Apache Commons SCXML Remote Code Execution
0x01 What is Apache Commons SCXML?
Here is the Apache official explanation.
State Chart XML (SCXML) is currently a Working Draft specification published by the World Wide Web Consortium (W3C). SCXML provides a generic state-machine based execution environment based on Harel State Tables. SCXML is a candidate for the control language within multiple markup languages coming out of the W3C (see the latest Working Draft for details). Commons SCXML is an implementation aimed at creating and maintaining a Java SCXML engine capable of executing a state machine defined using a SCXML document, while abstracting out the environment interfaces.
0x02 How to find it
When I audited the source code, I unintentionally found out a sensitive class named
Then I kept on analysing the critical class SCXMLReader. The class consisted of several static methods; one of them, named read, could load an XML file from the parameter scxmlPath. However, the method did not verify that the XML file came from a legitimate source; in other words, it could load an XML file from any untrustworthy source.
Next, I stepped into the readInternal method, which tried to resolve the URL of the XML file.
Obviously, it did not restrict the loading source, so a remote resource could also be initialized.
Then, I stepped into the getReader method, which tried to load the XML stream as input.
If the file path is a URL, the input stream is obtained from the URL resource.
The XML stream is returned finally.
Next, I definitely needed some method to handle the XML stream; here I convinced myself that the method called setStateMachine was what I needed.
Then I stepped into the method. We can see the initialization of the instance.
At last, the instance was initialized and the Java Expression Language in the XML file was executed by
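The check the analysis above found missing is a restriction on where scxmlPath may point. As an added example (not code from the original post or from the Commons SCXML project), the hypothetical wrapper below only passes SCXMLReader.read a location it has first pinned inside one trusted directory: any value carrying a URL scheme, any absolute path and any path that escapes the directory is rejected before the reader ever resolves it, so the remote-loading branch described in readInternal and getReader is never reached with untrusted input. The class TrustedScxmlLoader, its trusted-root argument and the sample inputs in main are assumptions; SCXMLReader.read(String), SCXMLExecutor and setStateMachine are used as the post describes them, with their signatures assumed from the commons-scxml2 2.0 API.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Path;
import java.nio.file.Paths;

import javax.xml.stream.XMLStreamException;

import org.apache.commons.scxml2.SCXMLExecutor;
import org.apache.commons.scxml2.io.SCXMLReader;
import org.apache.commons.scxml2.model.ModelException;
import org.apache.commons.scxml2.model.SCXML;

/**
 * Hypothetical wrapper (assumption: not part of Commons SCXML) that refuses to
 * hand an untrusted location to SCXMLReader.read(String).
 */
public final class TrustedScxmlLoader {

    // Only state-machine definitions under this directory are trusted (assumption).
    private final Path trustedRoot;

    public TrustedScxmlLoader(Path trustedRoot) {
        this.trustedRoot = trustedRoot.toAbsolutePath().normalize();
    }

    /** Returns true only if scxmlPath names a file strictly inside trustedRoot. */
    public boolean isTrustedLocation(String scxmlPath) {
        if (scxmlPath == null || scxmlPath.isEmpty()) {
            return false;
        }
        // Reject anything with a URL scheme (http, ftp, jar, file, ...): the reader
        // would open such a value as a URL instead of a local file.
        try {
            if (new URI(scxmlPath).getScheme() != null) {
                return false;
            }
        } catch (URISyntaxException e) {
            // Not a URI at all; treat it as a plain path below.
        }
        // Resolve against the trusted root and normalise away "..": an absolute
        // path or a traversal ends up outside the root and is rejected.
        Path resolved = trustedRoot.resolve(scxmlPath).toAbsolutePath().normalize();
        return resolved.startsWith(trustedRoot) && !resolved.equals(trustedRoot);
    }

    /** Loads the SCXML document only after the location has passed the check. */
    public SCXML load(String scxmlPath)
            throws IOException, ModelException, XMLStreamException {
        if (!isTrustedLocation(scxmlPath)) {
            throw new SecurityException("refusing to load SCXML from: " + scxmlPath);
        }
        Path resolved = trustedRoot.resolve(scxmlPath).toAbsolutePath().normalize();
        // Hand the reader a file: URL for the validated local file, so the path it
        // receives is one we built, not the caller's string.
        return SCXMLReader.read(resolved.toUri().toString());
    }

    /** Wires the trusted document into an executor, as the post's setStateMachine step. */
    public SCXMLExecutor start(String scxmlPath)
            throws IOException, ModelException, XMLStreamException {
        SCXMLExecutor executor = new SCXMLExecutor();
        executor.setStateMachine(load(scxmlPath));
        executor.go();
        return executor;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the directory name is an assumption.
        TrustedScxmlLoader loader = new TrustedScxmlLoader(Paths.get("/opt/app/scxml"));
        String[] samples = {
            "workflow.scxml",                        // accepted: inside the root
            "sub/dir/flow.scxml",                    // accepted: inside the root
            "http://example.com/machine.scxml",      // rejected: remote URL
            "file:///opt/app/scxml/workflow.scxml",  // rejected: scheme, even if local
            "../../etc/passwd",                      // rejected: escapes the root
            "/tmp/untrusted.scxml"                   // rejected: absolute path
        };
        for (String s : samples) {
            System.out.println((loader.isTrustedLocation(s) ? "ALLOW  " : "REJECT ") + s);
        }
    }
}
```

The check runs before the reader sees the string, which is the point: once SCXMLReader.read has resolved a URL and the executor has called setStateMachine, the expressions in the document are evaluated, so the only effective control is on what is allowed to reach the reader. Treat the location as configuration owned by the deployer, never as request data.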
0x03 Proof of Concept
By convention, I eventually demonstrate it with the complete PoC.
The screenshot of this illustration.