Java templating engine Pebble was vulnerable to a bug that could allow attackers to bypass its security mechanisms and conduct command injection attacks against host servers.
Pebble Templates is convenient because of its easy-to-use templating system for web applications, internationalization capabilities, and security features such as auto-escaping and a block-list method access validator that prevents command execution attacks.
However, according to the findings of a security researcher, Pebble’s command execution defense can be bypassed with carefully crafted code and template files.
Bypassing Pebble security
The bypass works when Pebble is used in combination with Spring, a popular Java application framework. Many Spring classes are registered as beans, which enables them to be loaded dynamically at runtime.
Using the Java beans engine, the attacker can load one of the Spring objects that supports class loading.
The attacker then uses Jackson, a data-parsing library, to read an XML file that contains the specification of a class to instantiate and a function to run. This gives the attacker a window to run arbitrary code on the server.
In a proof of concept, the researcher used a Pebble template to load an XML file from the web and instantiate a Java class that supports running system commands on the server.