CVE-2018-1273

https://github.com/vulhub/vulhub/tree/master/spring/CVE-2018-1273

https://sourcegraph.com/search?q=context:global+repo:%5Egithub%5C.com/spring-projects/spring-data-commons%24%402.0.6.RELEASE:%5E2.0.5.RELEASE+type:diff+spel&patternType=standard&sm=1&groupBy=path

https://sourcegraph.com/github.com/spring-projects/spring-data-commons/-/commit/ae1dd2741ce06d44a0966ecbd6f47beabde2b653?visible=1

概述

Spring Data Commons 远程命令执行漏洞（CVE-2018-1273）

Spring Data是一个用于简化数据库访问，并支持云服务的开源框架，Spring Data Commons是Spring Data下所有子项目共享的基础框架。Spring Data Commons 在2.0.5及以前版本中，存在一处SpEL表达式注入漏洞，攻击者可以注入恶意SpEL表达式以执行任意命令。

影响版本：

Spring Data Commons 1.13 - 1.13.10 (Ingalls SR10)

Spring Data REST 2.6 - 2.6.10 (Ingalls SR10)

Spring Data Commons 2.0 to 2.0.5 (Kay SR5)

Spring Data REST 3.0 - 3.0.5 (Kay SR5)

分析

搜索SpelExpressionParser可以定位到org.springframework.data.web.MapDataBinder.MapPropertyAccessor#setPropertyValue，但是无法往上追路径。

        @Override
        public void setPropertyValue(String propertyName, @Nullable Object value) throws BeansException {

            if (!isWritableProperty(propertyName)) {
                throw new NotWritablePropertyException(type, propertyName);
            }

            StandardEvaluationContext context = new StandardEvaluationContext();
            context.addPropertyAccessor(new PropertyTraversingMapAccessor(type, conversionService));
            context.setTypeConverter(new StandardTypeConverter(conversionService));
            context.setTypeLocator(typeName -> {
                throw new SpelEvaluationException(SpelMessage.TYPE_NOT_FOUND, typeName);
            });
            context.setRootObject(map);

            Expression expression = PARSER.parseExpression(propertyName);

            PropertyPath leafProperty = getPropertyPath(propertyName).getLeafProperty();
            TypeInformation<?> owningType = leafProperty.getOwningType();
            TypeInformation<?> propertyType = leafProperty.getTypeInformation();

            propertyType = propertyName.endsWith("]") ? propertyType.getActualType() : propertyType;

            if (propertyType != null && conversionRequired(value, propertyType.getType())) {

                PropertyDescriptor descriptor = BeanUtils.getPropertyDescriptor(owningType.getType(),
                        leafProperty.getSegment());

                if (descriptor == null) {
                    throw new IllegalStateException(String.format("Couldn't find PropertyDescriptor for %s on %s!",
                            leafProperty.getSegment(), owningType.getType()));
                }

                MethodParameter methodParameter = new MethodParameter(descriptor.getReadMethod(), -1);
                TypeDescriptor typeDescriptor = TypeDescriptor.nested(methodParameter, 0);

                if (typeDescriptor == null) {
                    throw new IllegalStateException(
                            String.format("Couldn't obtain type descriptor for method parameter %s!", methodParameter));
                }

                value = conversionService.convert(value, TypeDescriptor.forObject(value), typeDescriptor);
            }

            try {
                expression.setValue(context, value);
            } catch (SpelEvaluationException o_O) {
                throw new NotWritablePropertyException(type, propertyName, "Could not write property!", o_O);
            }
        }

修复分析

修复实际上就是将StandardEvaluationContext变成SimpleEvaluationContext。