Java Pebble template engine vulnerable to command injection



Ben Dickson September 26, 2022 at 13:06 UTC

Updated: September 26, 2022 14:37 UTC

The issue has not yet been fixed, but workarounds are available

The Java Pebble templating engine was vulnerable to a bug that could allow attackers to bypass its security mechanisms and carry out command injection attacks against host servers.

Pebble Templates is attractive because of its easy-to-use template system for web applications, its internationalization capabilities, and security features such as auto-escaping and a blocklist-based method access validator that is meant to prevent command execution attacks.

However, according to findings from a security researcher, Pebble’s command execution defense can be circumvented with carefully crafted code and template files.

Pebble Security Bypass

The bypass works when Pebble is used in combination with Spring, a popular Java application framework. Many Spring classes are registered as beans, allowing them to be dynamically loaded at runtime.

Using the Java bean mechanism, an attacker can load any of the Spring objects that support class loading.

The attacker then uses Jackson, a data-parsing library, to read an XML file containing the specification of a class to instantiate and a method to execute. This gives the attacker a way to execute arbitrary code on the server.

In a proof of concept, the researcher used a Pebble template to load an XML file from the web and instantiate a Java class that supports running system commands on the server.

No easy solution yet

The bug report has triggered a discussion on GitHub. Since the vulnerability was assigned a CVE, it triggers security alerts in enterprise systems that depend on the current version of Pebble.

The developers are working on a fix, but since it’s a community project, it’s unclear when it will be released. The maintainers have provided some workarounds to secure the projects in the meantime.

It should be noted that to exploit the bug, an attacker would need a way to upload a malicious Pebble template to the server. Therefore, a defensive measure would be to tighten security controls on user-provided content and restrict template downloads.
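To illustrate the defensive measure above in code, here is an added example (not from the article, the researcher, or the Pebble project) contrasting the risky pattern of rendering a user-controlled string as template source with the safer pattern of rendering only application-shipped templates and passing user data in through the template context. It assumes Pebble 3.1.x with the `com.mitchellbosecke.pebble` package on the classpath; the class name, template names and method names are made up for the illustration.

```java
// Added example (not from the article or the Pebble project): keep user input
// out of template *source*, so the engine only ever parses trusted templates.
// Assumes Pebble 3.1.x (package com.mitchellbosecke.pebble); the class name,
// template names and method names here are illustrative.
import com.mitchellbosecke.pebble.PebbleEngine;
import com.mitchellbosecke.pebble.loader.ClasspathLoader;
import com.mitchellbosecke.pebble.template.PebbleTemplate;

import java.io.IOException;
import java.io.StringWriter;
import java.util.Map;
import java.util.Set;

public class SafeTemplateRendering {

    // Only templates shipped with the application may be rendered; the name
    // is checked against this allowlist instead of being taken verbatim from
    // the request (constructed names for the example).
    private static final Set<String> ALLOWED_TEMPLATES =
            Set.of("greeting.peb", "invoice.peb");

    private final PebbleEngine engine = new PebbleEngine.Builder()
            .loader(new ClasspathLoader())   // templates come from the classpath only
            .strictVariables(true)           // unknown variables fail loudly
            .build();

    /**
     * RISKY pattern: the user-controlled string becomes template source, so
     * whatever the template language can reach, the user can reach too.
     */
    public String renderUnsafe(String userSuppliedTemplate) throws IOException {
        PebbleTemplate t = engine.getLiteralTemplate(userSuppliedTemplate);
        StringWriter out = new StringWriter();
        t.evaluate(out);
        return out.toString();
    }

    /**
     * SAFER pattern: the template is chosen from a fixed allowlist and the
     * user's data enters only as a context value, where it is treated as
     * data (and auto-escaped on output), never parsed as template syntax.
     */
    public String renderSafe(String templateName, String userName) throws IOException {
        if (!ALLOWED_TEMPLATES.contains(templateName)) {
            throw new IllegalArgumentException("unknown template: " + templateName);
        }
        PebbleTemplate t = engine.getTemplate(templateName);
        StringWriter out = new StringWriter();
        t.evaluate(out, Map.of("name", userName));
        return out.toString();
    }
}
```

The allowlist check is the part that matters: it turns "which template gets rendered" from an attacker-influenced input into a fixed application decision, which is exactly the upload/selection path the article identifies as the precondition for exploitation.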

The Daily Swig has contacted Pebble officials and will update this post if and when we receive a response.
