myhack58 | Anonymous (佚名) | MYHACK58:62201786956
Jun 12, 2017 - 12:00 a.m.

CVE-2017-4971: Spring WebFlow remote code execution vulnerability analysis-vulnerability warning-the black bar safety net

2017-06-12 00:00:00
Anonymous (佚名)
www.myhack58.com

CVSS3: 5.9 Medium
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: HIGH
  Availability Impact: NONE
  Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS2: 4.3 Medium
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.259 Low (Percentile 96.2%)

Spring has historically not had many severe vulnerabilities. The more serious earlier issue was Spring's automatic JavaBean binding, through which an attacker could control a class and, by abusing certain characteristics, execute arbitrary code; that vulnerability was rather impractical, however, because it could not be triggered every time.
As the Spring Framework grew, SpringEL was later introduced as the default expression parsing mechanism. Introducing something similar to OGNL expressions can bring security issues of its own, and this vulnerability is exactly that: an expression injection caused by a data-binding problem in Spring WebFlow, resulting in arbitrary code execution.
Vulnerability description
This vulnerability was submitted at the beginning of June to https://pivotal.io/security/cve-2017-4971. The official advisory gives no details, but by comparing the official description with the patch we can roughly infer the following: when Spring WebFlow binds data to a Model without explicitly specifying which properties of the model may be bound, malicious expressions submitted through a form get evaluated, resulting in arbitrary code execution. Besides the version restriction, exploitation has two pre-conditions: one is a default configuration, the other is a coding convention, and whether the vulnerability can be exploited successfully depends mainly on these two conditions.
Overall the vulnerability is still fairly harmful: if both pre-conditions are met, direct RCE is no problem. Some Spring WebFlow basics are needed before analyzing it; I recommend this article: https://www.ibm.com/developerworks/cn/education/java/j-spring-webflow/index.html
Vulnerability analysis
At first I was also unclear how this vulnerability is triggered. To understand it, it is best to read a Spring WebFlow tutorial and learn what a view-state is. I will not explain too many Spring WebFlow basics here; instead let's look directly at the patch, shown in the following figure:
![](/Article/UploadPic/2017-6/2017612192417597.png?www.myhack58.com)
We find that in the method addEmptyValueMapping(DefaultMapper mapper, String field, Object model) the expression parser implementation class was replaced so that BeanWrapperExpressionParser is used directly for resolution (more on this class later). Now that we know the function that triggers the vulnerability, we can use Eclipse or Spring Tools to trace its call stack, as follows:
![](/Article/UploadPic/2017-6/2017612192417269.png?www.myhack58.com)
From the call relationships we find that the following two functions call the addEmptyValueMapping method:
addDefaultMappings(DefaultMapper mapper, Set parameterNames, Object model)
addModelBindings(DefaultMapper mapper, Set parameterNames, Object model)
From these call relationships we can roughly work out Spring WebFlow's execution order and process: the FlowController decides which handler a request goes to, and that handler executes the specific flow. What matters here is that when a user request reaches view-state processing, the current event determines the next step of the flow, and if the view-state element in our configuration file specifies a data model, data binding is performed automatically. The XML structure is as follows (using the official sample book project as an example):
![](/Article/UploadPic/2017-6/2017612192417858.png?www.myhack58.com)
In short, this vulnerability occurs during data binding in the view-state node. Continuing to trace the call chain of the addEmptyValueMapping method in Eclipse, we find that the bind method indirectly calls addEmptyValueMapping:
![](/Article/UploadPic/2017-6/2017612192417651.png?www.myhack58.com)
Now we know that addEmptyValueMapping contains the expression execution point, so let's look at this function in detail, as in the following figure:
![](/Article/UploadPic/2017-6/2017612192417540.png?www.myhack58.com)
Here we can see that the vulnerability can be triggered only if the field parameter is controlled. The focus therefore becomes finding a point where we can control the field parameter and thereby achieve arbitrary code execution. With the goal clear, we go back to the two functions addDefaultMappings and addModelBindings: both call the defective function, so we look at how they differ and how each one determines the field parameter. The differences are as follows:
![](/Article/UploadPic/2017-6/2017612192417690.png?www.myhack58.com)
The most obvious difference is the loop for (Binding binding : binderConfiguration.getBindings()) in addModelBindings; this loop determines the value of the field parameter. Further analysis shows that the decisive factor controlling field there is the binderConfiguration variable. Tracing the source, the value of binderConfiguration comes from the binder node configured under view-state in webflow-*.xml, i.e., from the configuration file, so we cannot control it and this function cannot trigger the vulnerability. So we focus on addDefaultMappings, where we find the field parameter can be controlled, and look at how that function is reached.
We can now basically determine that addDefaultMappings is the critical point for triggering the vulnerability. As the figure above shows, the bind function calls these two functions, and addDefaultMappings is reached only when binderConfiguration is null; as already noted, that value is controlled by whether the configuration file contains a binder node. Note also that the pre-condition for execution reaching the bind method is whether the view-state node configures the model attribute, i.e., which JavaBean object is bound, and the parameterNames parameter of addDefaultMappings is the set of values we pass from the form. With this, the triggering process and conditions of the vulnerability are essentially clear; the trigger conditions are as follows:
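As an added illustration (not from the original article), the two pre-conditions expressed in a webflow definition, with assumed flow ids, bean class and property names: the first view-state sets a model but has no binder element, so binderConfiguration is null and addDefaultMappings builds mappings from whatever form field names are submitted; the second declares a binder, so binderConfiguration is non-null and only the listed properties are bound.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<flow xmlns="http://www.springframework.org/schema/webflow"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.springframework.org/schema/webflow
                          http://www.springframework.org/schema/webflow/spring-webflow-2.0.xsd">

    <!-- Assumed model object; the bean class name is a placeholder. -->
    <var name="booking" class="com.example.Booking" />

    <!-- Vulnerable pattern: model attribute set, no <binder> child.
         binderConfiguration stays null, so bind() falls through to
         addDefaultMappings(), which turns the submitted form field names
         themselves into mapping expressions. -->
    <view-state id="enterBookingDetailsUnsafe" model="booking">
        <transition on="proceed" to="reviewBooking" />
    </view-state>

    <!-- Hardened pattern: an explicit <binder> makes binderConfiguration
         non-null, so addModelBindings() is used and only the properties
         listed here are ever passed to addEmptyValueMapping(). This limits
         exposure; upgrading to a patched Spring WebFlow release is still
         the actual fix. -->
    <view-state id="enterBookingDetails" model="booking">
        <binder>
            <binding property="checkinDate" required="true" />
            <binding property="checkoutDate" required="true" />
        </binder>
        <transition on="proceed" to="reviewBooking" />
    </view-state>

    <end-state id="reviewBooking" />
</flow>
```

An audit of existing flows can start by listing every view-state that has a model attribute and no binder child, since that combination is exactly the default-configuration pre-condition described above.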
