In datax-web/datax-core/src/main/java/com/wugui/datatx/core/executor/JobExecutor.java the executor uses the Hessian protocol directly as its serialization method (see datax-web/datax-rpc/src/main/java/com/wugui/datax/rpc/serialize/impl/HessianSerializer.java). Because the executor rpc interface has no permission checks by default, an attacker can send maliciously constructed Hessian serialized data to the rpc interface, leading to command execution.

PoC:
Use ysomap to generate the payload with SpringAbstractBeanFactoryPointcutAdvisor.SpringJndiBullet1.
aboutbo changed the title from "[BUG] executor rpc interface has no permission checks by default; a deserialization vulnerability exists" to "[BUG] datax-web executor rpc interface has no privilege checks by default, which leads to deserialization" on Nov 29, 2022.
aboutbo changed the title to "[BUG] [CVE-2022-46478] datax-web executor rpc interface has no privilege checks by default, which leads to deserialization" on May 4, 2023.
PoC request against the executor rpc port:
curl -XPOST --header "Content-Type:application/octet-stream" --data-binary "@payload" http://ip:9999/

This issue affects datax-web 2.7.x version 1.0.0, 2.0.0-2.1.2
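As an added, defender-side example (not datax-web's own code and not from the reporter), the Java class below shows the two fixes the report implies: an access-token check on the rpc entry point, so unauthenticated bytes never reach the deserializer at all, and a Hessian SerializerFactory whose ClassFactory runs in whitelist mode, so only the rpc's own message types can be instantiated from the stream and a gadget class such as the one named in the PoC is refused instead of loaded. It assumes Hessian 4.0.51 or later (where com.caucho.hessian.io.ClassFactory exists); the header name DATAX-ACCESS-TOKEN, the package pattern com.wugui.datax.rpc.* as the home of the message types, and the class name HardenedHessianRpc are assumptions, not project identifiers.

```java
// Added example, not datax-web code. Assumes hessian >= 4.0.51 (ClassFactory allow/deny lists).
import com.caucho.hessian.io.HessianInput;
import com.caucho.hessian.io.HessianOutput;
import com.caucho.hessian.io.SerializerFactory;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

public final class HardenedHessianRpc {

    /** Header carrying the shared secret between admin and executor (name is an assumption). */
    public static final String TOKEN_HEADER = "DATAX-ACCESS-TOKEN";

    /** One SerializerFactory for both directions; its ClassFactory decides which classes may be loaded. */
    private static final SerializerFactory SERIALIZER_FACTORY = new SerializerFactory();

    static {
        // Whitelist mode: a class name in the stream must match an allowed pattern, otherwise
        // Hessian refuses to load it. Spring/JNDI gadget classes match none of these.
        SERIALIZER_FACTORY.getClassFactory().setWhitelist(true);
        SERIALIZER_FACTORY.getClassFactory().allow("java.lang.*");
        SERIALIZER_FACTORY.getClassFactory().allow("java.util.*");
        SERIALIZER_FACTORY.getClassFactory().allow("com.wugui.datax.rpc.*"); // assumption: rpc message types
    }

    private final byte[] expectedToken;

    public HardenedHessianRpc(String accessToken) {
        if (accessToken == null || accessToken.isEmpty()) {
            // Refuse to run "open": an empty token would reproduce the unauthenticated default.
            throw new IllegalStateException("executor must not start without an access token");
        }
        this.expectedToken = accessToken.getBytes(StandardCharsets.UTF_8);
    }

    /** Serializes with the restricted factory so our own output stays within the allowed classes. */
    public static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        HessianOutput out = new HessianOutput(bos);
        out.setSerializerFactory(SERIALIZER_FACTORY);
        out.writeObject(obj);
        out.flush();
        return bos.toByteArray();
    }

    /** Deserializes under the whitelist; unknown class names are not instantiated. */
    public static Object deserialize(byte[] bytes) throws IOException {
        HessianInput in = new HessianInput(new ByteArrayInputStream(bytes));
        in.setSerializerFactory(SERIALIZER_FACTORY);
        return in.readObject();
    }

    /** Constant-time comparison so the token cannot be recovered byte by byte through timing. */
    public boolean isAuthorized(Map<String, String> headers) {
        String presented = headers.get(TOKEN_HEADER);
        if (presented == null) {
            return false;
        }
        return MessageDigest.isEqual(expectedToken, presented.getBytes(StandardCharsets.UTF_8));
    }

    /** Entry point for the raw POST body: authenticate first, deserialize second, never the reverse. */
    public Object handle(Map<String, String> headers, byte[] body) throws IOException {
        if (!isAuthorized(headers)) {
            throw new SecurityException("request rejected: missing or invalid access token");
        }
        return deserialize(body);
    }

    public static void main(String[] args) throws IOException {
        HardenedHessianRpc rpc = new HardenedHessianRpc("change-me-at-deploy-time");
        // Constructed sample message: a plain map standing in for an rpc request.
        byte[] body = serialize(new HashMap<>(Map.of("method", "run")));

        try {
            rpc.handle(Map.of(), body); // no token: rejected before Hessian sees a byte
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        Object ok = rpc.handle(Map.of(TOKEN_HEADER, "change-me-at-deploy-time"), body);
        System.out.println("accepted: " + ok); // prints the round-tripped map
    }
}
```

The order of the two checks matters: the token check runs on the headers alone, so a request without a valid token is dropped without any parsing of the body, and the class whitelist is the second layer for the case where a token leaks or a trusted caller is compromised. Allowing whole package prefixes is a starting point; tightening the list to the exact request and response classes the rpc exchanges gives the deserializer the smallest possible surface.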