Spring Cloud Function RCE

date
Mar 24, 2022
slug
spring-cloud-function-rce
status
Published
tags
Java security
Security research
summary
Since the Gateway RCE, I have felt that the other Spring Cloud components would also be a focus of vulnerability hunting, and sure enough this became the next target
type
Post
Since the Gateway RCE, I have felt that the other Spring Cloud components would also be a focus of vulnerability hunting, and sure enough this became the next target:
Spring Cloud Function is a function-computing framework (FaaS) built on Spring Boot. The project provides a general model for deploying function-based software on a variety of platforms, including FaaS (function as a service) platforms such as Amazon AWS Lambda. It abstracts away all transport details and infrastructure, letting developers keep all of their familiar tools and workflows and focus on business logic.

Setting up the environment

Just pick Spring Web and, from the Cloud components, Function. ⚠️ The pom may still need its versions adjusted.

Reading the diff

This is a good chance to learn how to read the test cases. The official commit that fixes this bug touches three files: one is the fix itself, and another is a test case that lives under test. Keep this in mind when reading diffs in the future.
The fixed file adds SimpleEvaluationContext as the fix.
The test case, meanwhile, gives away the PoC: the trigger condition is simply to add the spring.cloud.function.routing-expression header.
Debugging confirms that this triggers successfully:
Other write-ups say configuration is required; it is not.
The official documentation describes it this way: this has already been added to the routing.

Breakpoint debugging

The call stack differs from the previous Spring Cloud vulnerability; the middleware here is Tomcat.
functionFromExpression:201, RoutingFunction (org.springframework.cloud.function.context.config)
route:127, RoutingFunction (org.springframework.cloud.function.context.config)
apply:86, RoutingFunction (org.springframework.cloud.function.context.config)
doApply:699, SimpleFunctionRegistry$FunctionInvocationWrapper (org.springframework.cloud.function.context.catalog)
apply:551, SimpleFunctionRegistry$FunctionInvocationWrapper (org.springframework.cloud.function.context.catalog)
processRequest:100, FunctionWebRequestProcessingHelper (org.springframework.cloud.function.web.util)
post:111, FunctionController (org.springframework.cloud.function.web.mvc)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
doInvoke:205, InvocableHandlerMethod (org.springframework.web.method.support)
invokeForRequest:150, InvocableHandlerMethod (org.springframework.web.method.support)
invokeAndHandle:117, ServletInvocableHandlerMethod (org.springframework.web.servlet.mvc.method.annotation)
invokeHandlerMethod:895, RequestMappingHandlerAdapter (org.springframework.web.servlet.mvc.method.annotation)
handleInternal:808, RequestMappingHandlerAdapter (org.springframework.web.servlet.mvc.method.annotation)
handle:87, AbstractHandlerMethodAdapter (org.springframework.web.servlet.mvc.method)
doDispatch:1067, DispatcherServlet (org.springframework.web.servlet)
doService:963, DispatcherServlet (org.springframework.web.servlet)
processRequest:1006, FrameworkServlet (org.springframework.web.servlet)
doPost:909, FrameworkServlet (org.springframework.web.servlet)
service:681, HttpServlet (javax.servlet.http)
service:883, FrameworkServlet (org.springframework.web.servlet)
service:764, HttpServlet (javax.servlet.http)
internalDoFilter:227, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:53, WsFilter (org.apache.tomcat.websocket.server)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:100, RequestContextFilter (org.springframework.web.filter)
doFilter:117, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:93, FormContentFilter (org.springframework.web.filter)
doFilter:117, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:96, WebMvcMetricsFilter (org.springframework.boot.actuate.metrics.web.servlet)
doFilter:117, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:201, CharacterEncodingFilter (org.springframework.web.filter)
doFilter:117, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
invoke:197, StandardWrapperValve (org.apache.catalina.core)
invoke:97, StandardContextValve (org.apache.catalina.core)
invoke:541, AuthenticatorBase (org.apache.catalina.authenticator)
invoke:135, StandardHostValve (org.apache.catalina.core)
invoke:92, ErrorReportValve (org.apache.catalina.valves)
invoke:78, StandardEngineValve (org.apache.catalina.core)
service:360, CoyoteAdapter (org.apache.catalina.connector)
service:399, Http11Processor (org.apache.coyote.http11)
process:65, AbstractProcessorLight (org.apache.coyote)
process:889, AbstractProtocol$ConnectionHandler (org.apache.coyote)
doRun:1743, NioEndpoint$SocketProcessor (org.apache.tomcat.util.net)
run:49, SocketProcessorBase (org.apache.tomcat.util.net)
runWorker:1191, ThreadPoolExecutor (org.apache.tomcat.util.threads)
run:659, ThreadPoolExecutor$Worker (org.apache.tomcat.util.threads)
run:61, TaskThread$WrappingRunnable (org.apache.tomcat.util.threads)
run:745, Thread (java.lang)
Start from the class org.springframework.cloud.function.web.mvc.FunctionController, which handles the routing of the POST:
It then enters org.springframework.cloud.function.context.config.RoutingFunction#apply; this is the class where the vulnerability lives.
Inside the route method, the header value is read and handed to functionFromExpression, which evaluates it as a SpEL expression, completing the exploit. The analysis is not very complicated.
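To make concrete what swapping in SimpleEvaluationContext changes, here is an added Java example (not code from Spring Cloud Function or from this post) that evaluates the same kinds of expressions under both contexts against a constructed message object. The RoutedMessage class, the sample expressions, and the assumption that the pre-fix code used a plain StandardEvaluationContext are mine; only the header name comes from the analysis above.

```java
import java.util.Collections;
import java.util.Map;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class RoutingExpressionContexts {

    /** Header whose value RoutingFunction evaluates as SpEL (name from the analysis above). */
    public static final String ROUTING_HEADER = "spring.cloud.function.routing-expression";

    private static final SpelExpressionParser PARSER = new SpelExpressionParser();

    /** Constructed stand-in for the message the routing expression is evaluated against. */
    public static final class RoutedMessage {
        private final String payload;
        private final Map<String, Object> headers;
        public RoutedMessage(String payload, Map<String, Object> headers) { this.payload = payload; this.headers = headers; }
        public String getPayload() { return payload; }
        public Map<String, Object> getHeaders() { return headers; }
    }

    /** Assumed pre-fix pattern: StandardEvaluationContext exposes the full SpEL feature set to the expression. */
    public static Object evaluateWithStandardContext(String expression, RoutedMessage message) {
        EvaluationContext ctx = new StandardEvaluationContext(message);
        return PARSER.parseExpression(expression).getValue(ctx);
    }

    /** Post-fix pattern: SimpleEvaluationContext permits only read-only property access on the root object. */
    public static Object evaluateWithSimpleContext(String expression, RoutedMessage message) {
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(expression).getValue(ctx, message);
    }

    public static void main(String[] args) {
        RoutedMessage msg = new RoutedMessage("hello", Collections.singletonMap("function.name", "uppercase"));
        String[] expressions = {
            "headers['function.name']",  // legitimate routing: accepted by both contexts
            "payload.toUpperCase()",     // method invocation: SimpleEvaluationContext has no method resolvers
            "T(java.lang.Math).abs(-1)"  // type reference: SimpleEvaluationContext has no type locator
        };
        for (String expr : expressions) {
            System.out.println("standard: " + expr + " -> " + evaluateWithStandardContext(expr, msg));
            try {
                System.out.println("simple:   " + expr + " -> " + evaluateWithSimpleContext(expr, msg));
            } catch (EvaluationException e) {
                System.out.println("simple:   " + expr + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Only the first expression survives the hardened context, which is why a routing header can still select a function after the fix but can no longer reach methods or classes outside the message.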

Summary

1. Learn to read the contents of git commits, especially the test cases; there are surprises in there.
2. Tips for setting up Spring Cloud in IDEA

© 4me 2021 - 2024