
How to do Spring Data Commons RCE Analysis

2025-01-23 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)05/31 Report--

Many newcomers are not clear on how to analyze the Spring Data Commons RCE. To help with that, this article walks through the analysis in detail; anyone who needs it is welcome to follow along, and I hope you gain something from it.

Spring Data is an open source framework that simplifies database access and supports cloud services; its main goal is to make database access easy and fast. Spring Data Commons is the base framework shared by all Spring Data sub-projects. The core of Spring is inversion of control (IoC) and aspect-oriented programming (AOP). By way of comparison, most security vulnerabilities in the Struts 2 framework are caused by OGNL, and since Spring introduced SpEL it has likewise been the source of many security vulnerabilities. Today we use Spring Data Commons (CVE-2018-1273) as a case study.

01 Vulnerability description

Spring Data Commons (versions 1.13 to 1.13.10, 2.0 to 2.0.5, and older unsupported versions) contains a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote attacker can supply specially crafted request parameters to HTTP resources backed by Spring Data REST, or use Spring Data's projection-based request payload binding, to achieve remote code execution.

02 Source code analysis

The Spring MVC framework processes the request from the front-end page and encapsulates the request data into method arguments. Handling of the front-end request itself is not covered in detail; we focus on the data encapsulation, because that is where the Spring Data Commons framework has its vulnerability. Open the org.springframework.web.method.support.InvocableHandlerMethod class and go to the getMethodArgumentValues method, as shown in the following figure:

As shown in the red box in the figure above, resolveArgument further processes the request parameters and enters the resolveArgument method of the org.springframework.web.method.support.HandlerMethodArgumentResolverComposite class, as shown in the following figure:

Because this resolveArgument method contains no interesting logic of its own, navigate to the resolver.resolveArgument line and follow it into the resolveArgument method of the org.springframework.web.method.annotation.ModelAttributeMethodProcessor class, as shown in the following figure:

Go to line 132 of the resolveArgument method, as shown in the following figure; this is where the attribute instance is created and the actual data binding is performed.

Enter the createAttribute method of the org.springframework.data.web.ProxyingHandlerMethodArgumentResolver class, and the MapDataBinder class is called in the createAttribute method to bind the incoming data.

Navigate to the binder.bind statement and follow it into the bind method to see the concrete implementation; this leads to the bind method of the org.springframework.web.bind.WebDataBinder class, as shown in the following figure:

Because the WebDataBinder class inherits from DataBinder, the super.doBind statement passes the parameters to the doBind method of the DataBinder class, as shown in the following figure. In this method, the first two statements are checks, and the applyPropertyValues method holds the actual processing logic.

Enter the applyPropertyValues method of the org.springframework.validation.DataBinder class, as shown in the following figure:

As shown in the above figure, continue to the setPropertyValues method of the org.springframework.beans.AbstractPropertyAccessor class, as shown in the following figure:

Navigate to line 97 of the method, as shown in the following figure:

Enter the setPropertyValue method, as shown in the following figure:

Continue tracing into the setPropertyValue method of the org.springframework.data.web.MapDataBinder class, as shown in the following figure:

The parameters coming in from the front end are processed in this setPropertyValue method; locate line 182 of setPropertyValue, as shown in the following figure:

Line 182 uses a Spring SpEL expression to process the external parameter without validating it, so line 182 as shown is the injection point of the vulnerability.
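The following is an added illustration of the pattern traced above, not the MapDataBinder source itself: each request parameter name is parsed as a SpEL expression and used as a write target, so whether that is dangerous depends entirely on the EvaluationContext the binder hands to SpEL. The Person and Address beans, the sample parameter maps and the PLAIN_PATH check are constructed for this demo; the vulnerable form uses StandardEvaluationContext (full SpEL), the hardened form whitelists the parameter name as a plain dotted path and then binds through SimpleEvaluationContext, the restricted context Spring Framework introduced (4.3.15 / 5.0.5) for data-binding use.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class PropertyPathBindingDemo {

    /** Constructed target beans; the binder writes request parameters into them. */
    public static class Address {
        private String city;
        public String getCity() { return city; }
        public void setCity(String city) { this.city = city; }
    }

    public static class Person {
        private String name;
        private Address address = new Address();
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public Address getAddress() { return address; }
        public void setAddress(Address address) { this.address = address; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Hypothetical allow-list: identifiers separated by dots and nothing else.
    private static final Pattern PLAIN_PATH =
            Pattern.compile("[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*)*");

    /**
     * The pattern the article traces: every parameter NAME is parsed as a SpEL
     * expression and the parameter VALUE is written through it. Nothing here
     * checks the name; the EvaluationContext decides what the path may do.
     */
    static void bind(EvaluationContext ctx, Map<String, String> params) {
        for (Map.Entry<String, String> e : params.entrySet()) {
            PARSER.parseExpression(e.getKey()).setValue(ctx, e.getValue());
        }
    }

    /** Vulnerable shape: StandardEvaluationContext lets the path call methods, reference types, etc. */
    static Person bindUnsafe(Map<String, String> params) {
        Person target = new Person();
        bind(new StandardEvaluationContext(target), params);
        return target;
    }

    /** Hardened shape: reject anything that is not a dotted path, then bind with
     *  a context that supports only property read/write (no method calls, no T()). */
    static Person bindSafe(Map<String, String> params) {
        for (String key : params.keySet()) {
            if (!PLAIN_PATH.matcher(key).matches()) {
                throw new IllegalArgumentException("rejected parameter name: " + key);
            }
        }
        Person target = new Person();
        EvaluationContext ctx = SimpleEvaluationContext.forReadWriteDataBinding()
                .withRootObject(target)
                .build();
        bind(ctx, params);
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample input 1: an ordinary form post, accepted by both binders.
        Map<String, String> benign = new LinkedHashMap<>();
        benign.put("name", "alice");
        benign.put("address.city", "Oslo");
        System.out.println("safe binder, benign input -> city=" + bindSafe(benign).getAddress().getCity());

        // Constructed sample input 2: a parameter name that is a method call, not a property path.
        // The harmless getter stands in for the arbitrary code a full SpEL context would run.
        Map<String, String> suspicious = new LinkedHashMap<>();
        suspicious.put("getAddress().city", "Oslo");
        System.out.println("unsafe binder executed the call in the name -> city="
                + bindUnsafe(suspicious).getAddress().getCity());
        try {
            bindSafe(suspicious);
        } catch (IllegalArgumentException | SpelEvaluationException ex) {
            System.out.println("safe binder refused: " + ex.getMessage());
        }
    }
}
```

The two layers are independent: even if the PLAIN_PATH check were absent, SimpleEvaluationContext has no method resolvers or type locator, so the method-call name throws a SpelEvaluationException instead of executing, while plain property navigation such as address.city still binds normally. The allow-list is cheap and gives a clear rejection message, which is also a convenient place to log the offending parameter name for detection.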

03 Vulnerability reproduction

Capture the packets passed to the backend from the front end, as shown in the following figure:

Construct the payload, as shown in the following figure:

The response result is shown in the following figure:

04 Summary and fix

This vulnerability lies in Spring Data Commons: front-end parameters are passed to the back end, where the framework processes the unchecked, potentially malicious strings as SpEL expressions. It is therefore recommended to restrict access with an IP whitelist, or to upgrade the framework to the latest version.
