This repository contains a proof of concept for Remote Code Execution (RCE) against OpenRefine < 3.1-beta. By exploiting a directory traversal vulnerability in the Create Project functionality, CVE-2018-19859, a malicious user can upload a custom Java extension to gain code execution.

This proof of concept contains a simple Java reverse shell which is activated when a user navigates to `{webroot}/extension/whiteoak/`.
- Grab a local vulnerable version of OpenRefine, such as version 2.8.
- Clone this extension repository into the `openrefine/extensions/` directory.
- Modify the `build.xml` file in the extensions directory to add a reference to the new extension.
- Compile the extension with `./refine clean && ./refine build`.
- Generate the malicious zip archive using `evilarc_whiteoak.py` to create a zip slip archive of an entire directory. Ensure the webroot path is provided:

  ```
  python3 evilarc_whiteoak.py -d 14 -p "{webroot directory}/openrefine/webapp/extensions/" whiteoak/
  ```

- Upload the extension using the vulnerability described in CVE-2018-19859 via the Create Project functionality and restart the OpenRefine webserver.
- Navigate to `{webroot}/extension/whiteoak/` and catch your new shell.
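The archive step above relies on the importer writing entry names to disk without sanitising them. The following is an added example for this README (not part of the PoC or of OpenRefine) showing the check an upload handler should run before unpacking: it lists every entry whose path would land outside the extraction directory, so the whole archive can be refused. The sample archive it builds is a constructed fixture with one benign entry and one traversal entry; `dest` and the entry names are assumptions.

```python
"""Reject zip-slip archives before extraction (added defensive example)."""
import io
import os
import zipfile
from typing import List


def unsafe_entries(zip_bytes: bytes, dest: str = "/srv/openrefine/upload") -> List[str]:
    """Return the entry names that would be written outside ``dest``.

    Catches "../" sequences and absolute entry names. Paths are resolved
    the same way an extractor would join them, then compared against the
    destination root; anything that escapes is reported verbatim.
    """
    root = os.path.abspath(dest)
    escaping = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # Archives built on Windows may carry backslash separators.
            normalised = name.replace("\\", "/")
            # os.path.join discards ``root`` if the entry is absolute, and
            # abspath collapses any ".." components; both cases then fail
            # the common-prefix test below.
            target = os.path.abspath(os.path.join(root, normalised))
            if os.path.commonpath([root, target]) != root:
                escaping.append(name)
    return escaping


def build_sample_archive(include_traversal: bool = True) -> bytes:
    """Constructed fixture: a benign extension file plus, optionally, one
    entry of the kind a zip-slip generator emits (hypothetical names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("whiteoak/README.txt", "benign extension file\n")
        if include_traversal:
            zf.writestr("../" * 3 + "webapp/extensions/whiteoak/x.txt", "escapes\n")
    return buf.getvalue()


if __name__ == "__main__":
    found = unsafe_entries(build_sample_archive())
    if found:
        print("refusing archive; entries escape the upload directory:", found)
    else:
        print("archive is clean")
```

Python's own `ZipFile.extractall` already strips such components; the check is for extractors that write entry names as given.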
@itsacoderepo for the CVE details on GitHub.
@ptoomy3 for the original Zip Slip archive generation tool, which White Oak Security updated to python3 and added support for archiving directories.