Yonyou UFIDA NC BeanShell Code Injection Vulnerability Allowing Remote Command Execution

Vulnerability

A code injection vulnerability has been identified in Yonyou UFIDA NC versions through 6.5. The issue arises from the BeanShell testing servlet, which is exposed without proper access controls, allowing unauthenticated remote attackers to execute arbitrary Java code. This vulnerability can be exploited to run system commands, potentially leading to full control over the target server. The problem originates from a third-party JAR component bundled with the application, and the vulnerable servlet is accessible without authentication on affected installations.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server, with the executed code running in the context of the application, potentially leading to full system access.

Reproduction

To reproduce this vulnerability, access the BeanShell Test Servlet page at 'http://<target>/servlet/~ic/bsh.servlet.BshServlet' without authentication. Once on the page, the 'bsh.script' parameter can be used to execute commands. For example, entering 'exec("whoami");' will successfully execute the command and return the result.
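For defenders checking whether an installation has been probed, the following is an added example (not part of this advisory or of Yonyou's code) that scans web-server access logs for requests to the servlet path and parameter named above. It assumes Apache/Nginx common or combined log format; the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Servlet path and script parameter named in the advisory.
BSH_SERVLET_PATH = "/servlet/~ic/bsh.servlet.BshServlet"
BSH_SCRIPT_PARAM = "bsh.script"

# Minimal matcher for Apache/Nginx common or combined access-log lines (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def analyze_line(line):
    """Return a finding for one access-log line, or None if it does not touch the servlet."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Decode the path so an encoded '~' (%7E) still matches; parse_qs decodes the query itself.
    if BSH_SERVLET_PATH.lower() not in unquote(parts.path).lower():
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    script = params.get(BSH_SCRIPT_PARAM, [""])[0]
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "method": m.group("method"),
        "status": int(m.group("status")),
        "script": script,
        # A script in the query string is an execution attempt; any other hit on the
        # servlet (including a POST, whose body the access log does not record) is
        # still an exposure probe and is reported at lower severity.
        "severity": "high" if script else "medium",
    }

def scan(lines):
    """Run analyze_line over every log line and keep the findings."""
    return [f for f in (analyze_line(l) for l in lines) if f is not None]

# Constructed sample log lines (not real traffic) covering a benign request,
# a bare hit on the servlet, an encoded request carrying a script, and a blocked POST.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jun/2025:04:54:00 +0000] "GET /portal/login.jsp HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Jun/2025:04:55:10 +0000] "GET /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1" 200 1743',
    '10.0.0.9 - - [24/Jun/2025:04:55:31 +0000] "GET /servlet/%7Eic/bsh.servlet.BshServlet?bsh.script=exec%28%22whoami%22%29%3B HTTP/1.1" 200 88',
    '10.0.0.9 - - [24/Jun/2025:04:56:02 +0000] "POST /servlet/~ic/bsh.servlet.BshServlet HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']} {f['method']} status={f['status']} script={f['script']!r}")
```

Because the script parameter can also travel in a POST body that access logs do not capture, treat every request to the servlet path as worth investigating, and verify the patch has removed or restricted the servlet rather than relying on log review alone.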

Remediation

Yonyou has provided a patch for this vulnerability. The patch can be downloaded from the Yonyou UMC Patch Query website.

Added: Jun 24, 2025, 4:54 AM
Updated: Jun 24, 2025, 4:54 AM