0x0 background

Spring Cloud Function is a function-as-a-service (FaaS) framework built on Spring Boot. When dynamic routing (functionRouter) is enabled, the HTTP request header spring.cloud.function.routing-expression is subject to SpEL expression injection, and this vulnerability allows an attacker to perform remote command execution. The main affected versions are:
3.0.0.RELEASE <= Spring Cloud Function <= 3.2.2

0x1 Local environment construction

A brief word on the FaaS delivery model: it fits very well with the microservice architecture under the container-security scenario studied earlier. In the past most environments were delivered as virtual machines, which gradually evolved into VPS, then containers, then APIs, and now function as a service, so that assets are used more fully. To reproduce this locally, a JDK 1.8 environment is used and the IDE is IntelliJ IDEA, in which the vulnerable environment is built.

First, create a project and choose Spring Initializr. The Java environment needs to be configured in advance so that tools.jar and dt.jar are available when the project is built later.

For dependencies, two key items are selected here: Function and Spring Web.

The related configuration can be adjusted in pom.xml. The project shows that the dependent component version is 3.2.2, which is a vulnerable version, so the project can be started directly with no further modification.

0x2 POC Reproduction and analysis

The project needs to be built and then run; the startup output can be seen in the console. By default the embedded Tomcat container starts on port 8080.

The service can be accessed directly from a web browser; here Postman is used for the interface test. Reading the PoC, the exploitation method is quite simple: add a spring.cloud.function.routing-expression header to the request, and Spring Cloud Function carries the header content directly into a SpEL query, which causes SpEL injection.

On the web side, the framework first checks whether the current request targets the RoutingFunction. Once confirmed, it assembles the submitted request headers and body into a Message and passes it to the apply method of FunctionInvocationWrapper. Looking up the corresponding method in RoutingFunction.class and locating line 80, you can see that this method mainly forwards the content of the Message.

Stepping in with F7, you can see the malicious content reach `Expression expression = this.spelParser.parseExpression(routingExpression)`, where it is parsed and executed, resulting in the expression injection risk.

Because such an attack allows arbitrary commands to be executed remotely, the degree of harm is high, and many developers, lacking security awareness, expose a newly built project and have their data attacked directly. However, this class of attack generally produces no echo in the response, so an attacker has to rely on a DNSLOG-style service or use the RCE to carry out a next-step payload, such as a reverse shell.

At the traffic level the attack itself is relatively easy to identify; what is harder is identifying whether an attack succeeded. That can only be done by monitoring the subsequent network behaviour and correlating it causally with the request context.
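As an added illustration of the traffic-level check described above (not code from the original post), the following triage parses raw HTTP request records and flags any request carrying the routing-expression header, raising the severity when the expression contains constructs a legitimate routing expression never needs. The request ids, endpoint path and header values are constructed samples.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Header name the vulnerability is reached through (from the write-up).
ROUTING_HEADER = "spring.cloud.function.routing-expression"

# SpEL constructs that plain routing (e.g. headers['x-function']) does not use:
# type references T(...), constructor calls, and java.lang.* references.
SUSPICIOUS = re.compile(r"\bT\s*\(|\bnew\s+[\w.]+\s*\(|java\.lang\.|getRuntime")


@dataclass
class Finding:
    request_id: str
    severity: str   # "review" = header present, "high" = suspicious SpEL constructs
    expression: str


def parse_request(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.1 request into its request line and a lower-cased header map.
    Header names are case-insensitive, so a differently cased header is not a bypass."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def triage(requests: dict[str, str]) -> list[Finding]:
    """Return one Finding per request that carries the routing-expression header."""
    findings: list[Finding] = []
    for rid, raw in requests.items():
        _, headers = parse_request(raw)
        expr = headers.get(ROUTING_HEADER)
        if expr is None:
            continue
        severity = "high" if SUSPICIOUS.search(expr) else "review"
        findings.append(Finding(rid, severity, expr))
    return findings


# Constructed sample traffic: a plain call, a legitimate header-based route, and an injection attempt.
SAMPLE_REQUESTS = {
    "r1": "POST /functionRouter HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nContent-Type: text/plain\r\n\r\nhello",
    "r2": "POST /functionRouter HTTP/1.1\r\nHost: 127.0.0.1:8080\r\n"
          "spring.cloud.function.routing-expression: headers['x-function']\r\nx-function: uppercase\r\n\r\nhello",
    "r3": "POST /functionRouter HTTP/1.1\r\nHost: 127.0.0.1:8080\r\n"
          "Spring.Cloud.Function.Routing-Expression: T(java.lang.System).getProperty('os.name')\r\n\r\nhello",
}
```

A "high" finding only shows that an attempt was made; as the text notes, confirming success still requires correlating later outbound connections from the host with the request.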

0x3 repair

The impact in the domestic sector is relatively small, since FaaS is not yet in large-scale use. The official component provides SpEL expression parsing capability, but no EvaluationContext was specified, so the default StandardEvaluationContext is used, and this is what leads to command execution. The specific remediation is to upgrade Spring Cloud Function to 3.2.3.
