[web security] Spring Data Commons 1.13.10 SpEL vulnerability analysis

1. Introduction

Spring Data is an open source framework for simplifying database access and supporting cloud services. Spring Data Commons is the basic framework shared by all sub-projects under Spring Data. In Spring Data Commons 2.0.5 and earlier versions, there is a SpEL expression injection vulnerability. Attackers can inject malicious SpEL expressions to execute arbitrary commands. The vulnerability number is CVE-2018-1273.

​ This vulnerability occurs in the attribute automatic binding stage. When the user uses the relevant Web features of Spring Data to automatically match the user's input parameters in the project, the key value of the Form submitted by the user is used as the execution content of SpEL. , using this feature, sending a payload may lead to remote code execution.

2. The affected version

• Spring Data Commons 1.13 to 1.13.10 (Ingalls SR10)
• Spring Data REST 2.6 to 2.6.10 (Ingalls SR10)
• Spring Data Commons 2.0 to 2.0.5 (Kay SR5)
• Spring Data REST 3.0 to 3.0.5 (Kay SR5)
• Older unsupported versions are also affected

3. Environment Construction

The Spring Data Commons test version used is 1.13.10

The construction effect is as follows:

Fourth, the vulnerability recurrence

[→Follow me for all resources, and reply to "data" by private message to get ←]
1. Network security learning route
2. E-books (white hat)
3. Internal video of a big security company4,
100 src documents5
, common security interview questions6
, Analysis of the classic topics of the ctf competition
7, a full set of toolkits
8, emergency response notes

1. Send form form (including key-value) with Post request
2. Include Payload in the name of the key
3. The submitted key name has been implemented in the Controller with getName()
4. Add a SPEL code snippet after the key.

example：name[T(java.lang.Runtime).getRuntime().exec(“calc”)]

The vulnerability reproduction effect is shown in the following figure:

V. Vulnerability Principle

​ Find the vulnerable code segment, locate spring-data-commons-1.13.10.RELEASE.jar!org.springframework.data.web.ProxyingHandlerMethodArgumentResolver.class#createAttribute(), the program error passes the user input to the MapDataBinder.bind method.

Malicious data is brought in, and the effect is shown in the following figure:

When the user uses the [] nested attribute syntax, the program parses the SPEL expression in [] and obtains the attribute (characteristic), so the attacker can inject malicious SpEL expression to execute arbitrary commands.

​ Feature: Filter the passing grades by certain rules and construct another set syntax: "(list|map).? [select expression]" The result of the selection expression must be of type boolean, if true, the selected element will be added to a new collection, false will not be added to the new collection.

Parse the SPEL expression, and the effect is shown in the following figure:

6. POC structure

​ In actual combat, the Fuzz field is required, look for the automatic attribute field. In the experiment, the Controller code Account.name has used the Spring default constructor property String getName(). Therefore, name is selected as the injection parameter.

Using the [] nested attribute syntax, the program parses the SPEL expression in [] and gets the attribute, so the POC tries name[T(java.util.Arrays).toString(T(java.nio.file.Files).list( T(java.nio.file.Paths).get('d:\i4Tools7')).toArray())]

​ However, the Response page reports an error and there is no echo point, so this kind of file reading POC cannot verify the existence of the vulnerability and cannot verify that the code is successfully executed.

​ Try to use DNSLOG to verify that the execution is successful, so the POC is adjusted to, as shown in the burp diagram.

Verify that DNSLOG is out of the network, the effect is as shown in the following figure:

Seven, repair method

​ Set org.springframework.boot in pom.xml to version 1.13.11 or later.

The patch replaces StandardEvaluationContext with SimpleEvaluationContext.

Because SimpleEvaluationContext does not include Java type references, constructors and bean references, it is more secure.

Patch repair, the effect is as shown below:

8. Summary

​ In auditing, you can use keywords to speed up progress, such as org.springframework.expression.spel.standard, expression.getValue(), expression.setValue(), StandardEvaluationContext.

​ SPEL expressions are more flexible, which can be well adapted to the "often changing" part of the business, which can be "business rules" or "different data processing logic". SpEL's T{} expressions are flexible With the characteristics of reflection, it is more convenient to not need additional packages in the Spring environment. Common SPEL implementations of resource injection include: calling various resources, including common files, URLs, configuration files, system environment variables, and using pre-defined templates to obtain or set the attribute value of the specified attribute name in an object.

​ Developers who use Spel technology in their projects usually have a higher programming level. It is precisely this kind of clever application that makes the vulnerabilities more concealed and it is difficult to achieve consistent repairs. Security personnel need to be patient enough to find and check the completion of the repairs.