SpagoBI remote code execution vulnerability analysis (requires authenticated access) - bug warning - the black bar safety net

ID MYHACK58:62201672492
Type myhack58
Reporter Anonymous (佚名)
Modified 2016-03-12T00:00:00


Today we publish the second article: the SpagoBI remote code execution vulnerability. In this article I want to talk about SpagoBI. SpagoBI is a free, open source business intelligence suite developed and maintained by Engineering Group's SpagoBI Labs. In line with the group's comprehensive open source strategy, its goal is a SpagoBI suite that meets the needs of the majority of users, customers, developers and integrators, built around an open community.

Next, let's look at a vulnerability in the SpagoBI suite that has yet to be fixed. I am doing this because, more than a year after the vulnerability information was reported, the vendor has ignored it without releasing any patch. This shows that once you have found a vulnerability, getting the vendor to act on the report can be extremely hard. Normally I would not publish vulnerability information before a patch is available, but in this case the vulnerability requires authenticated access before it can be used, so exploiting it is considerably harder.

Vulnerability description

SpagoBI uses the Groovy library in its back end to perform some of the suite's dynamic business intelligence operations. From the source code we can see that several parts of the back end use it to parse input. Groovy supports native Java objects, so if the input is not filtered at these places, code execution follows easily. In fact the system performs no input filtering at all, and the Groovy library is misused in several functions, so an attacker who controls the input can execute arbitrary code.

We downloaded and installed the SpagoBI 5.1 virtual machine image to perform the test, and navigated to the "SpagoBIQbeEngine" servlet on the Java server side. Log in as the lowest-privileged user, "bidemo", then open the "Qbe" function module. In the background we can see the request that asks the server to open a process.
In the server's response to this request, the client receives the identifier of the process that was opened. This identifier is very important to us, because successfully using this vulnerability requires passing it as a parameter to the server. We need to pass the correct identifier to invoke the vulnerable function:

http://localhost:8080/SpagoBIQbeEngine/servlet/AdapterHTTP?ACTION_NAME=Validate_Expression_Action&EXPRESSION=java.lang.Runtime.getRuntime().exec('notepad')&fields=[{"uniqueName":"test","alias":"test"}]&SBI_EXECUTION_ID=XXX

Nothing in the returned response packet indicates whether the vulnerability was exploited successfully, but on the server side you can see that Notepad (notepad.exe) is already running.
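For defenders, the request above is what an exploitation attempt looks like in the web server's access log: a Validate_Expression_Action call whose EXPRESSION parameter names JVM classes that a business-intelligence expression has no reason to touch. The following detection script is an added example, not code from the original article or from the SpagoBI project; the log lines, the user names, the IP addresses and the token list are constructed for the example, and the SBI_EXECUTION_ID values are placeholders.

```python
"""Scan access-log lines for suspicious SpagoBIQbeEngine expression-validation requests.

Added example for this page (not SpagoBI code). The log lines below are constructed
in Apache/Nginx combined-log style; addresses, users and timestamps are made up.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Tokens whose presence in a user-supplied Groovy expression deserves an alert.
# Assumption: this is an illustrative list, not a vendor-published indicator set.
SUSPICIOUS_TOKENS = (
    "java.lang.Runtime",
    "getRuntime",
    "ProcessBuilder",
    "java.lang.System",
    "java.io.File",
    "java.net.",
    "Class.forName",
    "getClass(",
    "execute(",  # Groovy's String.execute() shell helper
)

# Constructed sample: one benign expression, one matching the request shown in the
# article, and one unrelated QbeEngine action.
SAMPLE_LOG = """\
10.0.0.5 - bidemo [12/Mar/2016:10:01:02 +0000] "GET /SpagoBIQbeEngine/servlet/AdapterHTTP?ACTION_NAME=Validate_Expression_Action&EXPRESSION=price%20*%20quantity&fields=%5B%7B%22uniqueName%22%3A%22price%22%7D%5D&SBI_EXECUTION_ID=XXX HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - bidemo [12/Mar/2016:10:01:09 +0000] "GET /SpagoBIQbeEngine/servlet/AdapterHTTP?ACTION_NAME=Validate_Expression_Action&EXPRESSION=java.lang.Runtime.getRuntime().exec(%27notepad%27)&fields=%5B%7B%22uniqueName%22%3A%22test%22%2C%22alias%22%3A%22test%22%7D%5D&SBI_EXECUTION_ID=XXX HTTP/1.1" 200 498 "-" "Mozilla/5.0"
10.0.0.9 - biuser [12/Mar/2016:10:02:30 +0000] "GET /SpagoBIQbeEngine/servlet/AdapterHTTP?ACTION_NAME=GET_DATASETS&SBI_EXECUTION_ID=YYY HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined-log prefix: client, ident, authenticated user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with the request fields and decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qs(parts.query, keep_blank_values=True)
    return {
        "ip": m.group("ip"),
        "user": m.group("user"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "path": parts.path,
        "params": {k: v[0] for k, v in params.items()},  # first value of each parameter
    }


def suspicious_tokens(expression):
    """Return the red-flag tokens found in a decoded EXPRESSION value."""
    # Collapse whitespace so 'java. lang. Runtime' matches as well as 'java.lang.Runtime'.
    compact = re.sub(r"\s+", "", expression)
    return [t for t in SUSPICIOUS_TOKENS if t in compact]


def scan_log(text):
    """Return one alert per Validate_Expression_Action request with a suspicious expression."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/SpagoBIQbeEngine/servlet/AdapterHTTP"):
            continue
        if rec["params"].get("ACTION_NAME") != "Validate_Expression_Action":
            continue
        expr = rec["params"].get("EXPRESSION", "")
        hits = suspicious_tokens(expr)
        if hits:
            alerts.append({
                "user": rec["user"],
                "ip": rec["ip"],
                "ts": rec["ts"],
                "execution_id": rec["params"].get("SBI_EXECUTION_ID"),
                "expression": expr,
                "tokens": hits,
            })
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['ts']} user={a['user']} ip={a['ip']} exec_id={a['execution_id']} tokens={a['tokens']}")
        print("  EXPRESSION:", a["expression"])
```

Because the servlet requires an authenticated session, every alert carries the user name from the log, which is the first thing an incident responder needs; the token match is deliberately done on the whitespace-stripped, URL-decoded value so that the spaced-out form of the expression is caught as well as the compact one.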

Summary

What I want to say in this article is that for more than a year SpagoBI users have been exposed to this security risk, and, judging by the timeline, they still face the threat today. Over the past year I waited for the official fix, because I know that fixing this bug is not easy, so I thought waiting was fair. But faced with the vendor's indifference, I have to disclose the vulnerability.

Timeline

17/12/2014: first e-mail to the vendor, including the vulnerability details
22/12/2014: second e-mail, requesting confirmation of the vulnerability
22/12/2014: vendor confirmation of the vulnerability received
22/01/2015: third e-mail, requesting feedback on the vulnerability status
19/02/2015: fourth e-mail, requesting feedback on the vulnerability status
23/02/2015: vendor reply received, saying a sandbox mechanism would be added
24/02/2015: fifth e-mail, warning that the chosen sandbox solution does not fix the vulnerability
03/12/2015: sixth e-mail, warning that the whitelist contains methods that may allow arbitrary code execution on the server
03/12/2015: vendor feedback received, saying they would implement whitelist mode, with details
07/12/2015: seventh e-mail, warning that the whitelist mechanism still contains methods that allow writing arbitrary content on the server
09/12/2015: the arbitrary write problem silently fixed
08/03/2016: still no feedback received from the vendor; the vulnerability is disclosed now