Spring Cloud Config 路径穿越漏洞(CVE-2020-5405)深度分析与利用指南<\/h1>

漏洞概述<\/h2>

CVE-2020-5405是Spring Cloud Config中存在的一个路径穿越漏洞，允许攻击者通过精心构造的URL访问服务器上的任意文件。该漏洞影响以下版本：<\/p>

2.2.x系列至2.2.2版本<\/li>
2.1.x系列至2.1.7版本<\/li>

以及已停止更新的更早版本<\/li> <\/ul>

漏洞背景<\/h2>

Spring Cloud Config是一个为微服务架构提供集中化外部配置支持的组件，分为服务端和客户端两部分：<\/p>

服务端<\/strong>：分布式配置中心，连接配置服务器并为客户端提供获取配置信息的接口<\/li>

客户端<\/strong>：从指定配置中心获取和加载配置信息<\/li> <\/ul>
默认情况下，配置服务器使用git存储配置信息，便于版本管理和访问控制。<\/p>
漏洞复现<\/h2>
环境搭建<\/h3>

下载受影响版本(如2.1.5.RELEASE)：<\/p>
https:\/\/github.com\/spring-cloud\/spring-cloud-config\/archive\/v2.1.5.RELEASE.zip <\/code><\/pre> <\/li> 修改配置文件src\/main\/resources\/configserver.yml<\/code>：<\/p> info<\/span>: <\/span><\/span> component<\/span>: Config Server<\/span> <\/span><\/span>spring<\/span>: <\/span><\/span> application<\/span>: <\/span><\/span> name<\/span>: configserver<\/span> <\/span><\/span> autoconfigure.exclude<\/span>: org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration<\/span> <\/span><\/span> jmx<\/span>: <\/span><\/span> default_domain<\/span>: cloud.config.server<\/span> <\/span><\/span> profiles<\/span>: <\/span><\/span> active<\/span>: native<\/span> <\/span><\/span> cloud<\/span>: <\/span><\/span> config<\/span>: <\/span><\/span> server<\/span>: <\/span><\/span> native<\/span>: <\/span><\/span> search-locations<\/span>: <\/span><\/span> - file:\/\/\/Users\/rai4over\/Desktop\/spring-cloud-config-2.1.5\/config-repo<\/span> <\/span><\/span> <\/span><\/span>server<\/span>: <\/span><\/span> port<\/span>: 8888<\/span> <\/span><\/span>management<\/span>: <\/span><\/span> context_path<\/span>: \/admin<\/span> <\/span><\/span><\/code><\/pre><\/li> 运行org.springframework.cloud.config.server.ConfigServerApplication<\/code><\/p> <\/li> <\/ol> 漏洞利用POC<\/h3> 基本利用方式：<\/p> http:\/\/127.0.0.1:8888\/1\/1\/..(_)..(_)..(_)..(_)..(_)..(_)..(_)..(_)..(_)etc\/passwd <\/code><\/pre> URL编码变形：<\/p> http:\/\/127.0.0.1:8888\/1\/1\/..%28_%29..%28_%29..%28_%29..%28_%29..%28_%29..%28_%29..%28_%29..%28_%29etc\/passwd <\/code><\/pre> 漏洞分析<\/h2> 请求处理流程<\/h3> 请求路由到ResourceController#retrieve<\/code>方法，路径结构为\/{name}\/{profile}\/{label}\/{path}<\/code><\/p> name<\/code>: 仓库名称(解析为1)<\/li> profile<\/code>: 配置文件环境(解析为1)<\/li> label<\/code>: git分支名(解析为..(_)..(_)..(_)..(_)..(_)..(_)..(_)..(_)..(_)etc<\/code>)<\/li> path<\/code>: 文件路径(解析为passwd<\/code>)<\/li> <\/ul> <\/li> 关键处理函数：<\/p> resolveName<\/code>: 替换name中的(_)<\/code>，本例中name不变<\/li> resolveLabel<\/code>: 将..(_)<\/code>替换为..\/<\/code>，最终label变为..\/..\/..\/..\/..\/..\/..\/..\/..\/etc<\/code><\/li> <\/ul> <\/li> GenericResourceRepository#findOne<\/code>处理：<\/p> 获取配置的搜索路径(search-locations<\/code>)<\/li> 通过getProfilePaths<\/code>生成可能的文件路径集合<\/li> 进行安全检查(isInvalidPath<\/code>和isInvalidEncodedPath<\/code>)<\/li> <\/ul> <\/li> <\/ol> 安全绕过机制<\/h3> 漏洞核心在于：<\/p> 路径中的(_)<\/code>被替换为\/<\/code>，但安全检查未完全覆盖这种变形<\/li> 安全检查函数(isInvalidPath<\/code>和isInvalidEncodedPath<\/code>)主要检测： WEB-INF<\/code>和META-INF<\/code>路径<\/li> URL格式路径<\/li> 直接的..\/<\/code>路径遍历<\/li> <\/ul> <\/li> 但未检测..(_)<\/code>这种变形形式，导致可以绕过路径检查<\/li> <\/ol> 补丁分析<\/h2> 官方修复提交：<\/p> https:\/\/github.com\/spring-cloud\/spring-cloud-config\/commit\/651f458919c40ef9a5e93e7d76bf98575910fad0 <\/code><\/pre> 主要修复内容：<\/p> 在GenericResourceRepository<\/code>中新增isInvalidLocation<\/code>方法<\/li> 在findOne<\/code>函数中增加对..<\/code>的严格检测<\/li> 强化了路径规范化处理<\/li> <\/ol> 防御建议<\/h2> 升级到安全版本：<\/p> 2.2.x用户升级到2.2.3+<\/li> 2.1.x用户升级到2.1.8+<\/li> <\/ul> <\/li> 配置限制：<\/p> 严格限制search-locations<\/code>的目录范围<\/li> 避免使用高权限账户运行服务<\/li> <\/ul> <\/li> 网络层面：<\/p> 配置WAF规则拦截包含..(_)<\/code>的异常请求<\/li> 限制外部访问配置服务器的权限<\/li> <\/ul> <\/li> <\/ol> 参考资源<\/h2> 官方漏洞公告：<\/p> https:\/\/pivotal.io\/security\/cve-2020-5405 <\/code><\/pre> <\/li> Spring Cloud Config文档：<\/p> https:\/\/cloud.spring.io\/spring-cloud-static\/spring-cloud.html#_serving_plain_text <\/code><\/pre> <\/li> 相关技术分析：<\/p> http:\/\/www.lmxspace.com\/2019\/04\/26\/Spring-Cloud-Config-Server-%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E5%88%86%E6%9E%90\/ <\/code><\/pre> <\/li> 漏洞复现项目：<\/p> https:\/\/github.com\/DSO-Lab\/defvul\/tree\/master\/CVE-2020-5405_SpringCloudConfig <\/code><\/pre> <\/li> <\/ol>