[GROOVY-9582] Code execution - Groovy - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.0.4
Fix Version/s: None
Component/s: Groovy Console
Labels:
- security

Description

I am not sure if this working as intended but,

While reviewing the source code (https://github.com/apache/groovy/blob/49ee146850d866513aa84bc49bf22e06687484d5/src/bin/startGroovy.bat#L95) I found that groovy.bat looks for java.exe from current working directory (CWD).

In my opinion, groovy.bat looks for java.exe from the current working directory (CWD), so an attacker could place a crafted java.exe files to execute arbitrary command. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file to trigger this remotely.

This can also be exploited when groovy.bat is run via SMB shares were a malicious threat actor could store pre-build java.exe hidden the successful attack could lead to remote code execution.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Dhiraj M

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 04/Jun/20 18:15

Updated:: 05/Jun/20 07:19