PayPal patched critical remote code execution flaw four days after hacker reported it

It only took PayPal four days to patch a critical remote code execution vulnerability with a Common Vulnerability Scoring System (CVSS) count of 9.3. The flaw, in the Java Debug Wire Protocol (JDWP) in PayPal’s marketing online service web-server, allowed “remote attackers to execute system specific code against a target system to compromise the webserver.”

JDWP, a component of the Java Platform Debugger Architecture, is the “protocol used for communication between a debugger and the Java virtual machine (VM) which it debugs,” explained independent security researcher Milan A. Solanki. “JDWP does not use any authentication and could be abused by an attacker to execute arbitrary code on the affected server.”

Hacking JDWP was previously covered by IOActive, which also has jdwp-shellifier – an exploitation script – on GitHub. Researcher Christophe Alladoum looked at “JDWP from a pentester/attacker perspective,” explaining that it uses neither authentication nor encryption, and how “when such a service is exposed to a hostile network, or is Internet facing, things could go wrong.” He added, “Not only does JDWP allow you to access and invoke objects already residing in memory, it also allows you to create or overwrite data.”

Alladoum explained, “When faced with an open JDWP service, arbitrary command execution is exactly five steps away (or with this exploit, only one command line away).” In other words, “open JDWP service means reliable RCE” (remote code execution).

Solanki used the jdwp-shellifier tool. After scanning PayPal’s marketing site, he opened port 8000; he was able to establish a connection without any authentication and execute server-side codes with root privileges.

Solanki provided a proof-of-concept video showing how the “remote code execution web vulnerability can be exploited by remote attackers without privileged application user account or user interaction.”

For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the security vulnerability …

1. Scan the site with the jdwp-shellifier tool.

2. Open port 8000 and connect to the service without auth.

3. Execute own server-side commands as root user.

4. Successful reproduce of the vulnerability!

He notified PayPal Security and Bug Bounty team on April 6; the vulnerability was patched by April 9. It was publicly disclosed by Vulnerability Laboratory on April 28.

On his personal site, Solanki included another POC video and discussed finding a cross-site scripting (XSS) on PayPal.

He said the PayPal Bug Bounty Program paid him $750.