Vulnerability Mining: Spring Cloud injection vulnerability

Vulnerability description

The Spring framework provides a comprehensive programming and configuration model for modern Java-based enterprise applications (on any type of deployment platform).

The apply method of the RoutingFunction class in Spring Cloud Function (part of the Spring Cloud service framework) processes the spring.cloud.function.routing-expression parameter in the request header as a SpEL expression, causing SpEL expression injection, which allows attackers to execute arbitrary code.

Affected versions

3.0.0.RELEASE <= Spring Cloud Function <= 3.2.2

Environment setup

Create a new Spring Boot project on the official website (https://start.spring.io/) and open it in IDEA.

Modify the pom.xml configuration file

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.6.5</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>demo</name>
    <description>Demo project for Spring Boot</description>
    <properties>
        <java.version>17</java.version>
        <spring-cloud.version>2021.0.1</spring-cloud.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-function-context</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-task</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>

        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-function-webflux</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-function-dependencies</artifactId>
            <version>3.2.2</version>
            <type>pom</type>
        </dependency>

        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-function-web</artifactId>
            <version>3.2.2</version>
        </dependency>
    </dependencies>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>${spring-cloud.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

Finally, visit http://127.0.0.1:8080. The following page indicates that the application started successfully.


Vulnerability reproduction

Vulnerability principle

The apply method parses the SpEL expression taken from the HTTP header, resulting in SpEL expression injection.

View the official diff

Open the org.springframework.cloud.function.context.config.RoutingFunction class. Enter debug mode and add breakpoints to the apply() method.

After entering apply(), it calls route(). This method checks whether the input is an instance of Message and whether the function is empty, then enters the else-if branch that reads the header information and gets the value of the spring.cloud.function.routing-expression key, checking that the value is not blank. Then continue down.

You will then enter the RoutingFunction.functionFromExpression() method.

routingExpression is passed as a parameter into org.springframework.expression.common.TemplateAwareExpressionParser.parseExpression().

Before entering, it checks whether the parser context is null.

org.springframework.expression.spel.standard.SpelExpressionParser.doParseExpression() creates a new InternalSpelExpressionParser and calls its doParseExpression(); follow up into it.

In org.springframework.expression.spel.standard.InternalSpelExpressionParser.doParseExpression(), the Tokenizer's process() method splits the expression string into tokens; each token is examined and parsing continues down.

A new SpelExpression is then constructed; follow up into org.springframework.expression.spel.standard.SpelExpression.SpelExpression().

In the SpelExpression() constructor, the expression string is assigned to this.expression. Continue following up: return to org.springframework.expression.spel.standard.SpelExpressionParser.doParseExpression(), return to org.springframework.expression.common.TemplateAwareExpressionParser.parseExpression(), and return to org.springframework.cloud.function.context.config.RoutingFunction.functionFromExpression().

In functionFromExpression(), MessageUtils.toCaseInsensitiveHeadersStructure() is entered.

It calls MessageStructureWithCaseInsensitiveHeaderKeys() and enters the putAll() method to get the header information from the message.

Finally, execution reaches the vulnerability trigger point.
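Two defender-side checks for the call chain walked through above, as an added example that is not part of the original post or of Spring Cloud Function: a pom.xml scanner that reports pinned spring-cloud-function artifacts in the affected range 3.0.0.RELEASE to 3.2.2, and a header scanner that flags any inbound request carrying spring.cloud.function.routing-expression, which in most deployments should never arrive from an untrusted client. The sample pom and header lines are constructed for the demo and modelled on the pom.xml shown earlier.

```python
import re
import xml.etree.ElementTree as ET

# Affected range stated in the post: 3.0.0.RELEASE <= Spring Cloud Function <= 3.2.2
AFFECTED_MIN, AFFECTED_MAX = (3, 0, 0), (3, 2, 2)
ROUTING_HEADER = "spring.cloud.function.routing-expression"
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def parse_version(text):
    """'3.2.2' or '3.0.0.RELEASE' -> (3, 2, 2); unpinned '${...}' values -> None."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(version_text):
    v = parse_version(version_text)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX

def scan_pom(pom_xml):
    """Return [(artifactId, version)] for pinned spring-cloud-function artifacts in range."""
    root = ET.fromstring(pom_xml)
    hits = []
    for dep in root.iter("{%s}dependency" % POM_NS["m"]):
        art = dep.findtext("m:artifactId", default="", namespaces=POM_NS)
        ver = dep.findtext("m:version", default="", namespaces=POM_NS)
        if art.startswith("spring-cloud-function") and is_affected(ver):
            hits.append((art, ver))
    return hits

def flag_requests(header_lines):
    """Return the values of routing-expression headers found in 'Name: value' lines.
    The header is a server-side routing hint, so its presence from outside is the signal."""
    flagged = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == ROUTING_HEADER:  # header names are case-insensitive
            flagged.append(value.strip())
    return flagged

# Constructed sample pom (not the real project file): one in-range pin, one fixed, one unpinned.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><artifactId>spring-cloud-function-web</artifactId><version>3.2.2</version></dependency>
  <dependency><artifactId>spring-cloud-function-context</artifactId><version>3.2.3</version></dependency>
  <dependency><artifactId>spring-cloud-starter</artifactId><version>${spring-cloud.version}</version></dependency>
</dependencies></project>"""

# Constructed request headers: the second line is what a WAF or reverse proxy should flag.
SAMPLE_HEADERS = [
    "Host: 127.0.0.1:8080",
    "Spring.Cloud.Function.Routing-Expression: payload.type == 'order'",
]
```

Run scan_pom(SAMPLE_POM) against a real pom to find in-range pins, and feed flag_requests() with access-log or proxy header captures to spot the header reaching the application from outside.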

Vulnerability testing

The payload can be constructed by referring to the official test case.

This time, we test by creating a file, using the payload touch /tmp/xxxxxx as the test.

Tags: security Cyber Security Web Security

Posted by renny on Thu, 14 Apr 2022 19:51:13 +0930