Kingdee Cloud-Starry-Sky Enterprise Edition Freemarker Engine Remote Code Execution Vulnerability
Vulnerability
A critical remote code execution vulnerability has been identified in Kingdee Cloud-Starry-Sky Enterprise Edition versions 6.x, 7.x, 8.x, and 9.0. The issue arises in the Freemarker Engine component, specifically within the 'plugin.buildMobilePopHtml' function of the 'DynamicForm 4 Action.class' file. This vulnerability is due to improper neutralization of special elements in the template engine, allowing attackers to inject malicious code that is executed on the server. Exploitation of this vulnerability could lead to unauthorized access to sensitive data and control over the affected system, potentially facilitating further intranet penetration attacks.
Impact
Exploitation of this vulnerability allows for remote arbitrary code execution on the server where Kingdee Cloud-Starry-Sky is running. This could lead to unauthorized access to sensitive data and control over the system, with the possibility of conducting in-depth intranet penetration attacks.
Reproduction
The vulnerability can be reproduced by sending a crafted request to the 'plugin.buildMobilePopHtml' function within the Freemarker template engine. This can be done without authentication, as the vulnerability is present in the application's handling of user input in templates.
Remediation
Users are advised to upgrade to a version of Kingdee Cloud-Starry-Sky that includes the patch for this vulnerability. The fixed version is available on the Kingdee Update platform. When applying the patch, ensure that the option to 'allow repeated executions' is selected.
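The flaw class described above, shown as an added example that is not Kingdee's code and not part of the original advisory: request data compiled as Freemarker template source, beside the corrected pattern where it is only a data-model value. The class and method names are hypothetical, the probe input is constructed, and the sketch assumes FreeMarker 2.3.32 or later on the classpath; the advisory does not detail how 'plugin.buildMobilePopHtml' builds its template.

```java
import freemarker.core.HTMLOutputFormat;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;

// Added illustration; hypothetical names, not the vendor's implementation.
public class FreemarkerInjectionDemo {

    // Defence in depth: limits what a template can reach, but does not
    // make it safe to compile untrusted text as a template.
    static Configuration hardenedConfig() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_32);
        // The ?new built-in may not instantiate any class.
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        // Keep the ?api built-in disabled (this is also the default).
        cfg.setAPIBuiltinEnabled(false);
        // Auto-escape interpolated values as HTML.
        cfg.setOutputFormat(HTMLOutputFormat.INSTANCE);
        return cfg;
    }

    // Weak pattern: request data becomes template SOURCE, so any Freemarker
    // expression or directive inside it is evaluated on the server.
    static String renderUnsafe(Configuration cfg, String userInput) throws Exception {
        Template t = new Template("inline",
                new StringReader("<div>" + userInput + "</div>"), cfg);
        StringWriter out = new StringWriter();
        t.process(Map.of(), out);
        return out.toString();
    }

    // Corrected pattern: the template text is fixed by the application and
    // request data is passed only as a data-model VALUE.
    static String renderSafe(Configuration cfg, String userInput) throws Exception {
        Template t = new Template("fixed",
                new StringReader("<div>${title}</div>"), cfg);
        StringWriter out = new StringWriter();
        t.process(Map.of("title", userInput), out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = hardenedConfig();
        String probe = "${7*7}"; // constructed, harmless arithmetic probe
        System.out.println("unsafe: " + renderUnsafe(cfg, probe)); // expression is evaluated
        System.out.println("safe:   " + renderSafe(cfg, probe));   // expression stays literal text
    }
}
```

The restricted resolver narrows what an injected template can do, but only the second pattern removes the injection point; neither replaces the vendor patch.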
