POC详情: f5566a22ffce523a426ab48a1f16406044624a1a

来源
https://github.com/artem-smotrakov/cve-2016-1000027-poc
关联漏洞
标题: Vmware Spring Framework 代码问题漏洞 (CVE-2016-1000027)
描述:Vmware Spring Framework是美国威睿(Vmware)公司的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。 Pivotal Software Spring Framework 4.1.4版本中存在安全漏洞。攻击者可利用该漏洞执行代码。
描述
PoC for CVE-2016-1000027
介绍
# PoC for CVE-2016-1000027

This is a demo Spring Boolt application that is affected by [CVE-2016-1000027](https://nvd.nist.gov/vuln/detail/CVE-2016-1000027).

# Steps to reproduce the vulnerability

1. Start a vulnerable server `com.gypsyengineer.server.Server`.
2. Run `com.gypsyengineer.client.Exploit`.

The [`Exploit`](client/src/main/java/com/gypsyengineer/client/Exploit.java) class reads `payload.bin` and sends it to the vulnerable server.
`payload.bin` contains a payload generated by [ysoserial](https://github.com/frohoff/ysoserial).
The current `payload.bin` is `CommonsCollections5` that runs `gedit`:

```
java -jar target/ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections5 gedit > payload.bin
```

# How to fix an application that is affected by CVE-2016-1000027

The issue has not been fixed in Spring Framework. See https://github.com/spring-projects/spring-framework/issues/24434

Here is what can be done on application side.

1. The best way is to stop using `HttpInvokerServiceExporter` and `RemoteInvocationSerializingExporter` classes.
   They are already deprecated and will likely be remove in next versions of Spring Framework.
2. Do not accept untrusted data in the endpoints that are based on these vulnerable classes.
3. Use serialization filters that were introduced by JEP 290.

# Links

1.  [[R2] Pivotal Spring Framework HttpInvokerServiceExporter readRemoteInvocation Method Untrusted Java Deserialization](https://www.tenable.com/security/research/tra-2016-20)
1.  [OWASP: Deserialization of untrusted data](https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data)
1.  The application is based on [this](https://github.com/eugenp/tutorials/tree/master/spring-remoting/remoting-http).
文件快照

 [4.0K]  /data/pocs/f5566a22ffce523a426ab48a1f16406044624a1a
├── [4.0K]  api
│   ├── [ 534]  pom.xml
│   └── [4.0K]  src
│       └── [4.0K]  main
│           └── [4.0K]  java
│               └── [4.0K]  com
│                   └── [4.0K]  gypsyengineer
│                       └── [4.0K]  api
│                           ├── [ 160]  BookingException.java
│                           ├── [ 389]  Booking.java
│                           └── [ 140]  CabBookingService.java
├── [4.0K]  client
│   ├── [1.2K]  pom.xml
│   └── [4.0K]  src
│       └── [4.0K]  main
│           ├── [4.0K]  java
│           │   └── [4.0K]  com
│           │       └── [4.0K]  gypsyengineer
│           │           └── [4.0K]  client
│           │               ├── [1015]  Client.java
│           │               └── [1.0K]  Exploit.java
│           └── [4.0K]  resources
│               └── [ 372]  logback.xml
├── [ 532]  create_codeql_db.sh
├── [1.0K]  LICENSE
├── [ 144]  logging.properties
├── [2.0K]  payload.bin
├── [1.6K]  pom.xml
├── [1.7K]  README.md
└── [4.0K]  server
    ├── [1.1K]  pom.xml
    └── [4.0K]  src
        ├── [4.0K]  main
        │   ├── [4.0K]  java
        │   │   └── [4.0K]  com
        │   │       └── [4.0K]  gypsyengineer
        │   │           └── [4.0K]  server
        │   │               ├── [ 566]  CabBookingServiceImpl.java
        │   │               ├── [ 950]  Server.java
        │   │               └── [ 249]  XmlConfiguration.java
        │   └── [4.0K]  resources
        │       ├── [ 928]  beans.xml
        │       └── [ 372]  logback.xml
        └── [4.0K]  test
            └── [4.0K]  java
                └── [4.0K]  org
                    └── [4.0K]  gypsyengineer
                        └── [ 437]  SpringContextTest.java

27 directories, 21 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。