
CVE-2016-1000027 PoC — VMware Spring Framework Code Problem Vulnerability

Source

Associated Vulnerability

Title: VMware Spring Framework Code Problem Vulnerability (CVE-2016-1000027)

Description: Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

Description: PoC for CVE-2016-1000027

Readme
# PoC for CVE-2016-1000027

This is a demo Spring Boot application that is affected by [CVE-2016-1000027](https://nvd.nist.gov/vuln/detail/CVE-2016-1000027).

# Steps to reproduce the vulnerability

1. Start a vulnerable server `com.gypsyengineer.server.Server`.
2. Run `com.gypsyengineer.client.Exploit`.

The [`Exploit`](client/src/main/java/com/gypsyengineer/client/Exploit.java) class reads `payload.bin` and sends it to the vulnerable server.
`payload.bin` contains a payload generated by [ysoserial](https://github.com/frohoff/ysoserial).
The current `payload.bin` is `CommonsCollections5` that runs `gedit`:

```
java -jar target/ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections5 gedit > payload.bin
```

# How to fix an application that is affected by CVE-2016-1000027

The issue has not been fixed in Spring Framework. See https://github.com/spring-projects/spring-framework/issues/24434.

Here is what can be done on the application side.

1. The best way is to stop using the `HttpInvokerServiceExporter` and `RemoteInvocationSerializingExporter` classes.
   They are already deprecated and will likely be removed in future versions of Spring Framework.
2. Do not accept untrusted data in the endpoints that are based on these vulnerable classes.
3. Use the serialization filters that were introduced by JEP 290.

# Links

1.  [[R2] Pivotal Spring Framework HttpInvokerServiceExporter readRemoteInvocation Method Untrusted Java Deserialization](https://www.tenable.com/security/research/tra-2016-20)
1.  [OWASP: Deserialization of untrusted data](https://owasp.org/www-community/vulnerabilities/Deserialization_of_untrusted_data)
1.  The application is based on [this](https://github.com/eugenp/tutorials/tree/master/spring-remoting/remoting-http).