Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2016-1000027 PoC — Vmware Spring Framework 代码问题漏洞

Source
https://github.com/artem-smotrakov/cve-2016-1000027-poc
Associated Vulnerability
Title:Vmware Spring Framework 代码问题漏洞 (CVE-2016-1000027)
Description:Vmware Spring Framework是美国威睿(Vmware)公司的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。 Pivotal Software Spring Framework 4.1.4版本中存在安全漏洞。攻击者可利用该漏洞执行代码。
Description
PoC for CVE-2016-1000027
Readme
# PoC for CVE-2016-1000027

This is a demo Spring Boolt application that is affected by [CVE-2016-1000027](https://nvd.nist.gov/vuln/detail/CVE-2016-1000027).

# Steps to reproduce the vulnerability

1. Start a vulnerable server `com.gypsyengineer.server.Server`.
2. Run `com.gypsyengineer.client.Exploit`.

The [`Exploit`](client/src/main/java/com/gypsyengineer/client/Exploit.java) class reads `payload.bin` and sends it to the vulnerable server.
`payload.bin` contains a payload generated by [ysoserial](https://github.com/frohoff/ysoserial).
The current `payload.bin` is `CommonsCollections5` that runs `gedit`:

```
java -jar target/ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections5 gedit > payload.bin
```

# How to fix an application that is affected by CVE-2016-1000027

The issue has not been fixed in Spring Framework. See https://github.com/spring-projects/spring-framework/issues/24434

Here is what can be done on application side.

1. The best way is to stop using `HttpInvokerServiceExporter` and `RemoteInvocationSerializingExporter` classes.
   They are already deprecated and will likely be remove in next versions of Spring Framework.
2. Do not accept untrusted data in the endpoints that are based on these vulnerable classes.
3. Use serialization filters that were introduced by JEP 290.

# Links

1.  [[R2] Pivotal Spring Framework HttpInvokerServiceExporter readRemoteInvocation Method Untrusted Java Deserialization](https://www.tenable.com/security/research/tra-2016-20)
1.  [OWASP: Deserialization of untrusted data](https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data)
1.  The application is based on [this](https://github.com/eugenp/tutorials/tree/master/spring-remoting/remoting-http).
File Snapshot

 [4.0K]  /data/pocs/f5566a22ffce523a426ab48a1f16406044624a1a
├── [4.0K]  api
│   ├── [ 534]  pom.xml
│   └── [4.0K]  src
│       └── [4.0K]  main
│           └── [4.0K]  java
│               └── [4.0K]  com
│                   └── [4.0K]  gypsyengineer
│                       └── [4.0K]  api
│                           ├── [ 160]  BookingException.java
│                           ├── [ 389]  Booking.java
│                           └── [ 140]  CabBookingService.java
├── [4.0K]  client
│   ├── [1.2K]  pom.xml
│   └── [4.0K]  src
│       └── [4.0K]  main
│           ├── [4.0K]  java
│           │   └── [4.0K]  com
│           │       └── [4.0K]  gypsyengineer
│           │           └── [4.0K]  client
│           │               ├── [1015]  Client.java
│           │               └── [1.0K]  Exploit.java
│           └── [4.0K]  resources
│               └── [ 372]  logback.xml
├── [ 532]  create_codeql_db.sh
├── [1.0K]  LICENSE
├── [ 144]  logging.properties
├── [2.0K]  payload.bin
├── [1.6K]  pom.xml
├── [1.7K]  README.md
└── [4.0K]  server
    ├── [1.1K]  pom.xml
    └── [4.0K]  src
        ├── [4.0K]  main
        │   ├── [4.0K]  java
        │   │   └── [4.0K]  com
        │   │       └── [4.0K]  gypsyengineer
        │   │           └── [4.0K]  server
        │   │               ├── [ 566]  CabBookingServiceImpl.java
        │   │               ├── [ 950]  Server.java
        │   │               └── [ 249]  XmlConfiguration.java
        │   └── [4.0K]  resources
        │       ├── [ 928]  beans.xml
        │       └── [ 372]  logback.xml
        └── [4.0K]  test
            └── [4.0K]  java
                └── [4.0K]  org
                    └── [4.0K]  gypsyengineer
                        └── [ 437]  SpringContextTest.java

27 directories, 21 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.