Spring Cloud Function RCE
date
Mar 24, 2022
slug
spring-cloud-function-rce
status
Published
tags
Java Security
Security Research
summary
Since the Gateway RCE I had a feeling that the other Spring Cloud components would become the focus of vulnerability hunting, and sure enough this one became the next target
type
Post
Since the Gateway RCE I had a feeling that the other Spring Cloud components would become the focus of vulnerability hunting, and sure enough this one became the next target:

Spring Cloud Function is a function-computing (FaaS) framework built on Spring Boot. The project provides a uniform programming model for deploying function-based software on a variety of platforms, including FaaS (function as a service) platforms such as Amazon AWS Lambda. It abstracts away all transport details and infrastructure, letting developers keep their familiar tools and workflows and concentrate on business logic.
Environment setup
In Spring Initializr just pick Spring Web plus Function from the Spring Cloud group. ⚠️ You may still need to adjust the version in the pom to one of the affected releases.
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2F4a8eb8d5-accc-4f1b-8dd3-50ca4bec1d64%2FUntitled.png%3Fid%3Ddc3e9a2d-3a69-4e52-8a4d-f59398f9357b%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722103200000%26signature%3DeoJmDhBzT7828YW03XYy92sbeSf8xRMYznMXMJgUqWk?table=block&id=dc3e9a2d-3a69-4e52-8a4d-f59398f9357b&cache=v2)
Reading the diff
This is a good chance to learn how to read test cases. The official commit that fixes this bug touches three files: one is the fix itself, another is a test case that lives under test. When reading diffs in future it is worth paying attention to the test directory as well.
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2Fd8209389-e874-4479-81e4-6bf3b53e9713%2FUntitled.png%3Fid%3Da0533faf-6ebc-4fd5-92ab-28a06283dafb%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722103200000%26signature%3DP2vxKDhK3rFcP61mwIH1X93AI_5goZakoB5fOTdOG0s?table=block&id=a0533faf-6ebc-4fd5-92ab-28a06283dafb&cache=v2)
In the fixed file the change is that the routing expression taken from the request is now evaluated with a SimpleEvaluationContext instead of the StandardEvaluationContext used before; SimpleEvaluationContext only exposes data-binding style property access and method calls on the root object and rejects type references such as T(java.lang.Runtime), bean references and constructors, which is what closes the RCE.
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2Fdc00f9da-8b95-4c75-96fa-69337afcacef%2FUntitled.png%3Fid%3D5b4cb62b-ed2a-4938-95cb-c0076d299a0a%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722103200000%26signature%3DB6HpVDteUAXlJ7iiAe6nK1CJXehD6vRQn2UpKi0VSro?table=block&id=5b4cb62b-ed2a-4938-95cb-c0076d299a0a&cache=v2)
The test case, on the other hand, gives away the PoC: the trigger is simply adding the header
`spring.cloud.function.routing-expression`
to the request, with the SpEL expression as its value.
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2F053c677c-2173-4706-a4cc-3e99b3ac623e%2FUntitled.png%3Fid%3Df377a1d4-231f-4e26-8cf0-f99d813ef301%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722103200000%26signature%3DeoQi_O7qq1J8hgBNbOtNXIBK7msboAcyFXtIchN_WS8?table=block&id=f377a1d4-231f-4e26-8cf0-f99d813ef301&cache=v2)
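To make the before/after behaviour of the fix concrete, the following is an added example written for this post; it is not code from the page or from the Spring Cloud Function project. It only needs spring-expression on the classpath. The method name `routeFromHeaders`, the `patched` flag and the probe expression are my own: the probe resolves `java.lang.Runtime` through a `T()` type reference exactly as the exec() payload in the test case does, but calls a side-effect-free method so it can be run safely.

```java
import java.util.Map;

import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

/**
 * Stand-alone illustration of why evaluating the routing-expression header with a
 * StandardEvaluationContext is exploitable and why SimpleEvaluationContext stops it.
 * This is a simplified model of RoutingFunction#route/functionFromExpression, not the
 * project's own code.
 */
public class RoutingExpressionDemo {

    // Header name that RoutingFunction reads the SpEL expression from.
    static final String ROUTING_HEADER = "spring.cloud.function.routing-expression";

    private static final SpelExpressionParser PARSER = new SpelExpressionParser();

    /**
     * Evaluates the routing expression found in the message headers.
     *
     * @param headers request/message headers (constructed sample input in main)
     * @param patched false = pre-fix behaviour (StandardEvaluationContext: full SpEL,
     *                T() type references allowed, so java.lang.Runtime is reachable);
     *                true  = post-fix behaviour (SimpleEvaluationContext: no type
     *                references, no constructors, no bean references)
     */
    static Object routeFromHeaders(Map<String, String> headers, boolean patched) {
        String routingExpression = headers.get(ROUTING_HEADER);
        if (routingExpression == null) {
            throw new IllegalStateException("no " + ROUTING_HEADER + " header present");
        }
        EvaluationContext ctx = patched
                ? SimpleEvaluationContext.forReadOnlyDataBinding().build()
                : new StandardEvaluationContext();
        return PARSER.parseExpression(routingExpression).getValue(ctx);
    }

    public static void main(String[] args) {
        // Constructed sample header. Same shape as the exec() payload, but the method
        // called has no side effects, so this is a safe probe for the sink.
        Map<String, String> headers = Map.of(
                ROUTING_HEADER, "T(java.lang.Runtime).getRuntime().availableProcessors()");

        // Unpatched: the type reference resolves and the static call runs.
        System.out.println("StandardEvaluationContext -> " + routeFromHeaders(headers, false));

        // Patched: SimpleEvaluationContext's TypeLocator refuses every T() lookup and
        // throws a SpelEvaluationException (a subclass of EvaluationException).
        try {
            System.out.println("SimpleEvaluationContext   -> " + routeFromHeaders(headers, true));
        } catch (EvaluationException e) {
            System.out.println("SimpleEvaluationContext   -> rejected: " + e.getMessage());
        }
    }
}
```

The first call prints the processor count, the second prints the rejection message. Swap the probe for the exec() expression from the upstream test case and the unpatched branch is the CVE; the patched branch still fails at the T() lookup before any method is invoked.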
Debugging confirms that it triggers:
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2Fddafc60f-53f2-4d18-9dc0-89a3ac2bf499%2FUntitled.png%3Fid%3Dc61e8523-c965-447f-90d0-8986af8827c7%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722103200000%26signature%3DU8pJn8adpAedtSZEB4t0OrIw-wfBTzfZQ-BTSgO0uaM?table=block&id=c61e8523-c965-447f-90d0-8986af8827c7&cache=v2)
Other write-ups say that extra configuration is needed; it actually isn't.
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2Fa9bb4666-5588-42f2-8892-d66f34c24bfa%2FUntitled.png%3Fid%3D053ebe1d-459f-487e-b132-947a31a848df%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722103200000%26signature%3D_qp_AomgBGG43rJ9raZnpCaREgLAopTt1IZ559ktGyI?table=block&id=053ebe1d-459f-487e-b132-947a31a848df&cache=v2)
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2Fa6aab9ad-a9ee-4477-8117-da8b17a07be6%2FUntitled.png%3Fid%3Db7db2f77-efd5-41d0-b244-23d1f105391c%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722103200000%26signature%3DujJle4f5nyBvSx3CdxnCyUVsoErV-5j60Z8pDdFMeOo?table=block&id=b7db2f77-efd5-41d0-b244-23d1f105391c&cache=v2)
The official documentation describes it like this: the routing function is already wired into the routes.
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2F61ee43ef-486a-4d29-8fdf-df19a47dc3ab%2FUntitled.png%3Fid%3D52594bfa-d169-413a-b41c-98faff8d2c9b%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722103200000%26signature%3DIB4bwmPY5CYnUIUnJeNopl-iQttp_27MCppzyVvpAnE?table=block&id=52594bfa-d169-413a-b41c-98faff8d2c9b&cache=v2)
Breakpoint debugging
The call stack looks different from the previous Spring Cloud vulnerability, because this application is served by Tomcat (Spring MVC):
```
functionFromExpression:201, RoutingFunction (org.springframework.cloud.function.context.config)
route:127, RoutingFunction (org.springframework.cloud.function.context.config)
apply:86, RoutingFunction (org.springframework.cloud.function.context.config)
doApply:699, SimpleFunctionRegistry$FunctionInvocationWrapper (org.springframework.cloud.function.context.catalog)
apply:551, SimpleFunctionRegistry$FunctionInvocationWrapper (org.springframework.cloud.function.context.catalog)
processRequest:100, FunctionWebRequestProcessingHelper (org.springframework.cloud.function.web.util)
post:111, FunctionController (org.springframework.cloud.function.web.mvc)
invoke0:-1, NativeMethodAccessorImpl (sun.reflect)
invoke:62, NativeMethodAccessorImpl (sun.reflect)
invoke:43, DelegatingMethodAccessorImpl (sun.reflect)
invoke:498, Method (java.lang.reflect)
doInvoke:205, InvocableHandlerMethod (org.springframework.web.method.support)
invokeForRequest:150, InvocableHandlerMethod (org.springframework.web.method.support)
invokeAndHandle:117, ServletInvocableHandlerMethod (org.springframework.web.servlet.mvc.method.annotation)
invokeHandlerMethod:895, RequestMappingHandlerAdapter (org.springframework.web.servlet.mvc.method.annotation)
handleInternal:808, RequestMappingHandlerAdapter (org.springframework.web.servlet.mvc.method.annotation)
handle:87, AbstractHandlerMethodAdapter (org.springframework.web.servlet.mvc.method)
doDispatch:1067, DispatcherServlet (org.springframework.web.servlet)
doService:963, DispatcherServlet (org.springframework.web.servlet)
processRequest:1006, FrameworkServlet (org.springframework.web.servlet)
doPost:909, FrameworkServlet (org.springframework.web.servlet)
service:681, HttpServlet (javax.servlet.http)
service:883, FrameworkServlet (org.springframework.web.servlet)
service:764, HttpServlet (javax.servlet.http)
internalDoFilter:227, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilter:53, WsFilter (org.apache.tomcat.websocket.server)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:100, RequestContextFilter (org.springframework.web.filter)
doFilter:117, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:93, FormContentFilter (org.springframework.web.filter)
doFilter:117, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:96, WebMvcMetricsFilter (org.springframework.boot.actuate.metrics.web.servlet)
doFilter:117, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
doFilterInternal:201, CharacterEncodingFilter (org.springframework.web.filter)
doFilter:117, OncePerRequestFilter (org.springframework.web.filter)
internalDoFilter:189, ApplicationFilterChain (org.apache.catalina.core)
doFilter:162, ApplicationFilterChain (org.apache.catalina.core)
invoke:197, StandardWrapperValve (org.apache.catalina.core)
invoke:97, StandardContextValve (org.apache.catalina.core)
invoke:541, AuthenticatorBase (org.apache.catalina.authenticator)
invoke:135, StandardHostValve (org.apache.catalina.core)
invoke:92, ErrorReportValve (org.apache.catalina.valves)
invoke:78, StandardEngineValve (org.apache.catalina.core)
service:360, CoyoteAdapter (org.apache.catalina.connector)
service:399, Http11Processor (org.apache.coyote.http11)
process:65, AbstractProcessorLight (org.apache.coyote)
process:889, AbstractProtocol$ConnectionHandler (org.apache.coyote)
doRun:1743, NioEndpoint$SocketProcessor (org.apache.tomcat.util.net)
run:49, SocketProcessorBase (org.apache.tomcat.util.net)
runWorker:1191, ThreadPoolExecutor (org.apache.tomcat.util.threads)
run:659, ThreadPoolExecutor$Worker (org.apache.tomcat.util.threads)
run:61, TaskThread$WrappingRunnable (org.apache.tomcat.util.threads)
run:745, Thread (java.lang)
```
The place to start is
org.springframework.cloud.function.web.mvc.FunctionController
, the class whose post method handles the POST route:
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2F4169508c-ccac-45ec-bfbc-ad52f2faaa95%2FUntitled.png%3Fid%3Dee973500-572e-46db-85b3-0c19198c0799%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722103200000%26signature%3DQQp7knuyoflkQENV-xEcOK_r1Xu7jy6jqIeZiGtwumc?table=block&id=ee973500-572e-46db-85b3-0c19198c0799&cache=v2)
From there the request reaches
org.springframework.cloud.function.context.config.RoutingFunction#apply
, and this is the class where the vulnerability lives.
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2F186bc59b-902c-4680-900c-d7e00a2f5d8c%2FUntitled.png%3Fid%3D7b4d10b0-9f6a-4b71-9b7b-b7f3d77f97b5%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722103200000%26signature%3DGTi6Bp5oWeGWtph4XOhMQ7QIFChQipVj6N1ZTPc2NMI?table=block&id=7b4d10b0-9f6a-4b71-9b7b-b7f3d77f97b5&cache=v2)
apply calls route, which reads the expression from the message headers and hands it to
functionFromExpression
, where the SpEL expression is evaluated; that completes the exploit chain. The analysis is not especially complicated.
![notion image](https://www.notion.so/image/https%3A%2F%2Ffile.notion.so%2Ff%2Ff%2Fc113620e-b4a6-4a92-bee1-d70b242f1a2f%2Fc73b6ab7-1be1-4b8b-b4f3-7ef484c92ec7%2FUntitled.png%3Fid%3D01e88c2e-7068-4da7-978c-dad87343c54b%26table%3Dblock%26spaceId%3Dc113620e-b4a6-4a92-bee1-d70b242f1a2f%26expirationTimestamp%3D1722103200000%26signature%3Dpve7rJM0bOIRWrZgh_44PwwheyD1DL45OAFAfA6sCtw?table=block&id=01e88c2e-7068-4da7-978c-dad87343c54b&cache=v2)
Summary
1. Learn to read the content of git commits, especially the test cases; there are surprises in there.
2. Tips for setting up a Spring Cloud project in IDEA.