JSF ViewState Hack Attempt: java.lang.StringIndexOutOfBoundsException: String index out of range: -1 – com.sun.faces.renderkit.ServerSideStateHelper.getState (ServerSideStateHelper.java:313)

Hack Attempt on JSF ViewState

This article explains why the error java.lang.StringIndexOutOfBoundsException: String index out of range: -1 in the class ServerSideStateHelper, method getState (line 313), might be a sign of someone trying to hack your application server. It gets quite technical, but bear with me, it's really interesting. I also break down the actual attack to show what the attacker was trying to do.

Recently we saw more and more log entries with the following stack trace in our WildFly 10 log file:

I googled around and no one was giving a valid answer to why this could happen.

ViewState

By taking a look at the getState and getStateParamValue methods you can see the following:

So, in a nutshell, what is this code doing?

This code looks at the request parameters, takes the one named javax.faces.ViewState, tries to find a colon in it and then extracts the part before the colon and the part after the colon (idInLogicalMap and idInActualMap). If there is no colon at all, indexOf returns -1, and that -1 is the out-of-range index reported in the exception.

What is this ViewState parameter?

Basically it is a hidden input field automatically embedded in all pages, e.g.

Two numbers separated by a colon.

How could this ever have a value without a colon?

Next we took a look at our apache logs:

This is really weird. First of all, someone is sending POST requests to one of our pages, one after the other. Secondly, the session id appended to the URL is the same, but the user agent string is different.

The next thing we noticed was that the error only occurred on pages that were publicly accessible, without a user having to log in.

This cannot be normal traffic.

So my first assumption was that this must be some kind of bot trying to crawl our page and accidentally putting wrong information into that hidden input field.

So we improved our logging to see the actual value for the javax.faces.ViewState parameter.

Registering a ViewHandler

We added a new ViewHandler to our code like this:

and registered it in the faces-config.xml.
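As an added example (not the original post's code), here is one way such a logging ViewHandler can look with JSF 2.2 on Mojarra. It wraps the default handler with a ViewHandlerWrapper and, before the view is restored, logs the raw javax.faces.ViewState request parameter whenever it does not contain the colon that ServerSideStateHelper expects. The package name and class name are assumptions; the value is truncated before logging so a large payload cannot flood the log.

```java
package com.example.jsf; // assumed package name

import java.util.logging.Logger;

import javax.faces.application.ViewHandler;
import javax.faces.application.ViewHandlerWrapper;
import javax.faces.component.UIViewRoot;
import javax.faces.context.FacesContext;
import javax.faces.render.ResponseStateManager;
import javax.servlet.http.HttpServletRequest;

/**
 * Logs malformed javax.faces.ViewState values before Mojarra's
 * ServerSideStateHelper tries to split them at the colon and throws
 * StringIndexOutOfBoundsException on a value that has none.
 */
public class ViewStateLoggingViewHandler extends ViewHandlerWrapper {

    private static final Logger LOG =
            Logger.getLogger(ViewStateLoggingViewHandler.class.getName());

    // Never write more than this many characters of an untrusted value to the log
    private static final int MAX_LOGGED_CHARS = 200;

    private final ViewHandler wrapped;

    // JSF 2.2 wrappers receive the handler they wrap through the constructor
    public ViewStateLoggingViewHandler(ViewHandler wrapped) {
        this.wrapped = wrapped;
    }

    @Override
    public ViewHandler getWrapped() {
        return wrapped;
    }

    @Override
    public UIViewRoot restoreView(FacesContext ctx, String viewId) {
        // ResponseStateManager.VIEW_STATE_PARAM is the constant for "javax.faces.ViewState"
        String state = ctx.getExternalContext().getRequestParameterMap()
                .get(ResponseStateManager.VIEW_STATE_PARAM);

        // Server-side state ids look like "<id>:<id>"; "stateless" marks a transient view in JSF 2.2
        if (state != null && !"stateless".equals(state) && state.indexOf(':') < 0) {
            HttpServletRequest req = (HttpServletRequest) ctx.getExternalContext().getRequest();
            String shown = state.length() > MAX_LOGGED_CHARS
                    ? state.substring(0, MAX_LOGGED_CHARS) + "..."
                    : state;
            LOG.warning("Malformed javax.faces.ViewState from " + req.getRemoteAddr()
                    + " (User-Agent: " + req.getHeader("User-Agent") + ") for view "
                    + viewId + ": " + shown);
        }
        return super.restoreView(ctx, viewId);
    }
}
```

The handler is registered in faces-config.xml with a `<view-handler>` element inside `<application>`, giving the fully qualified class name above. Logging the remote address and User-Agent together with the value is what makes the pattern described in the Apache logs (same session id, different user agents) visible from the application log alone.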

Now it gets interesting…

The Actual Attack

When the error occurred the next time, we got invalid ViewState strings like this one:

When I saw this I immediately knew someone was trying to hack us. Strings starting with rO0 are Base64-encoded serialized Java objects (rO0A is the Base64 encoding of the serialization stream magic bytes 0xAC 0xED 0x00).

Why should serialized Java Objects be deserialized there?

Turns out there is an option to store the ViewState object on the client side instead of on the server side (hopefully rarely used). If you manage to put the correct serialized Java objects into this parameter and the objects get deserialized, this can lead to arbitrary remote code execution (RCE). This ViewState vulnerability is already well known.

The good news is that if you're getting the StringIndexOutOfBoundsException, you are very likely storing your ViewState on the server and are not vulnerable to this security flaw.
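To make the two observations above concrete (a server-side state id has the colon form, a serialized-object payload starts with the Java serialization magic), here is an added triage helper that is not part of the original post. It classifies a raw ViewState value so a log line or alert can say what kind of value arrived, without ever deserializing it. The class name and the sample values in main are constructed for the example. It assumes server-side state saving as in the post; with client-side state saving a legitimate ViewState is itself a serialized object, so the JAVA_SERIALIZED result would not by itself indicate an attack there.

```java
import java.util.Base64;

/** Classifies a raw javax.faces.ViewState value for log enrichment; never deserializes it. */
public final class ViewStateTriage {

    public enum Kind { SERVER_SIDE_ID, STATELESS, JAVA_SERIALIZED, UNKNOWN }

    // Java serialization stream header: STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005
    private static final byte[] SERIAL_MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};

    private ViewStateTriage() {}

    public static Kind classify(String viewState) {
        if (viewState == null) {
            return Kind.UNKNOWN;
        }
        String value = viewState.trim();
        if ("stateless".equals(value)) {
            return Kind.STATELESS;              // transient view marker in JSF 2.2
        }
        if (value.matches("-?\\d+:-?\\d+")) {
            return Kind.SERVER_SIDE_ID;         // "<idInLogicalMap>:<idInActualMap>"
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(value);
        } catch (IllegalArgumentException notBase64) {
            return Kind.UNKNOWN;
        }
        return startsWith(decoded, SERIAL_MAGIC) ? Kind.JAVA_SERIALIZED : Kind.UNKNOWN;
    }

    private static boolean startsWith(byte[] data, byte[] prefix) {
        if (data.length < prefix.length) {
            return false;
        }
        for (int i = 0; i < prefix.length; i++) {
            if (data[i] != prefix[i]) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed samples: a server-side id, and a serialization header followed by
        // TC_OBJECT (0x73) TC_CLASSDESC (0x72), which encodes to the familiar "rO0ABXNy" prefix.
        String serverId = "1234567890:987654321";
        String serialized = Base64.getEncoder().encodeToString(
                new byte[] {(byte) 0xAC, (byte) 0xED, 0x00, 0x05, 0x73, 0x72});

        System.out.println(serverId + " -> " + classify(serverId));        // SERVER_SIDE_ID
        System.out.println(serialized + " -> " + classify(serialized));    // JAVA_SERIALIZED
        System.out.println("stateless -> " + classify("stateless"));       // STATELESS
        System.out.println("no-colon-here -> " + classify("no-colon-here")); // UNKNOWN
    }
}
```

Checking the first four decoded bytes is enough to recognise the payload family; there is no need to inspect, let alone deserialize, the rest. Pairing this with the logging ViewHandler gives a log line that names the payload kind, which is a far better detection signal than the bare StringIndexOutOfBoundsException.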

Now the fun part… What did the attacker try to achieve?

Base64 decoded string:

The only thing in there that is interesting is the part:

Download some “image” and execute it. The image actually contains some executable bash instructions :)

This one downloads the next “image” (logo.jpg):

Again we can see that some “kworker” is downloaded and started afterwards.

I downloaded the kworker file and took a look at it. It’s actually a program called “minerd”.

What does this do? It is a program for mining Bitcoin 😊

By downloading the kworker.conf file, we could also get the Bitcoin user id of the hacker :)

Summary:

By taking a very close look at the StringIndexOutOfBoundsException, we figured out that someone was trying to hack into our system. I have not seen any article so far that links this exception to a hacking attempt on an application server.

The attacker is probably randomly hacking any server that has this vulnerability in order to do Bitcoin mining to earn some money :P

Figuring out the root cause of this Exception actually took quite some time, but was really interesting in the end. I hope this article will save you some time.

If you have any questions or comments, feel free to ask or leave a comment below.


One thought on “JSF ViewState Hack Attempt: java.lang.StringIndexOutOfBoundsException: String index out of range: -1 – com.sun.faces.renderkit.ServerSideStateHelper.getState (ServerSideStateHelper.java:313)”

  1. Loksly

    Hi everyone!

    I just want to say that we have been attacked by exactly the same method.
    As far as I can confirm it had no success.
    The IP network the attacker used started like 5.x.x.11

    Thanks for this post, it really helped me a lot to realize what it was trying to do.

    Have a nice day
