
CVE-2022-41923 PoC — Grails Security Vulnerability

Source
Associated Vulnerability
Title: Grails Security Vulnerability (CVE-2022-41923)
Description: Grails is an open-source framework from the Grails project, built on the Groovy programming language, for rapid development of web applications. Grails Spring Security Core contains a security vulnerability that stems from susceptibility to privilege escalation. The following products and versions are affected: grails-spring-security-core versions 1.x through 3.0.0, 3.0.0 up to (but not including) 3.3.2, 3.3.2 through 4.0.0, 4.0.0 up to (but not including) 4.0.5, 4.0.5 through 5.0.0, and 5.0.0 up to (but not including) 5.1.1.
Readme
# Workaround for CVE-2022-41923: Privilege Management Vulnerability

## Summary 

The vulnerability [CVE-2022-41923](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41923)
found in the unpatched Grails Spring Security Core (GSSC) plugin can result in
[improper privilege management](https://cwe.mitre.org/data/definitions/269.html).
This repository describes how to work around the issue.

If you are using an unpatched version of the plugin, we highly recommend that you upgrade to a patched version.
If you are unable to upgrade immediately, we encourage you to implement the workaround described in this document.
_This is especially important if you are using GSSC plugin version 2.x, as no patch is available for version 2.x._

## Preparation

In order to correctly configure the workaround, you need to know:

* The version of the GSSC plugin your application uses. Look for the version number in your `build.gradle` file
  (for Grails 2.x, look in the `BuildConfig.groovy` file instead).

* What security configuration type you are using: that is, the configuration value for
  `grails.plugin.springsecurity.securityConfigType` 
 
| Config Value           | Documentation Reference                                                                                            |
|------------------------|--------------------------------------------------------------------------------------------------------------------|
| `Annotation` (default) | [Secured Annotations](https://grails.github.io/grails-spring-security-core/latest/index.html#securedAnnotations)   |
| `InterceptUrlMap`      | [Static Map](https://grails.github.io/grails-spring-security-core/latest/index.html#configGroovyMap)               |
| `Requestmap`           | [Requestmap Instances](https://grails.github.io/grails-spring-security-core/latest/index.html#requestmapInstances) |

Note: In all the instructions and configuration below, the `demo` package is used.
Change this package appropriately for your application and the location you place the patched source files.

## Workaround for GSSC Plugin (versions 3.x - 5.x)

Determine the workaround class you need based on your security configuration type.

| Config Value      | Workaround Class                                   |
|-------------------|----------------------------------------------------|
| `Annotation`      | `PatchedAnnotationFilterInvocationDefinition`      |
| `InterceptUrlMap` | `PatchedInterceptUrlMapFilterInvocationDefinition` |
| `Requestmap`      | `PatchedRequestmapFilterInvocationDefinition`      |

Copy the corresponding source file into your `src/main/groovy` source tree.

Finally, add the following configuration to your `application.groovy` config file,
replacing `PatchedAnnotationFilterInvocationDefinition` with the needed workaround class.

```groovy
grails.plugin.springsecurity.objectDefinitionSourceBeanClass = 'demo.PatchedAnnotationFilterInvocationDefinition'
```
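To confirm the workaround was applied consistently (the configured bean class matches the `securityConfigType`, and the patched source file is actually in the source tree), here is an added Python check script; it is not part of the repository, and assumes the flat `application.groovy` setting form shown above plus the standard Grails 3.x-5.x project layout.

```python
import re
from pathlib import Path

# Mapping from the README's table: securityConfigType -> workaround class
WORKAROUND_CLASS = {
    "Annotation": "PatchedAnnotationFilterInvocationDefinition",
    "InterceptUrlMap": "PatchedInterceptUrlMapFilterInvocationDefinition",
    "Requestmap": "PatchedRequestmapFilterInvocationDefinition",
}
# Flat "grails.plugin.springsecurity.<name> = '<value>'" lines as used in application.groovy
_SETTING = re.compile(r"""grails\.plugin\.springsecurity\.(\w+)\s*=\s*['"]([^'"]+)['"]""")

def parse_security_settings(config_text):
    """Return {setting_name: value} for the flat-style plugin settings in a Groovy config."""
    return {m.group(1): m.group(2) for m in _SETTING.finditer(config_text)}

def check_workaround(config_text, source_files):
    """Return findings (empty list == consistent). source_files are paths relative to src/main/groovy."""
    settings = parse_security_settings(config_text)
    config_type = settings.get("securityConfigType", "Annotation")  # Annotation is the plugin default
    expected = WORKAROUND_CLASS.get(config_type)
    if expected is None:
        return [f"unrecognised securityConfigType {config_type!r}"]
    bean_class = settings.get("objectDefinitionSourceBeanClass")
    if bean_class is None:
        return [f"objectDefinitionSourceBeanClass not set; expected <package>.{expected}"]
    package, _, simple = bean_class.rpartition(".")
    findings = []
    if simple != expected:
        findings.append(f"bean class {simple} does not match securityConfigType {config_type} (expected {expected})")
    src_path = (package.replace(".", "/") + "/" if package else "") + simple + ".groovy"
    if src_path not in set(source_files):
        findings.append(f"source file {src_path} not found under src/main/groovy")
    return findings

def scan_project(project_root):
    """Run the check against a real Grails 3.x-5.x project directory (application.groovy + src/main/groovy)."""
    root = Path(project_root)
    config_text = (root / "grails-app/conf/application.groovy").read_text()
    src_root = root / "src/main/groovy"
    sources = [p.relative_to(src_root).as_posix() for p in src_root.rglob("*.groovy")]
    return check_workaround(config_text, sources)

# Constructed sample inputs (not taken from the repository)
GOOD_CONFIG = """
grails.plugin.springsecurity.securityConfigType = 'InterceptUrlMap'
grails.plugin.springsecurity.objectDefinitionSourceBeanClass = 'demo.PatchedInterceptUrlMapFilterInvocationDefinition'
"""
BAD_CONFIG = GOOD_CONFIG.replace("InterceptUrlMap'", "Requestmap'", 1)  # type changed, bean class left stale
SOURCES = ["demo/PatchedInterceptUrlMapFilterInvocationDefinition.groovy"]
```

Call `scan_project("/path/to/app")` on a real project; a non-empty result lists what still needs fixing.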

## Workaround for GSSC Plugin (version 2.x)

As above, determine the workaround class you need based on your security configuration type.
Copy the corresponding source file into your `src/groovy` source tree.
Then edit your bean configuration based on your application's security configuration type.

#### Security Config Type: Annotation

If using security configuration type `Annotation`, edit the `grails-app/conf/spring/resources.groovy` to include:
```groovy
import demo.PatchedAnnotationFilterInvocationDefinition
import grails.plugin.springsecurity.SpringSecurityUtils

beans = {
    def conf = SpringSecurityUtils.securityConfig
    // Override the plugin's objectDefinitionSource bean with the patched class
    objectDefinitionSource(PatchedAnnotationFilterInvocationDefinition) {
        application = ref('grailsApplication')
        grailsUrlConverter = ref('grailsUrlConverter')
        responseMimeTypesApi = ref('responseMimeTypesApi')
        boolean lowercase = conf.controllerAnnotations.lowercase
        if (conf.rejectIfNoRule instanceof Boolean) {
            rejectIfNoRule = conf.rejectIfNoRule
        }
    }

    // ... existing bean configuration ...
}
```

#### Security Config Type: Static Map

If using security configuration type `InterceptUrlMap`, edit the `grails-app/conf/spring/resources.groovy` to include:
```groovy
import demo.PatchedInterceptUrlMapFilterInvocationDefinition
import grails.plugin.springsecurity.SpringSecurityUtils

beans = {
    def conf = SpringSecurityUtils.securityConfig
    // Override the plugin's objectDefinitionSource bean with the patched class
    objectDefinitionSource(PatchedInterceptUrlMapFilterInvocationDefinition) {
        if (conf.rejectIfNoRule instanceof Boolean) {
            rejectIfNoRule = conf.rejectIfNoRule
        }
    }

    // ... existing bean configuration ...
}
```

#### Security Config Type: Requestmap Instances

If using security configuration type `Requestmap`, edit the `grails-app/conf/spring/resources.groovy` to include:
```groovy
import demo.PatchedRequestmapFilterInvocationDefinition
import grails.plugin.springsecurity.SpringSecurityUtils

beans = {
    def conf = SpringSecurityUtils.securityConfig
    // Override the plugin's objectDefinitionSource bean with the patched class
    objectDefinitionSource(PatchedRequestmapFilterInvocationDefinition) {
        if (conf.rejectIfNoRule instanceof Boolean) {
            rejectIfNoRule = conf.rejectIfNoRule
        }
    }

    // ... existing bean configuration ...
}
```

## More Information

For additional information on this vulnerability, please see the
[Grails blog post](https://grails.org/blog/2022-11-22-ss-plugin-auth-cve.html).

Discussion and questions can be directed to this Grails Spring Security Core plugin
[issue on GitHub](https://github.com/grails/grails-spring-security-core/issues/844).
File Snapshot (0 directories, 4 files)

* `PatchedAnnotationFilterInvocationDefinition.groovy` (847 bytes)
* `PatchedInterceptUrlMapFilterInvocationDefinition.groovy` (862 bytes)
* `PatchedRequestmapFilterInvocationDefinition.groovy` (847 bytes)
* `README.md` (5.5K)