Java Web Expression Injection

Source: Internet
Author: User
Tags: cve

Original: http://netsecurity.51cto.com/art/201407/444548.htm

0x00 Introduction

On June 18, 2014, @The ultimate practitioner published the following microblog:

The link pointed to a Jenkins service that could be attacked without a password. The attack technique itself is interesting, but the important point is that Jenkins provides a script console feature that executes the Groovy scripting language. Let's look at Wikipedia's description of this language:

Groovy is an object-oriented programming language designed for the Java platform. This dynamic language has features similar to those of Python, Ruby, and Smalltalk, and can be used as a scripting language for the Java platform.

Groovy's syntax is very similar to Java's, so most Java code is also correct Groovy code. Groovy code is dynamically compiled to Java bytecode. Because it runs on the JVM, Groovy can use libraries written in other Java languages.

Coincidentally, I had been studying Groovy for some time, because expression injection was the attack direction I was paying attention to. The language is simple and powerful: a system command can be executed directly from a string. Here is a demo (Groovy):

    class Demo {
        static void main(args) {
            def cmd = "calc"
            // calling execute() on a String runs that string as an OS command
            println "${cmd.execute()}"
        }
    }

If you look at Jenkins alone, you may just consider this an interesting attack technique. But if we think back to some earlier vulnerabilities, we can see that there is a connection between them:

May 2014: CVE-2014-3120, Elasticsearch remote code execution vulnerability

May, June and July 2013: Struts2 remote command execution vulnerabilities caused by multiple OGNL issues

December 2012: foreign researcher @danamodio published the article "Remote-code-with-expression-language-injection"

The chain of these events led me to write this article and introduce this new attack method to you (new in name only; it has actually existed for a long time). Like SQL injection, code execution and command execution, we may have to deal with it for a long period.

Its name is Java Web Expression Language Injection.

0x01 Expression Injection Overview

The Expression Language Injection entry was created on OWASP on April 15, 2013, and the earliest appearance of the term dates back to the December 2012 paper Remote-code-with-expression-language-injection, where the name was first used.

During this period we have been responding to this new kind of vulnerability, but we have only called it a remote code execution vulnerability, a remote command execution vulnerability, or a context manipulation vulnerability, as with the Struts2 S2-003, S2-009 and S2-016 command execution vulnerabilities caused by OGNL expressions.

As expression languages are used more and more widely, their attack surface also expands, so we feel it is necessary to start researching this type of vulnerability; Expression Language Injection may even become as common as SQL injection in the future.

Both OWASP's definition of expression injection, which derives from Remote-code-with-expression-language-injection, and the expression injection discussed in that paper and in this article currently exist only in Java web services. In future web development, expressions may also appear in other web stacks, so for the sake of precision we call this Java Web Expression Language Injection.

Vulnerabilities of this form have typically been very powerful; the most typical example is the Struts2 OGNL series. Their cause is generally one of two things: feature abuse or insufficient filtering. Representative examples are Struts2 S2-016 (feature abuse) and S2-009 (lax filtering).

0x02 Some popular expression languages

We did a Java web research project last year, with some in-depth study of Java web frameworks and programs, and we also accumulated some material on Java Web Expression Injection (hereafter JWEI). In this section I think it is necessary to introduce that material to you, to make future research easier to begin.

Below I will use the simplest language possible to introduce several popular expression languages, their basic (attack-relevant) usage, and the vulnerabilities they have caused.

Struts2 -- OGNL

The well-deserved "king of vulnerabilities", and the only expression language that both sides have come to understand thoroughly enough.

Basic usage:

    import com.opensymphony.xwork2.ActionContext;
    import java.util.Map;

    ActionContext ac = ActionContext.getContext();
    Map parameters = (Map) ac.getParameters();
    // the expression is evaluated against the value stack, so it can construct arbitrary Java objects
    String expression = "${(new java.lang.ProcessBuilder('calc')).start()}";
    ac.getValueStack().findValue(expression);

Related vulnerability:

S2-009, S2-012, S2-013, S2-014, S2-015, S2-016, S2-017

Spring -- SpEL

SpEL is the Spring EL; as the name suggests, it is the expression language specific to the Spring framework. Compared with the other expression languages its use is relatively narrow, but since the Spring framework itself is used so broadly, it is worth studying. There is also a Spring command execution vulnerability that left the person who found it banging their head against the wall without finding a way out, which I had to solve with SpEL; you can guess which vulnerability it is ^_^.

Basic usage:

    import org.springframework.expression.ExpressionParser;
    import org.springframework.expression.spel.standard.SpelExpressionParser;

    ExpressionParser parser = new SpelExpressionParser();
    // T(...) is a SpEL type reference, giving access to static methods of any class
    String expression = "T(java.lang.Runtime).getRuntime().exec(\"calc\")";
    String result = parser.parseExpression(expression).getValue().toString();

Related vulnerability:

No public vulnerability.
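The article names "splicing problems" (user input concatenated into the expression text) as the usual root cause. The following added example, which is not from the original article, shows that cause with SpEL and the fix beside it: the user value is bound as a variable instead of spliced into the source, and the expression is evaluated under Spring's `SimpleEvaluationContext`, which refuses `T()` type references, constructors and bean references. The `Order` class, the method names and the sample inputs are constructed for the demo; `SimpleEvaluationContext` and `StandardEvaluationContext` are Spring's own (spring-expression 4.3.15 / 5.0.5 or later).

```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

/** Hypothetical demo (not the article's code): spliced vs. data-bound SpEL evaluation. */
public class SpelSplicingDemo {

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    /** Constructed model object that the template legitimately reads. */
    public static class Order {
        private final String customer;
        private final int total;
        public Order(String customer, int total) { this.customer = customer; this.total = total; }
        public String getCustomer() { return customer; }
        public int getTotal() { return total; }
    }

    /**
     * VULNERABLE: the request parameter is concatenated into the expression source,
     * so the parser treats it as code. StandardEvaluationContext allows T() type
     * references, constructors and static method calls on any class.
     */
    public static String vulnerableRender(Order order, String fieldFromRequest) {
        String source = "'Order for ' + " + fieldFromRequest;
        Expression expr = PARSER.parseExpression(source);
        return expr.getValue(new StandardEvaluationContext(order), String.class);
    }

    /**
     * HARDENED: the expression text is a constant; the request value enters only as
     * the #field variable (data, never code). SimpleEvaluationContext permits only
     * read-only property access and rejects T(), constructors and bean references.
     */
    public static String hardenedRender(Order order, String fieldFromRequest) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        ctx.setVariable("field", fieldFromRequest);
        // the request value may only select an allowlisted property; anything else falls through
        Expression expr = PARSER.parseExpression(
            "'Order for ' + (#field == 'customer' ? customer : 'unknown field')");
        return expr.getValue(ctx, order, String.class);
    }

    public static void main(String[] args) {
        Order order = new Order("alice", 42);
        String benign = "customer";
        // harmless stand-in for the Runtime payload shown in the article: a T() reference
        // that resolves a JDK class and calls a static method
        String hostile = "T(java.lang.Math).max(1, 2)";

        System.out.println(vulnerableRender(order, benign));   // Order for alice
        System.out.println(vulnerableRender(order, hostile));  // Order for 2   <- input ran as code
        System.out.println(hardenedRender(order, benign));     // Order for alice
        System.out.println(hardenedRender(order, hostile));    // Order for unknown field <- input stayed data

        // Even a T() reference written directly into the expression text is refused
        // by SimpleEvaluationContext, which is the second layer of the fix.
        try {
            PARSER.parseExpression(hostile).getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build());
        } catch (SpelEvaluationException e) {
            System.out.println("rejected by SimpleEvaluationContext: " + e.getMessage());
        }
    }
}
```

The two layers are independent: binding the value as `#field` removes the splicing problem, and the restricted context limits what an expression can reach even if a developer later splices input again. Code that still needs `StandardEvaluationContext` (for example, to call methods) should never build its expression text from request data.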

JSP -- JSTL EL

This expression language comes with JSP itself, which means every Java web server must support it. However, because implementations differ, some vulnerabilities can be exploited successfully on some Java web servers and not on others.

For example, the issue described in the article "Remote-code-with-expression-language-injection" can be reproduced in GlassFish and Resin environments, but there is no way to achieve it in a Tomcat environment.

JSTL EL also deserves attention because version 2.0 appeared; to meet demand, this version added many more powerful features on top of the original functionality.

It is not hard to see from this that, as time goes on, the demand for expression languages to provide more powerful functionality keeps growing, and the mainstream expression languages keep expanding to provide it. After the expansion, some things that were originally not problems become problems.

Basic usage:

    <%-- the EL reflection chain reaches Runtime without any direct type reference --%>
    <spring:message text="${''.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null).invoke(null, null).exec('calc', null).toString()}">
    </spring:message>

Related vulnerability:

CVE-2011-2730

Elasticsearch -- MVEL

First of all, thanks to the Elasticsearch vulnerability CVE-2014-3120: while tracking it I began to see the value of Java web expression research and decided to study this direction in depth.

MVEL, like OGNL and SpEL, has the power to execute Java code from an expression.

Basic usage:

    import org.mvel.MVEL;
    import java.util.HashMap;
    import java.util.Map;

    public class MvelTest {
        public static void main(String[] args) {
            Map<String, Object> vars = new HashMap<>();  // variable bindings visible to the expression
            String expression = "new java.lang.ProcessBuilder(\"calc\").start();";
            // MVEL.eval returns the expression's value; here a java.lang.Process, not a Boolean
            Object result = MVEL.eval(expression, vars);
        }
    }

Related vulnerability:

CVE-2014-3120

0x03 Summary

In future research on expression languages, I plan to treat them the same way as SQL syntax. From the analysis of expression languages above, JWEI attacks are similar to SQL injection attacks.

Platform styles vary, but the basic grammar is similar, and in most cases the attack results from splicing problems or from the user directly controlling the expression. In our future research, we will therefore treat Java web expression languages as one research direction.

In researching JWEI vulnerabilities, we will study how programmers use expression languages in their code. The concrete method will be to read the framework code corresponding to each expression language and try to find patterns and habits in it. Finally, we will summarize methods for discovering and exploiting expression injection vulnerabilities.
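The summary compares JWEI to SQL injection, and the comparison carries over to detection: the payload shapes shown in the sections above (`${...}` / `%{...}` delimiters, SpEL `T(...)` type references, OGNL `@java.lang.X@` static access, the `getClass().forName` reflection chain, `Runtime` / `ProcessBuilder`) are as recognizable in request logs as SQL keywords are. The following added detector is not from the original article; it scans constructed query strings, decoding each value step by step so that double-encoded payloads and raw `%{` (which `URLDecoder` rejects) are both seen. The class name, the indicator list and the sample requests are my own assumptions.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical detector (not from the article): flags request parameters whose value looks like an expression. */
public class ExpressionInjectionDetector {

    /** Indicator patterns derived from the payload shapes the article shows. */
    private static final Pattern[] INDICATORS = {
        Pattern.compile("[$#%]\\{"),                                  // ${ } (JSP EL, OGNL), #{ } (SpEL templates), %{ } (OGNL)
        Pattern.compile("\\bT\\(\\s*java\\."),                         // SpEL type reference T(java.lang...)
        Pattern.compile("@java\\.lang\\.\\w+@"),                       // OGNL static access @java.lang.Runtime@getRuntime()
        Pattern.compile("\\.getClass\\(\\)\\s*\\.forName\\("),          // reflection chain from the JSTL EL payload
        Pattern.compile("java\\.lang\\.(Runtime|ProcessBuilder)\\b"),  // process-spawning classes named in SpEL/MVEL payloads
    };

    public static final class Finding {
        public final String parameter;
        public final String decodedValue;
        public final Set<String> matchedIndicators;

        Finding(String parameter, String decodedValue, Set<String> matchedIndicators) {
            this.parameter = parameter;
            this.decodedValue = decodedValue;
            this.matchedIndicators = matchedIndicators;
        }

        @Override public String toString() {
            return parameter + " => " + decodedValue + " " + matchedIndicators;
        }
    }

    /**
     * Returns every decoding stage of a value: the raw string, then each successive
     * URL-decode until it stops changing or fails. Scanning all stages catches
     * double-encoded payloads; keeping the raw stage catches a literal "%{", which
     * URLDecoder rejects as a malformed escape.
     */
    static List<String> decodeStages(String raw) {
        List<String> stages = new ArrayList<>();
        String current = raw;
        stages.add(current);
        for (int i = 0; i < 3; i++) {
            String next;
            try {
                next = URLDecoder.decode(current, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                break;  // malformed %xx sequence: nothing further to decode
            }
            if (next.equals(current)) break;
            stages.add(next);
            current = next;
        }
        return stages;
    }

    /** Scans one name=value pair; returns null when no indicator matches at any stage. */
    static Finding scanParameter(String name, String rawValue) {
        Set<String> matched = new LinkedHashSet<>();
        String lastStage = rawValue;
        for (String stage : decodeStages(rawValue)) {
            lastStage = stage;
            for (Pattern p : INDICATORS) {
                if (p.matcher(stage).find()) matched.add(p.pattern());
            }
        }
        return matched.isEmpty() ? null : new Finding(name, lastStage, matched);
    }

    /** Splits a query string (or a form body in the same format) and scans every parameter. */
    public static List<Finding> scanQueryString(String query) {
        List<Finding> findings = new ArrayList<>();
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            Finding f = scanParameter(name, value);
            if (f != null) findings.add(f);
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample requests, not real traffic: a benign request, a SpEL-style
        // payload URL-encoded once, and an OGNL-style "%{...}" payload encoded twice.
        List<String> requests = Arrays.asList(
            "name=alice&page=2",
            "name=%24%7BT(java.lang.Runtime).getRuntime()%7D",
            "redirect=%25%7B%23a%3D1%7D");
        for (String q : requests) {
            List<Finding> findings = scanQueryString(q);
            System.out.println(q + " -> " + (findings.isEmpty() ? "clean" : findings));
        }
    }
}
```

The first request is reported clean, the second matches the delimiter, `T(java.` and `java.lang.Runtime` indicators after one decode, and the third matches the `%{` delimiter after one decode and stops there because the second decode fails. As with SQL injection signatures, this is a triage aid for logs and a WAF, not a substitute for the fix: expression text built from request data has to go.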

0x04 Extensions

While studying expression languages and looking back through earlier Java web material, I also found some smaller Java web vulnerability details. They may not be as generic as expression languages, but they are potential Java web vulnerabilities that cannot be ignored.

Code execution via deserialization

Serialization is a Java feature often used in web services to transmit information, and it can allow an attacker to carry out an attack by passing malicious serialized content. Typical vulnerabilities are Spring CVE-2011-2894 and JBoss CVE-2010-0738.

Triggering command execution via Java reflection

Reflection is a major Java feature; if the behaviour of objects is not strictly restricted during development, a user may use the reflection mechanism to trigger command execution by manipulating controllable objects. The typical vulnerability is CVE-2014-0112.

Code execution via framework features

This form of attack is based on specific framework features, and since frameworks implement their functionality very differently, such attacks are highly customized. Still, frameworks share some commonalities, such as the implementation and invocation of custom tag libraries, which are all very similar. A typical vulnerability is CVE-2010-1622.
