Decrypt LOL

Unauthenticated Vulnerability Reported in Spring Application

3 min read

Quick take - A former student has reported an unpatched vulnerability in a Spring application: a restricted file-upload feature, combined with the way the application picks up its configuration, could allow remote code execution. The finding highlights the need for further investigation into related exploitation paths.

Fast Facts

  • A former student reported an unauthenticated vulnerability in a Spring application's file-upload handling, which remains unpatched.
  • The vulnerability allows potential remote code execution because uploads with specific file extensions can alter application properties.
  • The investigation revealed that configuration files are processed in a fixed order, which led to a significant property in the Spring Common Application Properties documentation.
  • The author demonstrated exploitation by reconfiguring the Logback library via a URL, and noted that several other routes to remote code execution are likely.
  • Further research into the Spring framework is encouraged to uncover additional vulnerabilities and exploitation vectors.

Unauthenticated Vulnerability in Spring Application

A former student has reported an unauthenticated vulnerability in a Spring application that remains unpatched. The vulnerability is demonstrated through mock-up code that outlines how the application handles file uploads.

File Upload Process

The code checks whether the filename ends in one of a set of allowed extensions. If the extension is not on the allow list, an exception is thrown and the upload is rejected. If the extension is permitted, the code writes the uploaded file to the server. The filename is taken from the request in a way that prevents directory traversal. By default, the service writes files into the base directory of the Tomcat server.

The author of the report was inspired by a friend's technique for turning a constrained ("jailed") file write into remote code execution. An initial assessment suggested that the limited file write would make exploitation difficult. However, the author identified two allowed file extensions that looked potentially interesting.

Investigation and Findings

The author noted that Tomcat processes certain file types, which warranted further investigation. During this investigation, an invalid file was placed in the directory. This produced a stack trace showing an attempt to load a non-existent file. The listener in Tomcat attempts to load application configuration files in a fixed order: properties, XML, and then the two YAML variants. This order provided clues for further exploration.

Subsequently, the author found the relevant documentation on Spring Common Application Properties. A specific property related to the environment was identified as significant. The code path allows properties to be set on the environment through the identified vulnerability, which gives an attacker control over a property that is parsed and used within the application. The flow of that argument leads to a call that allows remote code execution.
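A hardened version of the upload handler described above, written here as an added example (it is not the reported application's code nor the report author's). It keeps the extension allow list, additionally refuses every extension the configuration loader picks up, stores each file under a server-chosen random name in a directory the operator places outside the container's base directory (a hypothetical path supplied by the caller), and never overwrites an existing file.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

/** Hardened upload store (example code, not the reported application's). */
public final class SafeUploadStore {
    // Extensions the feature genuinely needs; constructed sample list.
    private static final Set<String> ALLOWED = Set.of("png", "jpg", "pdf");
    // Extensions the application's configuration loader reads from its working directory.
    private static final Set<String> CONFIG_LIKE = Set.of("properties", "xml", "yml", "yaml");

    private final Path root;

    /** root is a hypothetical directory the operator keeps outside the container's base directory. */
    public SafeUploadStore(Path root) throws IOException {
        this.root = root.toAbsolutePath().normalize();
        Files.createDirectories(this.root);
    }

    /** Lower-cased extension after the last dot, or null if there is none. */
    static String extensionOf(String name) {
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) return null;
        return name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** Stores the upload and returns its path; throws SecurityException on a policy violation. */
    public Path store(String clientName, InputStream data) throws IOException {
        String ext = extensionOf(clientName);
        if (ext == null || !ALLOWED.contains(ext)) {
            throw new SecurityException("extension not allowed: " + clientName);
        }
        // Deny list on top of the allow list: a later widening of ALLOWED cannot
        // reintroduce an extension the configuration loader would consume.
        if (CONFIG_LIKE.contains(ext)) {
            throw new SecurityException("configuration-like extension refused: " + ext);
        }
        // Server-chosen name: the client can no longer pick "application.<ext>" or an existing file.
        Path target = root.resolve(UUID.randomUUID() + "." + ext).normalize();
        if (!target.startsWith(root)) {
            throw new SecurityException("path escapes upload root");
        }
        Files.copy(data, target); // no REPLACE_EXISTING: fails instead of overwriting
        return target;
    }
}
```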

Proof of Concept and Further Research

To illustrate the vulnerability, the author provided a proof of concept. The exploitation method described involved reconfiguring the Logback library via a URL, showing how an attacker could manipulate the application's logging configuration. The author also noted that there are likely other methods of achieving remote code execution, so the scope of the vulnerability extends beyond the initial findings.

Additionally, other potential exploitation vectors were identified, including defining log file paths and using JDBC. The author encourages further research into the Spring framework to uncover additional vulnerabilities, suggesting that this is an area ripe for exploration and scrutiny. References to the original article and related content were provided to support the findings and to encourage further investigation.

Original Source: Read the Full Article Here
