[shiro] Apache Shiro 1.2.4 deserialization vulnerability (CVE-2016-4437)

1 What is it?

1.1 Shiro Framework

Apache Shiro is an open source security framework that provides authentication, authorization, cryptography, and session management. The Shiro framework is intuitive and easy to use, while also providing robust security.

1.2 Shiro-550 deserialization vulnerability

  1. Introduction: Shiro serializes and encrypts the user's identity and stores it in a cookie named rememberMe. An attacker who knows Shiro's default key can forge that cookie, trigger Java deserialization on the server, and execute arbitrary commands on the target machine.
  2. Versions affected: Apache Shiro 1.2.4 and earlier.

2 Why?

2.1 Working steps

  1. How the rememberMe value is generated: serialization → AES encryption → Base64 encoding → rememberMe cookie content.
  2. How the server handles the cookie: read the rememberMe value from the cookie → Base64 decoding → AES decryption (with a hard-coded key) → deserialization (with no validation of the data).

2.2 Vulnerability principle

  1. Apache Shiro uses CookieRememberMeManager by default. Its cookie handling is: read the rememberMe cookie value → Base64 decode → AES decrypt → deserialize. Because the AES key is hard-coded, an attacker can construct malicious data that the server decrypts and deserializes, which leads to remote code execution.
  2. Key factor: in Shiro 1.2.4 and earlier the AES key is hard-coded as kPH+bIxk5D2deZiIxcaaaA==. Once the key is known, a malicious serialized object can be encrypted with it, Base64 encoded, and sent as the rememberMe cookie; the server decrypts it and triggers the deserialization vulnerability. After 1.2.4 the AES key is no longer a fixed default, so an attacker must first obtain the key.

3 How to do it?

3.1 Environment Construction

  1. This tutorial uses vulhub to build the vulnerable environment. For installing vulhub, refer to "Deploying Vulhub Shooting Range on CentOS".
  2. Open a terminal and run sudo -i to switch to root.
  3. Locate the vulhub directory, then run cd shiro/CVE-2016-4437 to enter the directory for this experiment.
  4. Run docker-compose up -d to start a web service running Apache Shiro 1.2.4.
  5. Open a browser on the CentOS host and visit the service; if the following page is displayed, the environment is up.
  6. Log in with the default credentials: the account is admin and the password is vulhub. A successful login looks as follows.

3.2 How to find out

  1. Vulnerability characteristics: a Shiro deployment is recognizable by a rememberMe=deleteMe value in the Set-Cookie header of the response.
  2. Note: clear the browser cache after each of the following steps so that the browser starts from a clean state each time.
  3. The login page has a RememberMe checkbox. Leave it unchecked, enter the default account and password, set the browser proxy to BurpSuite and click Login.
  4. Intercept the request in BurpSuite, send it to the Repeater module and click Send. In the response shown below, the value of rememberMe is deleteMe.
  5. Now check RememberMe, enter the default account and password, set the proxy to BurpSuite and click Login.
  6. Intercept the request, send it to Repeater and click Send. The request now carries a rememberMe field, and the rememberMe value in the response becomes a long encoded string.
  7. The above used the correct account and password. Now try a wrong account and password with RememberMe checked: in the same request, change the credentials and click Send. The rememberMe value in the response is deleteMe.
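The deleteMe fingerprint above is just as useful on the defending side. The following is an added example, not code from the original post: it scans constructed web-log records for clients whose rememberMe tokens the server keeps discarding, which is the traffic pattern that key guessing against a Shiro server produces. The log format, IP addresses and cookie values are all assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed sample records, not real traffic; cookie values are placeholders.
# Format per line: client_ip | request Cookie header | response Set-Cookie header
SAMPLE_LOG = """\
10.0.0.5 | JSESSIONID=s1 | rememberMe=deleteMe; Path=/; Max-Age=0
10.0.0.9 | rememberMe=Zm9yZ2VkLXRva2VuLTE=; JSESSIONID=s2 | rememberMe=deleteMe; Path=/; Max-Age=0
10.0.0.9 | rememberMe=Zm9yZ2VkLXRva2VuLTI=; JSESSIONID=s2 | rememberMe=deleteMe; Path=/; Max-Age=0
10.0.0.9 | rememberMe=Zm9yZ2VkLXRva2VuLTM=; JSESSIONID=s2 | rememberMe=deleteMe; Path=/; Max-Age=0
10.0.0.7 | rememberMe=dmFsaWQtdG9rZW4=; JSESSIONID=s3 | JSESSIONID=s4; Path=/; HttpOnly
10.0.0.5 | JSESSIONID=s1 | JSESSIONID=s5; Path=/; HttpOnly
"""

RECORD_RE = re.compile(r"^(?P<ip>\S+) \| (?P<cookie>.*?) \| (?P<set_cookie>.*)$")

def parse_cookies(header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}; attribute-only tokens are skipped."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return dict(pairs)

def is_shiro_response(set_cookie):
    """Fingerprint from section 3.2: Shiro discards an unusable token with deleteMe."""
    return parse_cookies(set_cookie).get("rememberMe") == "deleteMe"

def rejected_remember_me(record):
    """True when the client sent a rememberMe token and the server threw it away.
    A token that decrypts and deserializes is kept, so a rejection means a token the
    server could not decrypt or deserialize; many of them is what key guessing looks like."""
    sent = parse_cookies(record["cookie"]).get("rememberMe")
    return bool(sent) and sent != "deleteMe" and is_shiro_response(record["set_cookie"])

def analyze(log_text, threshold=3):
    """Count rejected tokens per client IP; return (counts, IPs at or over threshold)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m and rejected_remember_me(m.groupdict()):
            counts[m.group("ip")] += 1
    flagged = sorted(ip for ip, n in counts.items() if n >= threshold)
    return dict(counts), flagged

if __name__ == "__main__":
    counts, flagged = analyze(SAMPLE_LOG)
    for ip in flagged:
        print(f"{ip}: {counts[ip]} rejected rememberMe tokens")
```

Legitimate logouts and failed logins also produce deleteMe (step 7 above shows one), so the per-client count over a time window, not a single hit, is the signal worth alerting on.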

3.3 How to use

  1. Follow "shiro deserialization vulnerability comprehensive utilization tool v2.2 (download, install, use)" to download and start the tool.
  2. Enter the target address, making sure to include the http protocol, then click the key brute-force button.
  3. When the brute force finishes, the check log shows that the key was found, and it is filled into the key field.
  4. Click the gadget chain and echo brute-force button; the tool shows which gadget chain and echo position work against the target.
  5. Switch the function area to command execution and enter whoami. The output shows root, which proves that remote command execution is possible.
  6. Enter cat /etc/passwd to view the contents of the file.

3.4 How to defend

  1. Upgrade Shiro to a fixed version.
  2. Change the rememberMe encryption key so that the hard-coded default is no longer used.
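For the "modify the key" step, here is an added example (not part of the original post or of Shiro itself) that audits a shiro.ini for the hard-coded default key quoted in the vulnerability principle section and rotates it to a fresh random one. It assumes the key is configured through Shiro's INI property securityManager.rememberMeManager.cipherKey, which takes a Base64-encoded AES key; the sample INI is constructed.

```python
import base64
import binascii
import secrets

# Hard-coded default from the vulnerability principle section, and the Shiro INI property that overrides it.
DEFAULT_KEY = "kPH+bIxk5D2deZiIxcaaaA=="
KEY_PROPERTY = "securityManager.rememberMeManager.cipherKey"

# Constructed sample shiro.ini, not taken from a real deployment.
SAMPLE_INI = """\
[main]
securityManager.rememberMeManager.cipherKey = kPH+bIxk5D2deZiIxcaaaA==
[urls]
/** = authc
"""

def read_cipher_key(ini_text):
    """Return the configured cipherKey value, or None if the property is absent."""
    for line in ini_text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == KEY_PROPERTY:
            return value.strip()
    return None

def audit_cipher_key(ini_text):
    """Classify the key as 'missing', 'default', 'malformed' or 'ok' (missing falls back to the default on 1.2.4 and earlier)."""
    value = read_cipher_key(ini_text)
    if value is None:
        return "missing"
    if value == DEFAULT_KEY:
        return "default"
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "malformed"
    return "ok" if len(raw) in (16, 24, 32) else "malformed"  # valid AES key sizes

def new_cipher_key(nbytes=16):
    """Fresh random AES key, Base64-encoded the way the INI property expects."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()

def rotate_cipher_key(ini_text, key=None):
    """Return the INI text with cipherKey replaced, or added under [main] if absent."""
    key = key or new_cipher_key()
    lines = ini_text.splitlines()
    hits = [i for i, l in enumerate(lines) if l.partition("=")[0].strip() == KEY_PROPERTY]
    if hits:
        lines[hits[0]] = f"{KEY_PROPERTY} = {key}"
    else:
        lines.insert(lines.index("[main]") + 1 if "[main]" in lines else 0, f"{KEY_PROPERTY} = {key}")
    return "\n".join(lines) + "\n"
```

A key that is rotated must also be kept out of version control and redistributed to every node that shares sessions, otherwise existing rememberMe cookies will simply be rejected.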

4 Summary

  1. This section introduced the principle of the Shiro deserialization vulnerability and the use of an exploitation tool.
  2. To understand the vulnerability more deeply, you still need to study further and write programs yourself.

