Oracle Nashorn JavaScript Engine - <= 1.0
A remote code execution vulnerability has been identified in AutohomeCorp Frostmourne versions prior to 1.0. The issue lies in the alarm expression evaluation system: authenticated administrative users can inject arbitrary JavaScript through the alarm configuration interface, and the injected code is executed by the Oracle Nashorn JavaScript engine without any validation, leading to complete server compromise. The vulnerable code is in 'ExpressionRule.java', where the 'scriptEngine.eval' call receives the user-controlled 'EXPRESSION' argument.
Successful exploitation yields arbitrary code execution on the server, with the injected code running under the application server process; this can lead to a complete compromise of the server.
To reproduce this vulnerability, an authenticated administrative user must send a POST request to the '/save' endpoint with a crafted JavaScript payload in the 'EXPRESSION' field. Once the alarm rule is saved, the vulnerability can be exploited by triggering the alarm evaluation, which executes the injected JavaScript code via the Nashorn engine.
It is recommended to disable the expression evaluation feature or restrict it to read-only operations. Strict validation of the allowable expression syntax, both before storage and before execution, is essential. If script execution is necessary, use a proper sandbox such as the Java SecurityManager, or a dedicated scripting language with restricted capabilities.
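An added example of the allowlist validation recommended above, written for this page rather than taken from Frostmourne; the class, method and metric names are hypothetical, and the gate sits in front of the 'scriptEngine.eval' call at the point where the 'EXPRESSION' argument would otherwise reach it unchecked.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.script.ScriptEngine;
import javax.script.ScriptEngineManager;
import javax.script.ScriptException;
import javax.script.SimpleBindings;

// Hypothetical hardening of the alarm-expression path (not Frostmourne's code): the
// whole expression must pass an allowlist tokenizer before it reaches scriptEngine.eval.
public class AlarmExpressionGate {
    // Allowed tokens: numeric literals, comparison/boolean operators, parentheses and
    // bare identifiers (checked against METRICS). No '.', quotes, '[' or calls.
    private static final Pattern TOKEN = Pattern.compile(
        "\\s*(?:(\\d+(?:\\.\\d+)?)|(>=|<=|==|!=|>|<|&&|\\|\\||!|\\(|\\))|([A-Za-z_][A-Za-z0-9_]*))");
    // Constructed allowlist of metric names an alarm rule may reference.
    private static final Set<String> METRICS = Set.of("cpu_usage", "error_rate", "latency_ms");

    /** True only if the entire expression is a contiguous run of allowed tokens. */
    public static boolean isAllowed(String expression) {
        String expr = expression.trim();
        Matcher m = TOKEN.matcher(expr);
        int pos = 0;
        while (pos < expr.length()) {
            // Each token must begin exactly where the previous one ended.
            if (!m.find(pos) || m.start() != pos) return false;
            // Identifiers outside the allowlist are refused, so engine globals are unreachable.
            if (m.group(3) != null && !METRICS.contains(m.group(3))) return false;
            pos = m.end();
        }
        return !expr.isEmpty();
    }
    /** Evaluates an allowlisted expression with metric values bound in a fresh scope. */
    public static boolean fires(ScriptEngine engine, String expr, Map<String, Double> metrics) throws ScriptException {
        if (!isAllowed(expr)) throw new IllegalArgumentException("alarm expression rejected by allowlist");
        SimpleBindings bindings = new SimpleBindings();
        bindings.putAll(metrics);
        return Boolean.TRUE.equals(engine.eval(expr, bindings));
    }
    public static void main(String[] args) throws ScriptException {
        System.out.println(isAllowed("cpu_usage >= 90 && error_rate > 0.05")); // plain threshold rule
        System.out.println(isAllowed("latency_ms.toFixed"));                   // member access is not a token
        System.out.println(isAllowed("unknown_metric > 1"));                   // identifier not allowlisted
        // Nashorn ships with JDK 8-14; on newer JDKs this is null unless the standalone jar is present.
        ScriptEngine engine = new ScriptEngineManager().getEngineByName("nashorn");
        if (engine != null) {
            System.out.println(fires(engine, "cpu_usage >= 90", Map.of("cpu_usage", 95.0)));
        }
    }
}
```

The example relies on syntax allowlisting rather than the SecurityManager mentioned above, since the SecurityManager has been deprecated for removal since JDK 17 (JEP 411) and Nashorn itself was removed from the JDK in 15.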