This is a demo Spring Boot application that is affected by CVE-2016-1000027 (remote code execution through Java deserialization of untrusted data in Spring's HTTP Invoker remoting: the `HttpInvokerServiceExporter` endpoint deserializes whatever the client posts).
- Start the vulnerable server: `com.gypsyengineer.server.Server`.
- Run the exploit client: `com.gypsyengineer.client.Exploit`.
The `Exploit` class reads `payload.bin` and sends it to the vulnerable server. `payload.bin` contains a payload generated by ysoserial. The current `payload.bin` is a CommonsCollections5 chain that runs `gedit` on the server:

```
java -jar target/ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections5 gedit > payload.bin
```

`gedit` needs a display, so on a headless box a command such as `touch /tmp/pwned` is an easier way to confirm that the chain executed.
The issue has not been fixed in Spring Framework; see spring-projects/spring-framework#24434. Here is what can be done on the application side:

- The best option is to stop using the `HttpInvokerServiceExporter` and `RemoteInvocationSerializingExporter` classes. They are deprecated (since Spring Framework 5.3) and were removed in Spring Framework 6.0.
- Do not accept untrusted data at endpoints that are based on these classes: the exporter calls `ObjectInputStream.readObject()` on the request body, so anyone who can reach the endpoint can supply a gadget chain.
- Use the serialization filters introduced by JEP 290 (`ObjectInputFilter`, Java 9+), as an allow-list of the classes the endpoint legitimately needs rather than a deny-list of known gadgets.
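The following is an added example of the JEP 290 mitigation applied to this exporter; it is not part of the demo repository. It overrides `createObjectInputStream` (the hook Spring's `RemoteInvocationSerializingExporter` uses to build the stream that reads the `RemoteInvocation`) and attaches an allow-list filter before any object is read. The package pattern `com.gypsyengineer.**` is an assumption about where the service's own argument types live; adjust it to the real DTO package. The `main` method is a local self-check that needs no running server: it serializes a benign list and a `javax.management.BadAttributeValueExpException` (the top-level object of ysoserial's CommonsCollections5 chain, constructed locally here rather than taken from `payload.bin`) and shows that only the first one gets through.

```java
package com.gypsyengineer.server;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;

import javax.management.BadAttributeValueExpException;

import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;

/**
 * HttpInvokerServiceExporter that applies a JEP 290 allow-list before the
 * RemoteInvocation is deserialized. Requires Java 9 or later.
 * Added example, not code from the original demo.
 */
public class FilteredHttpInvokerServiceExporter extends HttpInvokerServiceExporter {

    // Allow-list: the envelope Spring needs, the application's own types
    // (com.gypsyengineer.** is an assumption about where the service's DTOs live)
    // and the JDK packages a plain RemoteInvocation touches (String, Class, Object[],
    // the attributes Map). The trailing "!*" rejects every other class, so the
    // commons-collections transformers and BadAttributeValueExpException never get loaded.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=20;maxarray=1000;"
            + "org.springframework.remoting.support.RemoteInvocation;"
            + "com.gypsyengineer.**;"
            + "java.lang.*;java.util.*;"
            + "!*");

    /** Spring calls this to build the stream that reads the request body; the filter is attached here. */
    @Override
    protected ObjectInputStream createObjectInputStream(InputStream is) throws IOException {
        ObjectInputStream ois = super.createObjectInputStream(is);
        // Must be set before the first readObject(), otherwise setObjectInputFilter throws.
        ois.setObjectInputFilter(FILTER);
        return ois;
    }

    /** Deserializes bytes under the same filter; throws InvalidClassException on a rejected class. */
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Self-check without a running server: a benign list passes, the CommonsCollections5 entry class does not. */
    public static void main(String[] args) throws Exception {
        List<String> benign = new ArrayList<>(List.of("hello"));
        System.out.println("benign object accepted: " + readFiltered(serialize(benign)));

        // BadAttributeValueExpException is the first object on the wire in ysoserial's
        // CommonsCollections5 chain; it is constructed locally here, not read from payload.bin.
        byte[] gadgetEntry = serialize(new BadAttributeValueExpException("x"));
        try {
            readFiltered(gadgetEntry);
            System.out.println("UNEXPECTED: gadget entry class accepted");
        } catch (InvalidClassException e) {
            System.out.println("gadget entry class rejected: " + e.getMessage());
        }
    }
}
```

Register `FilteredHttpInvokerServiceExporter` in place of `HttpInvokerServiceExporter` in the bean definition. The filter is checked when each class descriptor is resolved, so a rejected class is never loaded and its `readObject` never runs, which is what stops the chain. The same allow-list can instead be applied to every `ObjectInputStream` in the JVM with `-Djdk.serialFilter=...`, which is the safer default when other deserialization entry points may exist. Filtering is a mitigation for an endpoint you cannot remove yet; it is not a reason to keep exposing the exporter to untrusted clients.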