Pig-Mesh Remote Code Execution Vulnerability in Quartz Management
Vulnerability
A remote code execution vulnerability exists in Pig-Mesh versions through 3.8.2. The issue is in the Quartz management function within the system management module, where scheduled tasks can be configured to execute any Java class with a parameterless constructor. The flaw lies in the reflective invocation of methods on these classes that accept String parameters. Notably, the eval method of Tomcat's built-in jakarta.el.ELProcessor class can be leveraged to execute commands, leading to arbitrary code execution.
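One way to close the reflection path described above is to resolve a task target only when its exact class and method pair is allowlisted. This is an added example, not Pig-Mesh code or its official fix; JobTargetGuard, SampleJob and the allowlist entry are hypothetical names constructed for illustration.

```java
import java.lang.reflect.Method;
import java.util.Set;

// Hypothetical guard (not Pig-Mesh code): a scheduled-task target is resolved
// only when its exact class#method pair has been registered by the application.
public class JobTargetGuard {

    // Constructed sample job standing in for an application-owned task class.
    public static class SampleJob {
        public String run(String arg) { return "ran with " + arg; }
    }

    // Assumption: the allowlist is fixed at build or deploy time, never user-editable.
    private static final Set<String> ALLOWED = Set.of("JobTargetGuard$SampleJob#run");

    static Method resolve(String className, String methodName)
            throws ReflectiveOperationException {
        String key = className + "#" + methodName;
        // Reject before any class loading, so user-supplied names never reach Class.forName.
        if (!ALLOWED.contains(key)) {
            throw new SecurityException("task target not allowlisted: " + key);
        }
        // initialize=false: resolving the class does not run its static initializers.
        Class<?> type = Class.forName(className, false, JobTargetGuard.class.getClassLoader());
        return type.getMethod(methodName, String.class);
    }

    public static void main(String[] args) throws Exception {
        // Constructed task definitions: a registered target, then the class and method
        // named in this advisory, which the guard must refuse.
        String[][] tasks = {
            {"JobTargetGuard$SampleJob", "run"},
            {"jakarta.el.ELProcessor", "eval"},
        };
        for (String[] t : tasks) {
            try {
                Method m = resolve(t[0], t[1]);
                Object target = m.getDeclaringClass().getDeclaredConstructor().newInstance();
                System.out.println("OK   " + t[0] + "#" + t[1] + " -> " + m.invoke(target, "demo"));
            } catch (SecurityException e) {
                System.out.println("DENY " + e.getMessage());
            }
        }
    }
}
```

An exact-match allowlist is used here instead of a denylist of known dangerous classes, because any class on the classpath with a parameterless constructor and a String-accepting method is otherwise reachable.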
Impact
Exploitation of this vulnerability allows for remote code execution on the server where Pig-Mesh is deployed.
Reproduction
To reproduce this vulnerability, first deploy Pig-Mesh version 3.8.2 or earlier on a server with Tomcat 10.1.31. After logging into the application, navigate to the Quartz management function under the system management module. Create a new scheduled task and set it to execute a Java class with a parameterless constructor, using a method that accepts String parameters. Once the task is created, execute it immediately. The malicious code execution can be confirmed by checking a DNSLog platform for the executed payload.
