POC details: 342b051aa50fa77d7a8f3142df17b82ba8ff6db6

Source
Related vulnerability
Title: VMware Spring Security security vulnerability (CVE-2022-31692)
Description: VMware Spring Security is a security framework from the US company VMware that provides declarative security for Spring-based applications. VMware Spring Security 5.7.x versions before 5.7.5 and 5.6.x versions before 5.6.9 contain a security vulnerability: authorization rules may be bypassed via the forward or include dispatcher types.
Description
A project demonstrating an app that is vulnerable to Spring Security authorization bypass CVE-2022-31692
Introduction
# CVE-2022-31692 Demo

## Overview
A simple Spring Boot application demonstrating configuration that is vulnerable to [CVE-2022-31692](https://tanzu.vmware.com/security/cve-2022-31692).

This vulnerability may attract attention due to its severity - it has a CVSS 3.x base score of 9.8 as it allows authentication bypass.
The purpose of this project is to demonstrate the conditions described in the advisory that make the vulnerability applicable:
- The application expects that Spring Security applies security to forward and include dispatcher types.
- The application uses the `AuthorizationFilter` either manually or via the `authorizeHttpRequests()` method.
- The application configures the `FilterChainProxy` to apply to forward and/or include requests (e.g. `spring.security.filter.dispatcher-types = request, error, async, forward, include`).
- The application may forward or include the request to a higher-privilege secured endpoint.
- The application configures Spring Security to apply to every dispatcher type via `authorizeHttpRequests().shouldFilterAllDispatcherTypes(true)`.

For reference, I'm pretty sure [this](https://github.com/spring-projects/spring-security/commit/1f481aafff14f324ffe2b43a973d3d5f54ae92d4) is the commit that addresses the vulnerability.

## Demonstration
The application has three URLs:
1. `/` The index page
2. `/admin` An admin page, which requires the user to provide Basic auth (creds "user"/"pass") and be assigned the ROLE_ADMIN role
3. `/forward` A server-side forward to the admin page

Access controls are specified via `authorizeHttpRequests()` in the `SecurityConfig` class, inside the `SecurityFilterChain` bean (Basic auth is enabled because `/admin` challenges for it):

	@Bean
	SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
		http.httpBasic().and()
			.authorizeHttpRequests((authz) -> authz
				.antMatchers("/").permitAll()
				.antMatchers("/forward").permitAll()
				.antMatchers("/admin").hasAuthority("ROLE_ADMIN")
				.shouldFilterAllDispatcherTypes(true) // also authorize FORWARD/INCLUDE dispatches
			);
		return http.build();
	}

### Expected behaviours

1. User accesses `/` and is not asked to authenticate (thanks to `permitAll()`).

2. User accesses `/admin` without providing authentication; the request is rejected (401 Unauthorized).

3. User accesses `/admin` with valid authentication, but the request is still rejected (403 Forbidden)
because the user does not have the required role (`.hasAuthority("ROLE_ADMIN")`).

4. User accesses `/forward`. The request passes through the security filter chain for GET /forward and is accepted
(thanks to `permitAll()`). The controller processes the request and returns `forward:/admin` to the dispatcher.
As instructed by the `spring.security.filter.dispatcher-types` and `.shouldFilterAllDispatcherTypes(true)` settings,
this FORWARD dispatch should be passed through the filter chain again, and that second pass should reject
the request (again, thanks to `hasAuthority("ROLE_ADMIN")`).

### Actual behaviour
User accesses `/forward`; the request passes through the filter chain once and is accepted. The forward is
processed, but instead of being passed through the chain again it is simply accepted, and the admin page is
returned to the unauthenticated user.
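The expected and actual behaviours above are easy to turn into a regression test that fails while the vulnerable Spring Security version is on the classpath and passes once it is fixed. The following JUnit 5 test is an added example, not part of the demo project; it assumes the project's package `com.spindlesec.poc.springauthbypass` and the README's Basic auth credentials `user`/`pass`, and that `spring-boot-starter-test` (JUnit 5, AssertJ, `TestRestTemplate`) is available, as it is in a standard Spring Boot build. It uses a real embedded server rather than MockMvc because MockMvc never executes a server-side forward, so it cannot observe whether the FORWARD dispatch is authorized again. The version guard encodes only the affected ranges stated on this page.

```java
package com.spindlesec.poc.springauthbypass;

import static org.assertj.core.api.Assertions.assertThat;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.web.client.TestRestTemplate;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.SpringSecurityCoreVersion;

// Added regression test (not part of the demo project). Runs the demo on a random port so
// that the FORWARD dispatch to /admin is really executed by the servlet container.
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
class ForwardDispatchAuthorizationTests {

    @Autowired
    private TestRestTemplate rest; // does not throw on 4xx, so status codes can be asserted directly

    /** Affected ranges as stated in the advisory: 5.7.x before 5.7.5 and 5.6.x before 5.6.9. */
    static boolean isAffectedVersion(String version) {
        if (version == null) {
            return false; // no manifest version (e.g. running from IDE classes): let the HTTP tests decide
        }
        String[] parts = version.split("[.-]"); // tolerate suffixes such as "5.7.3-SNAPSHOT"
        if (parts.length < 3) {
            return false;
        }
        int major = Integer.parseInt(parts[0]);
        int minor = Integer.parseInt(parts[1]);
        int patch = Integer.parseInt(parts[2]);
        if (major != 5) {
            return false;
        }
        return (minor == 7 && patch < 5) || (minor == 6 && patch < 9);
    }

    @Test
    void classpathSpringSecurityIsNotInAffectedRange() {
        String version = SpringSecurityCoreVersion.getVersion();
        assertThat(isAffectedVersion(version))
                .as("spring-security-core %s is in the CVE-2022-31692 affected range", version)
                .isFalse();
    }

    @Test
    void indexIsPublic() {
        ResponseEntity<String> response = rest.getForEntity("/", String.class);
        assertThat(response.getStatusCode()).isEqualTo(HttpStatus.OK);
    }

    @Test
    void adminWithoutCredentialsIsRejected() {
        ResponseEntity<String> response = rest.getForEntity("/admin", String.class);
        assertThat(response.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
    }

    @Test
    void adminWithoutAdminRoleIsRejected() {
        ResponseEntity<String> response = rest.withBasicAuth("user", "pass")
                .getForEntity("/admin", String.class);
        assertThat(response.getStatusCode()).isEqualTo(HttpStatus.FORBIDDEN);
    }

    // The test that separates expected from actual behaviour: on a fixed version the FORWARD
    // dispatch to /admin is authorized again and rejected; on a vulnerable version the admin
    // page comes back with 200 to an unauthenticated client.
    @Test
    void forwardToAdminIsReAuthorized() {
        ResponseEntity<String> response = rest.getForEntity("/forward", String.class);
        assertThat(response.getStatusCode().is4xxClientError())
                .as("GET /forward returned %s; the forwarded admin page must not be served",
                        response.getStatusCode())
                .isTrue();
    }
}
```

Run it with the project's wrapper (`./mvnw test`). Against Spring Security 5.7.x before 5.7.5 the last two tests fail (the version guard and the `/forward` check); after upgrading, all pass without any change to `SecurityConfig`. The `/forward` assertion deliberately accepts either 401 or 403, since which one the second pass through the chain produces depends on the entry point, and the point being verified is only that the forwarded admin page is not served.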
File snapshot

```
[4.0K] /data/pocs/342b051aa50fa77d7a8f3142df17b82ba8ff6db6
├── [ 10K] mvnw
├── [6.6K] mvnw.cmd
├── [2.0K] pom.xml
├── [3.0K] README.md
└── [4.0K] src
    ├── [4.0K] main
    │   ├── [4.0K] java
    │   │   └── [4.0K] com
    │   │       └── [4.0K] spindlesec
    │   │           └── [4.0K] poc
    │   │               └── [4.0K] springauthbypass
    │   │                   ├── [ 348] Cve202231692DemoApplication.java
    │   │                   ├── [1.3K] SecurityConfig.java
    │   │                   └── [ 423] WebController.java
    │   └── [4.0K] resources
    │       ├── [ 262] application.properties
    │       └── [4.0K] templates
    │           ├── [ 222] adminpage.html
    │           └── [ 558] index.html
    └── [4.0K] test
        └── [4.0K] java
            └── [4.0K] com
                └── [4.0K] spindlesec
                    └── [4.0K] poc
                        └── [4.0K] springauthbypass
                            └── [ 236] Cve202231692PocApplicationTests.java

15 directories, 11 files
```