
Java template framework Pebble vulnerable to command injection

Java templating engine Pebble was vulnerable to a bug that could allow attackers to bypass its security mechanisms and conduct command injection attacks against host servers.

Pebble Templates is convenient because of its easy-to-use templating system for web applications, internationalization capabilities, and security features such as auto-escaping and a block-list method access validator that prevents command execution attacks.

However, according to the findings of a security researcher, Pebble’s command execution defense can be bypassed with carefully crafted code and template files.

Bypassing Pebble security

The bypass works when Pebble is used in combination with Spring, a popular Java application framework. Many Spring classes are registered as beans, which enables them to be loaded dynamically at runtime.

Using the Java beans engine, the attacker can load one of the Spring objects that supports class loading.

The attacker then uses Jackson, a data-parsing library, to read an XML file that contains the specification of a class to instantiate and a function to run. This provides the attacker with a window to run arbitrary code on the server.

In a proof of concept, the researcher used a Pebble template to load an XML file from the web and instantiate a Java class that supports running system commands on the server.

No easy fix yet

The bug report has sparked conversation on GitHub. Since the vulnerability has been assigned a CVE, it is triggering security alerts in corporate systems that depend on the current version of Pebble.

The developers are working on a fix, but since it is a community-driven project, it is not clear when it will be released. The maintainers have provided a few workarounds to secure projects in the meantime.

It is worth noting that to exploit the bug, an attacker would need to have a way to upload a malicious Pebble template on the server. Therefore, one defense measure would be to harden security checks on user-provided content and restrict template uploads.

The Daily Swig has reached out to the maintainers of Pebble and will update this post if and when we hear back.

Source: https://portswigger.net/daily-swig/java-template-framework-pebble-vulnerable-to-command-injection
