fcba_zzm ics-park Smart Park Management System Remote Code Execution Vulnerability via Scheduled Tasks
Vulnerability
A remote code execution vulnerability has been identified in fcba_zzm ics-park Smart Park Management System version 2.0. The issue arises in the Scheduled Task Module, specifically within the JobController.java file. The vulnerability allows code injection by accepting user-supplied method references without proper validation. This flaw can be exploited remotely, leading to the execution of arbitrary code on the affected server.
Impact
Exploitation of this vulnerability allows for remote execution of arbitrary code on the server, potentially leading to a complete compromise of the system. This could include manipulation or destruction of business data and logic, exposure of sensitive information, unauthorized privilege escalation, and lateral movement within the internal network.
Reproduction
To reproduce this vulnerability, an administrator must create or update a scheduled task through the application's API. The request should include a malicious payload in the 'invokeTarget' field, specifying an arbitrary method that can be exploited, such as one from the Yaml library that loads a malicious script.
Remediation
It is recommended to implement input validation and sanitization when managing scheduled tasks, restrict execution to a whitelist of safe methods, and update to the latest secure version of RuoYi where this issue has been addressed.
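The allowlist restriction recommended above can be enforced as a fail-closed check on the 'invokeTarget' value before a task is saved or run. The following is an added example, not code from ics-park or RuoYi; the class name InvokeTargetValidator, the bean and method names in the allowlist, and the assumed beanName.method(args) shape of 'invokeTarget' are all hypothetical.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class InvokeTargetValidator {
    // Hypothetical allowlist: bean name -> methods a scheduled task may invoke.
    private static final Map<String, Set<String>> ALLOWED = Map.of(
            "reportTask", Set.of("generateDaily", "purgeOlderThan"),
            "syncTask", Set.of("run"));

    // Assumed shape: beanName.method(args). The bean segment may not contain dots,
    // so a fully qualified class name can never match.
    private static final Pattern SHAPE = Pattern.compile(
            "^([A-Za-z][A-Za-z0-9]*)\\.([A-Za-z][A-Za-z0-9]*)\\((.*)\\)$");

    // Arguments are limited to simple literals: short quoted strings, numbers, booleans.
    private static final Pattern ARG = Pattern.compile(
            "^\\s*('[^'\\\\]{0,64}'|-?\\d{1,18}[LD]?|true|false)\\s*$");

    public static boolean isAllowed(String invokeTarget) {
        if (invokeTarget == null || invokeTarget.length() > 256) return false;
        Matcher m = SHAPE.matcher(invokeTarget.trim());
        if (!m.matches()) return false;
        Set<String> methods = ALLOWED.get(m.group(1));
        if (methods == null || !methods.contains(m.group(2))) return false;
        String args = m.group(3);
        if (args.isBlank()) return true;
        // A comma inside a quoted string splits into invalid pieces and is rejected (fails closed).
        for (String arg : args.split(",", -1)) {
            if (!ARG.matcher(arg).matches()) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the advisory.
        String[] samples = {
            "reportTask.purgeOlderThan(30)",       // listed bean and method
            "syncTask.run()",                      // listed, no arguments
            "reportTask.deleteAll()",              // method not on the allowlist
            "com.example.util.Loader.load('x')",   // fully qualified class name
            "reportTask.generateDaily('a' + b)"    // argument is not a plain literal
        };
        for (String s : samples) {
            System.out.printf("%-40s -> %s%n", s, isAllowed(s) ? "accept" : "reject");
        }
    }
}
```

The check belongs in both the create and update handlers for scheduled tasks, and again immediately before the scheduler resolves the target, so that entries already stored are also covered.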
