Eclipse Equinox OSGi Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in Eclipse Equinox OSGi versions through 3.7.2. This vulnerability allows unauthenticated attackers to execute arbitrary commands by sending payloads to the OSGi console interface. Exploitation involves connecting to the OSGi console port and transmitting base64-encoded bash commands, wrapped in fork directives, to achieve code execution and establish reverse shell connections.

Impact

Exploitation of this vulnerability allows for remote code execution on the affected system, with the executed code running in the context of the user running the OSGi application.

Reproduction

To reproduce this vulnerability, connect to the OSGi console port on a target running version 3.7.2 or earlier. Once connected, send a payload consisting of base64-encoded bash commands wrapped in fork directives. This can be done using a script or tool that automates the process, such as the one available on the Exploit Database.
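As an added defender-side check (not part of this advisory entry, and not tooling from the Equinox project), the following Python audits an Equinox launch configuration for the exposure condition this entry describes: an OSGi console reachable over the network on a version at or before 3.7.2. It assumes, as labelled in the code, that the console is enabled either by the `-console [port]` launcher flag or by the `osgi.console` framework property in `configuration/config.ini`, where a numeric value opens a TCP listener and an empty value attaches the console to the process's stdin; the bundle names and config lines used as input are constructed samples. The function names (`audit`, `console_exposure`, `is_affected_version`) are this example's own.

```python
"""Audit an Equinox launch configuration for an exposed OSGi console.

Added example, not from the advisory or the Equinox project. Assumptions:
- The console is enabled by the launcher flag ``-console [port]`` or the
  framework property ``osgi.console``. A numeric value (optionally ``host:port``,
  an assumption about the accepted syntax) opens a TCP listener; an empty value
  attaches the console to stdin; an absent property leaves it disabled.
- Affected versions, per the advisory text: Equinox OSGi through 3.7.2.
"""
import re

AFFECTED_MAX = (3, 7, 2)  # "versions through 3.7.2" as stated in the advisory

# Constructed sample of a configuration/config.ini (not taken from any real install).
CONSTRUCTED_CONFIG_INI = """# constructed sample configuration/config.ini
osgi.bundles=reference:file:org.eclipse.equinox.simpleconfigurator.jar@1:start
osgi.console=1234
eclipse.product=org.example.product
"""


def parse_version(text):
    """Return the first major.minor.micro triple found in a bundle file name,
    e.g. 'org.eclipse.osgi_3.7.2.vXXXXXXXX.jar' -> (3, 7, 2); None if absent."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected_version(bundle_name):
    """True when the framework bundle version is at or below 3.7.2."""
    v = parse_version(bundle_name)
    return v is not None and v <= AFFECTED_MAX


def parse_config_ini(text):
    """Minimal key=value parser for config.ini (comments and blank lines skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def _port_of(value):
    """Extract a TCP port from '<port>' or '<host>:<port>' (host:port form is
    an assumption); None when the value does not name a port."""
    m = re.fullmatch(r"(?:[\w.\-]+:)?(\d+)", value.strip())
    return int(m.group(1)) if m else None


def console_exposure(cmdline_args, config_props):
    """Classify console enablement as ('network', port), ('stdin', None) or
    ('none', None). The launcher flag takes precedence over config.ini."""
    for i, arg in enumerate(cmdline_args):
        if arg == "-console":
            nxt = cmdline_args[i + 1] if i + 1 < len(cmdline_args) else ""
            port = _port_of(nxt)
            return ("network", port) if port is not None else ("stdin", None)
    value = config_props.get("osgi.console")
    if value is None:
        return ("none", None)
    port = _port_of(value)
    return ("network", port) if port is not None else ("stdin", None)


def audit(bundle_name, cmdline_args, config_ini_text):
    """Combine version and console exposure into a finding list and a risk level.
    'high' = network console on an affected version; 'medium' = network console
    on another version; 'low' = no network-reachable console."""
    mode, port = console_exposure(cmdline_args, parse_config_ini(config_ini_text))
    affected = is_affected_version(bundle_name)
    findings = []
    if mode == "network":
        findings.append(f"OSGi console listens on TCP port {port} without authentication")
    if affected:
        findings.append(f"framework bundle {bundle_name} is at or below 3.7.2")
    if mode == "network" and affected:
        risk = "high"
    elif mode == "network":
        risk = "medium"
    else:
        risk = "low"
    return {"console": mode, "port": port, "affected_version": affected,
            "risk": risk, "findings": findings}


if __name__ == "__main__":
    # Constructed bundle name; the version qualifier is a placeholder.
    print(audit("org.eclipse.osgi_3.7.2.vXXXXXXXX.jar", [], CONSTRUCTED_CONFIG_INI))
```

In practice the inputs come from the running JVM's argument list and the install's `configuration/config.ini`; the check is conservative in that it reports any network console as a finding regardless of version, since the advisory gives no reason to treat a network-reachable, unauthenticated console as acceptable on later versions.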

Added: May 5, 2026, 12:46 PM
Updated: May 5, 2026, 12:46 PM

Vulnerability Rating

Custom Algorithm (score per category, 0.0 to 10.0)

spread:         5.4
impact:        10.0
exploitability: 6.0
remediation:    0.0
relevance:      7.5
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.