Exploit Found In PayPal Servers To Get Full Control Of Its Infrastructure Remotely

Exploit Found In PayPal Servers To Get Full Control Of Its Infrastructure Remotely.

Michael "Artsploit" Stepankin, who is a security researcher, has discovered a critical security flaw a Well-Known Java Deserialization Bug in PayPal's servers that enable him to execute malicious code on PayPal's servers by which he have a full control of PayPal's infrastructure.

This bug has been around for over a year, but only this past autumn came to the forefront of the infosec community. The problem relies on the way developers handle user-supplied serialized data in Java, and can be found in different open source Java libraries.

Developers handle user-supplied serialized data in Java in which problem relies on that can be found in different open source Java libraries.

Java insecure coding exposed PayPal’s servers

The Apache Commons Collections Java library can easily exploit this vulnerability which needed by the automatically generates malicious code which published by Michael "Artsploit" Stepankin.

For the purpose of creating a malicious Java serialized object Mr. Stepankin used this, and he discovered that PayPal's devs failed to connect when he fed into one of the forms present in the PayPal Manager Web interface.

“I realized that it’s a Java serialized object without any signature, and it’s handled by the application,” said Mr. Stepankin in a blog post. “It means that you can send to server serialized object of any existing class and “readObject” (or “readResolve”) method of that class will be called.”

Researcher downloaded files from PayPal’s infrastructure

The first malicious Java payload the researcher sent to PayPal’s servers was only a simple test that told the PayPal server to make simple DNS and HTTP requests to his own server.

After finding evidence in his Nginx log that PayPal’s servers were silently pinging him, Mr. Stepankin created a second exploit, much more intrusive. This second exploit contained shell commands that took the server’s “/etc/passwd” file and sent it to his server.

Mr. Stepankin contacted PayPal to inform them of his discovery when he see that his exploit worked once again. But before him another security researcher already told PayPal of a similar issue in its PayPal Manager interface, the company thanked the researcher for his finding and rewarded him a cash reward for his work.

As in mid-December, Mr. Stepankin reports, that the issue has reported to PayPaland and as of now it is fixed. PayPal Manager is a premier online business and service management portal that’s usually available for big businesses.

For Black Hat, this bug would be of precious worth so if Mr. Stepankin had been a black hat, this bug would have been worth hundreds of thousands of dollars on the black market and would have helped attackers steal millions from PayPal’s business customers.

POC Video: