个人网站 备案 类型,宽带开户多少钱,金融保险网站模板,推广平台使用漏洞概述
VMware Spring Framework是美国威睿#xff08;VMware#xff09;公司的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。
近期#xff0c;监测到Spring Framework在特定条件下#xff0c;存在目录遍历漏洞#xff08;网宿评分VMware公司的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。
近期监测到Spring Framework在特定条件下存在目录遍历漏洞网宿评分高危、CVSS 3.1 评分7.5 当同时满足使用 RouterFunctions 和 FileSystemResource 来处理和提供静态文件时攻击者可构造恶意请求遍历读取系统上的文件。 目前该漏洞POC状态已在互联网公开建议客户尽快做好自查及防护。
受影响版本
Spring Framework 5.3.0 - 5.3.39
Spring Framework 6.0.0 - 6.0.23
Spring Framework 6.1.0 - 6.1.12
其他更旧或者官方已不支持的版本
漏洞分析
根据漏洞描述https://spring.io/security/cve-2024-38816可知关键变更在于如何处理静态资源路径。 https://github.com/spring-projects/spring-framework/commit/d86bf8b2056429edf5494456cffcb2b243331c49#diff-25869a3e3b3d4960cb59b02235d71d192fdc4e02ef81530dd6a660802d4f8707R4 这里改了两处分别是
webflux -- org.springframework.web.reactive.function.server.PathResourceLookupFunction
webmvc -- org.springframework.web.servlet.function.PathResourceLookupFunction
它们都旨在为 Web 应用程序提供静态内容的访问。
以webmvc -- org.springframework.web.servlet.function.PathResourceLookupFunction为例展开分析。
先是动态处理了资源请求确保只返回有效并且可访问的资源。
Override
public OptionalResource apply(ServerRequest request) {PathContainer pathContainer request.requestPath().pathWithinApplication();if (!this.pattern.matches(pathContainer)) {return Optional.empty();}pathContainer this.pattern.extractPathWithinPattern(pathContainer);String path processPath(pathContainer.value());if (path.contains(%)) {path StringUtils.uriDecode(path, StandardCharsets.UTF_8);}if (!StringUtils.hasLength(path) || isInvalidPath(path)) {return Optional.empty();}try {Resource resource this.location.createRelative(path);if (resource.isReadable() isResourceUnderLocation(resource)) {return Optional.of(resource);}else {return Optional.empty();}}catch (IOException ex) {throw new UncheckedIOException(ex);}
}接着对路径字符串进行规范化处理确保返回的路径格式是有效的。
private String processPath(String path) {boolean slash false;for (int i 0; i path.length(); i) {if (path.charAt(i) /) {slash true;}else if (path.charAt(i) path.charAt(i) ! 127) {if (i 0 || (i 1 slash)) {return path;}path slash ? / path.substring(i) : path.substring(i);return path;}}return (slash ? / : );
}最后从安全角度确保路径不指向敏感目录并且避免出现路径穿越的情况。
private boolean isInvalidPath(String path) {if (path.contains(WEB-INF) || path.contains(META-INF)) {return true;}if (path.contains(:/)) {String relativePath (path.charAt(0) / ? path.substring(1) : path);if (ResourceUtils.isUrl(relativePath) || relativePath.startsWith(url:)) {return true;}}return path.contains(..) StringUtils.cleanPath(path).contains(../);
}简单阐明以后不难发现上述代码做了敏感目录检查、url检查、路径穿越检查等操作暂时没发现可疑点所以我们需要进一步跟进
org.springframework.web.servlet.function.PathResourceLookupFunction#isInvalidPath()
查看一下它检查相对路径时StringUtils.cleanPath()做了哪些操作。
public static String cleanPath(String path) {if (!hasLength(path)) {return path;}String normalizedPath;// Optimize when there is no backslashif (path.indexOf(\) ! -1) {normalizedPath replace(path, DOUBLE_BACKSLASHES, FOLDER_SEPARATOR);normalizedPath replace(normalizedPath, WINDOWS_FOLDER_SEPARATOR, FOLDER_SEPARATOR);}else {normalizedPath path;}String pathToUse normalizedPath;// Shortcut if there is no work to doif (pathToUse.indexOf(.) -1) {return pathToUse;}// Strip prefix from path to analyze, to not treat it as part of the// first path element. This is necessary to correctly parse paths like// file:core/../core/io/Resource.class, where the .. should just// strip