# Vulnerability Summary: jeecboot_JeecBoot Insecure Reflection Leads to Remote Code Execution

## Vulnerability Overview

In the `jeecboot_JeecBoot` system, the `FillRuleUtil` component has a **second-order remote code execution (RCE)** vulnerability.

- **Root Cause**: The `/sys/fillRule/edit` endpoint lacks role-based authorization and input validation, allowing any authenticated user to modify existing fill rules and store malicious class names in the database.
- **Trigger Mechanism**: When an administrator or user creates a department via `/sys/sysDepart/add`, the system retrieves this malicious rule and instantiates the stored class using `Class.forName().newInstance()`, resulting in arbitrary code execution.

## Impact Scope

- **Affected Versions**: `<= v3.9.1`
- **Affected Components**:
  - `SysFillRuleController.java` (L96-100)
  - `SysDepartController.java` (L213-230)
  - `SysDepartServiceImpl.java` (L187-227)
  - `FillRuleUtil.java` (L30-84)
- **Entry Points**:
  - Injection Point: `POST /sys/fillRule/edit`
  - Trigger Point: `POST /sys/sysDepart/add`

## Remediation Plan

- **Authorization Check**: Add a `@RequiresPermissions` check to the `edit` method of `SysFillRuleController.java` to restrict access to fill rule editing.
- **Input Validation**: Enforce strict whitelist validation on the `ruleClass` field so that users cannot submit arbitrary class names.
## POC Code

**Malicious Payload (Phase 1: Infection)**

```json
{
  "id": "existing_fill_rule_id",
  "ruleCode": "org_num_role",
  "ruleClass": "org.apache.commons.collections3.functors.InvokerTransformer",
  "ruleParams": "{\"methodValue\": \"invoke\", \"args\": [\"calc.exe\"]}"
}
```

**Exploit Code (Phase 3: Detonation)**

The vulnerable path in `FillRuleUtil.java`; the name `serviceImpl` for the fill-rule service bean is assumed, since the original line was garbled in extraction.

```java
// Line 36-38: Query the sys_fill_rule table by rule_code
QueryWrapper queryWrapper = new QueryWrapper();
queryWrapper.eq("rule_code", ruleCode); // "org_num_role"
// serviceImpl: the injected fill-rule service (name assumed)
JSONObject entity = JSON.parseObject(JSON.toJSONString(serviceImpl.getOne(queryWrapper)));

// Line 44: Extract ruleClass from the database row (now attacker-controlled)
String ruleClass = entity.getString("ruleClass");

// Line 77: UNSAFE REFLECTION - RCE HERE
// The class name comes straight from the database with no allowlist or type check
IFillRuleHandler ruleHandler = (IFillRuleHandler) Class.forName(ruleClass).newInstance();
return ruleHandler.execute(params, formData);
```
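The following is an added example of the remediation described above, not code from the JeecBoot project: it places the vulnerable `Class.forName(ruleClass).newInstance()` pattern beside a hardened loader that checks `ruleClass` against a fixed allowlist of shipped handler classes and verifies the loaded type implements the handler interface before instantiating it. The `IFillRuleHandler` interface shape, the `OrgCodeRule` handler and the `isValidRuleClass` helper are illustrative assumptions; the allowlist would be populated from the application's real rule handlers.

```java
import java.util.Map;
import java.util.Set;

// Added example (not JeecBoot's own code): allowlist-based loading of fill rule handlers.
public class SafeFillRuleLoader {

    /** Minimal stand-in for the project's IFillRuleHandler interface (shape assumed). */
    public interface IFillRuleHandler {
        Object execute(String params, Map<String, Object> formData);
    }

    /** Illustrative handler that the application legitimately ships. */
    public static class OrgCodeRule implements IFillRuleHandler {
        @Override
        public Object execute(String params, Map<String, Object> formData) {
            return "A01";
        }
    }

    /** Allowlist: only handler classes bundled with the application may ever be instantiated. */
    private static final Set<String> ALLOWED_RULE_CLASSES = Set.of(
            OrgCodeRule.class.getName()
    );

    /** Vulnerable pattern from the advisory: instantiate whatever string the database holds. */
    public static IFillRuleHandler loadUnsafe(String ruleClass) throws Exception {
        return (IFillRuleHandler) Class.forName(ruleClass).newInstance();
    }

    /**
     * Hardened pattern: allowlist check first, then a type check on the loaded class,
     * and only then instantiation.
     */
    public static IFillRuleHandler loadSafe(String ruleClass) {
        if (!isValidRuleClass(ruleClass)) {
            throw new IllegalArgumentException("ruleClass not in allowlist: " + ruleClass);
        }
        try {
            // initialize=false: no static initializer of the target class runs before the type check
            Class<?> cls = Class.forName(ruleClass, false, SafeFillRuleLoader.class.getClassLoader());
            if (!IFillRuleHandler.class.isAssignableFrom(cls)) {
                throw new IllegalArgumentException("not an IFillRuleHandler: " + ruleClass);
            }
            return (IFillRuleHandler) cls.getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("cannot instantiate rule handler " + ruleClass, e);
        }
    }

    /**
     * Validation for the edit endpoint: applying the same allowlist when the rule is saved
     * keeps a malicious class name from ever reaching sys_fill_rule.
     */
    public static boolean isValidRuleClass(String ruleClass) {
        return ruleClass != null && ALLOWED_RULE_CLASSES.contains(ruleClass);
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate handler name and the class name from the advisory payload
        String legitimate = OrgCodeRule.class.getName();
        String tampered = "org.apache.commons.collections3.functors.InvokerTransformer";

        System.out.println("valid(legitimate) = " + isValidRuleClass(legitimate));
        System.out.println("valid(tampered)   = " + isValidRuleClass(tampered));
        System.out.println("execute = " + loadSafe(legitimate).execute("{}", Map.of()));
        try {
            loadSafe(tampered);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two properties matter here: the allowlist is applied both at write time (the `edit` endpoint, alongside the `@RequiresPermissions` authorization check) and at load time in `FillRuleUtil`, so a row that was tampered with before the fix, or through any other path, still cannot be instantiated; and `Class.forName` is called with `initialize=false` so that merely naming a class cannot run its static initializer before the type check rejects it.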