O2OA NodeAgent Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in O2OA versions through 10.0. The issue arises from improper authorization in the NodeAgent component, specifically within the syncFile function of NodeAgent.java. This vulnerability allows unauthenticated attackers to exploit a weak authentication mechanism, leading to unauthorized command execution on the server.

Impact

Exploitation of this vulnerability allows for unauthenticated remote code execution on the server, with the executed commands running under the O2OA service account. This could lead to a full compromise of the application server, including the installation of persistent backdoors, theft of sensitive configuration and database credentials, tampering with application binaries, and destruction of data.

Reproduction

The vulnerability can be reproduced by sending an unauthenticated request to the NodeAgent public key endpoint, using the returned key to forge a credential that bypasses authentication, and then using the syncFile command to overwrite a startup script with a payload that executes a command on the server. Once the script runs, success can be confirmed by checking for the file the command creates.

Remediation

To address this vulnerability, replace the current NodeAgent trust model with a proper authentication mechanism that binds requests to server-side secrets or cryptographic signatures. Additionally, restrict NodeAgent exposure to trusted networks, constrain the syncFile command to safe paths, and remove or limit remote execution of commands that could run overwritten files.
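A hardening sketch of the two controls described above (request authentication bound to a server-side secret, and containment of syncFile targets), added here as an illustration only and not O2OA's own Java code. The secret, the sync root /opt/o2server/sync and the blocked-suffix list are assumed placeholders.

```python
import hashlib
import hmac
from pathlib import Path
from typing import Optional

# Constructed values for this illustration. In a real deployment the secret lives in
# protected server-side configuration and is never served over the network.
SERVER_SECRET = b"example-only-secret"
SYNC_ROOT = Path("/opt/o2server/sync").resolve()   # hypothetical allow-listed root
BLOCKED_SUFFIXES = {".sh", ".bat", ".cmd"}          # hypothetical: no startup scripts


def sign_request(secret: bytes, command: str, path: str, nonce: str) -> str:
    """HMAC-SHA256 over the fields that matter; without the secret it cannot be forged."""
    message = f"{command}\n{path}\n{nonce}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def is_authentic(secret: bytes, request: dict, seen_nonces: set) -> bool:
    """Reject replays and any signature that does not match the server-side secret."""
    if request["nonce"] in seen_nonces:
        return False
    expected = sign_request(secret, request["command"], request["path"], request["nonce"])
    if not hmac.compare_digest(expected, request["signature"]):
        return False
    seen_nonces.add(request["nonce"])
    return True


def safe_sync_target(root: Path, requested: str) -> Optional[Path]:
    """Resolve the requested path; allow it only inside root and only for non-script files."""
    candidate = (root / requested).resolve()   # absolute input replaces root, so check below
    try:
        candidate.relative_to(root)            # raises ValueError on traversal outside root
    except ValueError:
        return None
    if candidate.suffix.lower() in BLOCKED_SUFFIXES:
        return None
    return candidate


def handle_sync_file(request: dict, seen_nonces: set) -> str:
    """Authenticate first, then validate the target; return a verdict string."""
    if not is_authentic(SERVER_SECRET, request, seen_nonces):
        return "rejected: bad or replayed signature"
    target = safe_sync_target(SYNC_ROOT, request["path"])
    if target is None:
        return "rejected: target outside sync root or is a script"
    return f"accepted: {target}"
```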

Added: Apr 28, 2026, 8:00 PM
Updated: Apr 28, 2026, 8:00 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 10.0
exploitability: 9.1
remediation: 0.0
relevance: 6.9
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.