-
Notifications
You must be signed in to change notification settings - Fork 559
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RCE vulnerability #113
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Problem Description
Jupiter utilizes the Hessian protocol as a component of its RPC communication. However, this protocol presents security risks, as attackers can achieve Remote Code Execution (RCE) attacks by meticulously crafting serialized data.
Reproduce
Provider Side
We employed the built-in module "jupiter-example" of the project to set up the test environment for the attack. The JDK version used is 8u65.
The Malicious LDAP Server
POC
The code for sending client requests.
Utilizing the code from the org.jupiter.example.non.annotation.JupiterClient.java example, modify the transmitted data to be carefully designed serialized data (Line 67).
Attack Impact
Capable of executing an RCE attack, in this attack test, it is demonstrated through the launch of the calculator application.
The text was updated successfully, but these errors were encountered: