new keyword followed by an ASCII space, T (Spring Expression Language type references) and @ (SpEL bean references in some code paths). However, the check only looked for the ASCII space character (0x20), while SpEL's parser also accepts tab (0x09), newline (0x0A), and other control characters between new and the class name.

Another policy blocked classes whose names start with java.* from being used inside T() type references, but did not block types from org.springframework.*, ognl.*, or javax.*.

“Since typical Spring applications have spring-core on the classpath, classes like org.springframework.core.io.FileSystemResource were freely constructable, and that class can create arbitrary files on disk,” the researchers said.

As such, Endor Labs was able to easily build a proof-of-concept exploit by combining the two: using a tab character after new and calling the org.springframework.core.io.FileSystemResource class to create a file on disk.

“With the right class, an attacker can escalate from file creation to full remote code execution, for example, instantiating a ProcessBuilder wrapper from a third-party library, or leveraging Spring’s own GenericApplicationContext to register and invoke arbitrary beans,” the researchers explained.

Vulnerabilities in the Java Spring Framework itself have been exploited in the past to compromise web servers, so it’s likely that an easy-to-exploit flaw such as this one will be quickly adopted by attackers.
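The two policy weaknesses described above (matching only the 0x20 space after new, and denying java.* instead of allowlisting vetted types) are easy to reproduce as a pair of expression pre-checks. The following is an added, constructed illustration written for this page; it is not Thymeleaf's or Endor Labs' code and does not call either project's API. It models the weak policy beside a hardened one and audits a set of constructed sample expressions to show which ones the weak policy lets through. The allowlist contents and the org.example.Unvetted type name are hypothetical placeholders.

```python
import re

# Weak pre-check, modelled on the flaw the article describes (constructed, not
# Thymeleaf's own code): only an ASCII space after `new` is recognised, and only
# `java.*` is denied inside T() type references.
WEAK_NEW = re.compile(r"\bnew ")                              # 0x20 only
T_REF = re.compile(r"\bT\s*\(\s*([A-Za-z_][\w.$]*)\s*\)")     # T(fully.qualified.Name)
DENY_PREFIXES = ("java.",)

# Hardened pre-check: any Unicode whitespace or C0 control character after
# `new` counts as a separator, and T() references must match an explicit
# allowlist of vetted types (the list below is a hypothetical placeholder).
HARD_NEW = re.compile(r"\bnew[\s\x00-\x1f]+")
ALLOW_TYPES = ("java.lang.Math", "java.util.Objects")


def weak_reject(expr: str) -> bool:
    """True if the space-only / java.*-denylist policy would block expr."""
    if WEAK_NEW.search(expr):
        return True
    for m in T_REF.finditer(expr):
        if m.group(1).startswith(DENY_PREFIXES):
            return True
    return False


def hardened_reject(expr: str) -> bool:
    """True if the whitespace-class / allowlist policy would block expr."""
    if HARD_NEW.search(expr):
        return True
    for m in T_REF.finditer(expr):
        if m.group(1) not in ALLOW_TYPES:
            return True
    return False


def gaps(exprs):
    """Expressions the weak policy passes but the hardened policy blocks."""
    return [e for e in exprs if not weak_reject(e) and hardened_reject(e)]


# Constructed sample expressions for the audit (not the researchers' PoC).
SAMPLES = [
    "new java.lang.StringBuilder()",        # ASCII space: both policies block
    "new\tjava.lang.StringBuilder()",       # tab (0x09): weak policy misses it
    "new\njava.lang.StringBuilder()",       # newline (0x0A): weak policy misses it
    "new\x0bjava.lang.StringBuilder()",     # vertical tab (0x0B): weak policy misses it
    "T(java.lang.Runtime)",                 # java.* reference: both policies block
    "T(org.example.Unvetted)",              # non-java.* placeholder: weak policy misses it
    "T(java.lang.Math).max(1, 2)",          # allowlisted type: hardened policy permits it
    "#vars.title",                          # plain variable access: both policies permit it
]

if __name__ == "__main__":
    for e in SAMPLES:
        w = "BLOCK" if weak_reject(e) else "pass "
        h = "BLOCK" if hardened_reject(e) else "pass "
        print(f"{e!r:40} weak={w} hardened={h}")
    print("missed by weak policy:", gaps(SAMPLES))
```

Running the audit shows four expressions the weak policy passes and the hardened one blocks: the three non-space separators after new and the non-java.* type reference. It also shows the other side of a prefix denylist: T(java.lang.Math) is blocked by the weak policy although it is harmless, while the allowlist permits it, which is why an allowlist of vetted types is both safer and less disruptive than a package-prefix denylist. None of this replaces upgrading to the fixed Thymeleaf release; it only illustrates how to test an expression sandbox's pre-checks against the separator and package-prefix cases the article describes.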
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4160520/critical-sandbox-bypass-fixed-in-popular-thymeleaf-java-template-engine.html