration.java' file, part of the 'com.gm.wj.config.ShiroConfiguration' component. The vulnerability is triggered by manipulating the input 'EVANNIGHTLY_WAOU', which, when Base64-encoded, becomes 'RVZBTk5JR0hUTFlfV0FPVQ=='. This crafted input can be exploited with the CommonsBeanutils (CB) gadget chain, leading to remote code execution.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where Antabot White-Jotter is running.

Reproduction

To reproduce this vulnerability, send a request to the application with the 'EVANNIGHTLY_WAOU' string included. Ensure that the Shiro key is hardcoded in the 'com.gm.wj.config.ShiroConfiguration' class. The input is Base64-encoded and processed by the application, triggering the deserialization vulnerability. This can be done manually or with an automated tool such as 'ShiroAttack2', which is available on GitHub.

Remediation

It is recommended to generate the Shiro key dynamically at runtime, rather than hardcoding it, to prevent brute-force attacks.
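The following Spring configuration is an added example of that remediation and is not code from the White-Jotter project: the hardcoded-key form is shown only as a comment with a placeholder value, and the replacement draws a fresh AES key from Shiro's AesCipherService at startup. The package name comes from the advisory; the cookie name, cookie lifetime and bean layout are assumptions.

```java
package com.gm.wj.config;  // package name taken from the advisory; everything else is assumed

import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.apache.shiro.web.servlet.SimpleCookie;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class ShiroConfiguration {

    // WEAK (the pattern the advisory describes): a fixed cipher key compiled into the class and
    // shipped with the source. Anyone holding the key can produce a rememberMe cookie that the
    // server decrypts and deserializes. Placeholder shown, not the project's value.
    //
    //   CookieRememberMeManager manager = new CookieRememberMeManager();
    //   manager.setCipherKey(Base64.decode("<hardcoded-base64-key>"));

    // FIXED: generate the key when the application starts. Nothing in the source tree or the
    // published build reveals it, so a cookie cannot be forged offline.
    @Bean
    public CookieRememberMeManager rememberMeManager() {
        SimpleCookie cookie = new SimpleCookie("rememberMe");   // cookie name is an assumption
        cookie.setHttpOnly(true);                                // keep it away from page scripts
        cookie.setMaxAge(7 * 24 * 60 * 60);                      // one week, in seconds (assumed)

        CookieRememberMeManager manager = new CookieRememberMeManager();
        manager.setCookie(cookie);
        // AesCipherService.generateNewKey() returns a random 128-bit AES key by default.
        byte[] runtimeKey = new AesCipherService().generateNewKey().getEncoded();
        manager.setCipherKey(runtimeKey);
        return manager;
    }

    @Bean
    public SecurityManager securityManager(CookieRememberMeManager rememberMeManager) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRememberMeManager(rememberMeManager);
        // the project's own realm bean would be attached here with setRealm(...)
        return securityManager;
    }
}
```

A key generated at startup invalidates existing rememberMe cookies on every restart and differs between nodes, so a clustered deployment should instead load one key from a secrets store at runtime, still never from source control.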

Added: Aug 8, 2025, 3:18 AM
Updated: Aug 8, 2025, 3:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 4.6
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.