The uploaded malicious plug-in is parsed and the command is executed

[afeng2016-s]

Vulnerability information

PerfreeBlog implements the extension plug-in function based on SpringBoot and pf4j. After the plug-in is developed, it is packaged as a jar package, which can be directly installed and used online through the plug-in management of PerfreeBlog background. If an attacker develops a plug-in and inserts malicious code, uploading the malicious plug-in after the malicious code is parsed can trigger command execution.

affected version

<= v3.1.2

vulnerability analysis

1. Download the latest PerfreeBlog running package and decompress it.
   After the directory is decompressed, run start.bat
   

2, Access the Web service, initialize the database and administrator account.

3. Make a plug-in with malicious code.
   Plug-in development refer to: https://perfree.gitee.io/plugin-develop/create.html.
   The malicious code is as follows: the calculator pops up when admin/plugin/access/list is accessed.
   

4. Upload the plug-in and run.
   

5. access the admin/plugin/access/list interface and execute the malicious code successfully.
   

[attritionorg]

"it is packaged as a jar package, which can be directly installed and used online through the plug-in management of PerfreeBlog background"

So how is this a vulnerability? It requires admin access to then use intended functionality. It's a trusted interface, so if an admin wants to run arbitrary code, there is likely other ways to do that which are intended as well, no?