There is a critical expression injection RCE vulnerability in this expression engine (the expression engine is vulnerable to expression injection) #421
Comments
Awesome

Nice discovery

There is an even simpler way to inject: since this is full script mode, almost any Java API can be called. For example, the injection above can be simplified to:

```java
AviatorEvaluatorInstance evaluator = AviatorEvaluator.newInstance();
evaluator.setFunctionMissing(JavaMethodReflectionFunctionMissing.getInstance());
evaluator.execute("exec(Runtime.getRuntime(), 'open /System/Applications/Calculator.app')");
```

I do not recommend exposing aviatorscript script execution directly to the public internet.

If you need to control the whitelist of classes that can be accessed, you can do so through  (for more security options see https://www.yuque.com/boyan-avfmj/aviatorscript/ou23gy#elOSu).

For example, in the case above, after forbidding any static field or static method call (by setting the whitelist to empty), the call will fail:

```java
import java.util.Collections;

import com.googlecode.aviator.AviatorEvaluator;
import com.googlecode.aviator.AviatorEvaluatorInstance;
import com.googlecode.aviator.Options;

AviatorEvaluatorInstance evaluator = AviatorEvaluator.newInstance();
// Empty whitelist: no class may be used for static field/method access.
evaluator.setOption(Options.ALLOWED_CLASS_SET, Collections.emptySet());
```

More security options are described at https://www.yuque.com/boyan-avfmj/aviatorscript/ou23gy#elOSu. But these options only cover what I could think of; there may be other risks. From my point of view, I do not recommend exposing script execution (not only aviatorscript; exposing almost any runnable script should be done with caution) to any untrusted environment. If you really need to, set the necessary options as described in the document above, and such APIs or interfaces should always have strict authentication.

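As an added example (not the project's own code, and not taken from this thread) of the configuration the maintainer recommends: a private, locked-down `AviatorEvaluatorInstance` that evaluates untrusted boolean rules over a fixed set of bound variables. `Options.ALLOWED_CLASS_SET` and `AviatorEvaluator.newInstance()` are from the thread; `Options.FEATURE_SET`, `Feature` and `compile(String, boolean)` are assumed from the 5.x API, the class name `SafeRuleEvaluator` and the variable names are constructed, and the exact exception type raised for the rejected input is not asserted.

```java
// Added example, not the project's code: a hardened evaluator for untrusted rules.
import com.googlecode.aviator.AviatorEvaluator;
import com.googlecode.aviator.AviatorEvaluatorInstance;
import com.googlecode.aviator.Expression;
import com.googlecode.aviator.Feature;
import com.googlecode.aviator.Options;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

public class SafeRuleEvaluator {
    private final AviatorEvaluatorInstance evaluator;

    public SafeRuleEvaluator() {
        // Own instance: do not harden the global AviatorEvaluator and hope every caller shares it.
        evaluator = AviatorEvaluator.newInstance();
        // Empty class whitelist (the maintainer's setting above): no static field/method access
        // on any Java class from inside an expression.
        evaluator.setOption(Options.ALLOWED_CLASS_SET, Collections.emptySet());
        // Assumed 5.x option: disable every script-language feature (if/for/let/fn/new/...),
        // leaving only plain expressions.
        evaluator.setOption(Options.FEATURE_SET, Collections.<Feature>emptySet());
        // Deliberately NOT calling setFunctionMissing(JavaMethodReflectionFunctionMissing...):
        // with it installed, arbitrary Java methods become callable from expressions.
    }

    /** Compile (cached) and run a rule against bound variables; the rule must yield a Boolean. */
    public boolean evaluate(String rule, Map<String, Object> env) {
        Expression expr = evaluator.compile(rule, true); // throws on syntax or disabled-feature use
        Object result = expr.execute(env);
        if (!(result instanceof Boolean)) {
            throw new IllegalArgumentException("rule must evaluate to a boolean, got: " + result);
        }
        return (Boolean) result;
    }

    public static void main(String[] args) {
        SafeRuleEvaluator safe = new SafeRuleEvaluator();
        Map<String, Object> env = new HashMap<>();   // constructed sample variables
        env.put("price", 120);
        env.put("qty", 3);
        env.put("limit", 300);

        // Legitimate rule: arithmetic and comparison over bound variables only.
        System.out.println("price * qty > limit -> " + safe.evaluate("price * qty > limit", env));

        // Constructed input of the shape this issue reports (object creation inside an expression).
        // With the empty whitelist and features disabled it is expected to be rejected, not run.
        String hostile = "new java.util.Date() != nil";
        try {
            safe.evaluate(hostile, env);
            System.out.println("UNEXPECTED: hostile rule was accepted");
        } catch (RuntimeException e) {
            System.out.println("rejected hostile rule: " + e.getClass().getSimpleName());
        }
    }
}
```

The design point is that the evaluator is a per-application, pre-configured instance whose inputs are bound variables rather than raw user strings with script features enabled; combined with the authentication the maintainer calls for on the surrounding API, this keeps the engine an expression evaluator rather than a general script host.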
AviatorScript is just a script language (engine), and if you expose an API or something else that lets users execute scripts publicly, you must take responsibility for ensuring security yourself. But AviatorScript provides some security options: https://www.yuque.com/boyan-avfmj/aviatorscript/ou23gy#elOSu. In this case, you can
My suggestion is to use a script engine only in an internal, trusted environment; if you can't, you must protect the API or interface with authorization and try to set some security options. Thank you.

It seems that BCEL injection is not applicable to Aviator.
Meanwhile, from
The BCEL injection could only be reproduced above the version

@Soontao That's because aviator 4.x and older versions are not a script language but a simple expression evaluator that doesn't support new/if/for statements etc.
Please read the release notes and documents. I don't want to reply to this thread any more, thank you.

When entering an aviator expression, a new object can be created directly, but calling non-public-static methods is not allowed. The BCELClassloader can be used to load BCEL-encoded code to complete the RCE.
First prepare a malicious evil.class. Define a public static method exec that executes arbitrary commands.
Then encode it in BCEL.
Prepare the vulnerable environment, using the latest version of aviatorscript.
Perform the aviator expression injection.
The command is executed successfully.