the first core directory while keeping the file: prefix.int prefixIndex pathToUse.indexOf(:);String prefix ;if (prefixIndex ! -1) {prefix pathToUse.substring(0, prefixIndex 1);if (prefix.contains(FOLDER_SEPARATOR)) {prefix ;}else {pathToUse pathToUse.substring(prefixIndex 1);}}if (pathToUse.startsWith(FOLDER_SEPARATOR)) {prefix prefix FOLDER_SEPARATOR;pathToUse pathToUse.substring(1);}String[] pathArray delimitedListToStringArray(pathToUse, FOLDER_SEPARATOR);// we never require more elements than pathArray and in the common case the same numberDequeString pathElements new ArrayDeque(pathArray.length);int tops 0;for (int i pathArray.length - 1; i 0; i--) {String element pathArray[i];if (CURRENT_PATH.equals(element)) {// Points to current directory - drop it.}else if (TOP_PATH.equals(element)) {// Registering top path found.tops;}else {if (tops 0) {// Merging path element with element corresponding to top path.tops--;}else {// Normal path element found.pathElements.addFirst(element);}}}// All path elements stayed the same - shortcutif (pathArray.length pathElements.size()) {return normalizedPath;}// Remaining top paths need to be retained.for (int i 0; i tops; i) {pathElements.addFirst(TOP_PATH);}// If nothing else left, at least explicitly point to current path.if (pathElements.size() 1 pathElements.getLast().isEmpty() !prefix.endsWith(FOLDER_SEPARATOR)) {pathElements.addFirst(CURRENT_PATH);}final String joined collectionToDelimitedString(pathElements, FOLDER_SEPARATOR);// avoid string concatenation with empty prefixreturn prefix.isEmpty() ? joined : prefix joined;
}这个方法主要对用户输入路径做了规范化处理具体包括长度检查、不同操作系统下的路径分隔符处理等。看起来也做了严格的处理但这一步存在问题。
String[] pathArray delimitedListToStringArray(pathToUse, FOLDER_SEPARATOR);具体来说它是允许空元素存在的假设路径字符串形如
String pathToUse “/static///…/…/Windows/win.ini”;
那么调用 delimitedListToStringArray 方法以后pathArray即为
[“static”, “”, “”, “…”, “…”, “Windows”, “win.ini”]
而pathElements即为 再来看这一串String pathToUse “/static/…/…/Windows/win.ini”; 显然pathArray中存在空元素会影响上级目录的处理导致返回不同的结果即存在安全隐患。
漏洞复现
实现目录穿越需要用到…/结合上述分析可通过这种方式实现。 package org.example.demo; import org.springframework.util.ResourceUtils; import org.springframework.util.StringUtils; public class test { public static void main(String[] args) { String path “/static///…/…/Windows/win.ini”; System.out.println(isInvalidPath(path)); } private static boolean isInvalidPath(String path) { if (path.contains(“WEB-INF”) || path.contains(“META-INF”)) { return true; } if (path.contains(“”)) { String relativePath (path.charAt(0) ‘/’ path.substring(1) : path); if (ResourceUtils.isUrl(relativePath) || relativePath.startsWith(“url:”)) { return true; } } return path.contains(“…”) StringUtils.cleanPath(path).contains(“…/”); } } 但还需要结合上下文继续构造payload。首先路径以斜杠开头时StringUtils.cleanPath()方法会去掉路径的第个斜杠。
if (pathToUse.startsWith(FOLDER_SEPARATOR)) {prefix prefix FOLDER_SEPARATOR;pathToUse pathToUse.substring(1);
}那就需要多写一条/“构造”///…/跳一级目录。
而在最初的org.springframework.web.servlet.function.PathResourceLookupFunction#apply()中对路径做了规范化处理即去掉连续的/
pathContainer this.pattern.extractPathWithinPattern(pathContainer);
String path processPath(pathContainer.value());所以需要将多余的/“变为”再借助StringUtils.cleanPath()方法重新转换回来。
normalizedPath replace(normalizedPath, WINDOWS_FOLDER_SEPARATOR, FOLDER_SEPARATOR);修复方案
目前官方已有可更新版本建议受影响用户升级至最新版本
https://github.com/spring-projects/spring-framework/tags
产品支持
网宿全站防护-WAF已支持对该漏洞利用攻击的防护并持续挖掘分析其他变种攻击方式和各类组件漏洞第一时间上线防护规则缩短防护“空窗期”。
