From 67626424dd664cc78b8a1033e20f31320eff8cad Mon Sep 17 00:00:00 2001
From: wq_Ji
Date: Mon, 20 Mar 2023 17:12:34 +0800
Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2022-31692?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 cve/java-spring/2022/CVE-2022-31692/README.md | 50 +++++++++++++++++++
 .../Cve202231692DemoApplication.java | 13 +++++
 .../poc/springauthbypass/SecurityConfig.java | 40 +++++++++++++++
 .../poc/springauthbypass/WebController.java | 23 +++++++++
 .../src/main/resources/application.properties | 3 ++
 .../main/resources/templates/adminpage.html | 5 ++
 .../src/main/resources/templates/index.html | 9 ++++
 .../Cve202231692PocApplicationTests.java | 13 +++++
 cve/java-spring/2022/yaml/CVE-2022-31692.yaml | 24 +++++++++
 openkylin_list.yaml | 1 +
 10 files changed, 181 insertions(+)
 create mode 100644 cve/java-spring/2022/CVE-2022-31692/README.md
 create mode 100644 cve/java-spring/2022/CVE-2022-31692/src/main/java/com/spindlesec/poc/springauthbypass/Cve202231692DemoApplication.java
 create mode 100644 cve/java-spring/2022/CVE-2022-31692/src/main/java/com/spindlesec/poc/springauthbypass/SecurityConfig.java
 create mode 100644 cve/java-spring/2022/CVE-2022-31692/src/main/java/com/spindlesec/poc/springauthbypass/WebController.java
 create mode 100644 cve/java-spring/2022/CVE-2022-31692/src/main/resources/application.properties
 create mode 100644 cve/java-spring/2022/CVE-2022-31692/src/main/resources/templates/adminpage.html
 create mode 100644 cve/java-spring/2022/CVE-2022-31692/src/main/resources/templates/index.html
 create mode 100644 cve/java-spring/2022/CVE-2022-31692/src/test/java/com/spindlesec/poc/springauthbypass/Cve202231692PocApplicationTests.java
 create mode 100644 cve/java-spring/2022/yaml/CVE-2022-31692.yaml
diff --git a/cve/java-spring/2022/CVE-2022-31692/README.md b/cve/java-spring/2022/CVE-2022-31692/README.md
new file mode 100644
index 00000000..8483b57e
--- /dev/null
+++ b/cve/java-spring/2022/CVE-2022-31692/README.md 
@@ -0,0 +1,50 @@
+# CVE-2022-31692 Demo
+
+## Overview
+A simple Spring Boot application demonstrating configuration that is vulnerable to [CVE-2022-31692](https://tanzu.vmware.com/security/cve-2022-31692).
+
+This vulnerability may attract attention due to its severity - it has a CVSS 3.x base score of 9.8 as it allows authentication bypass.
+The purpose of this project is to demonstrate the conditions described in the advisory, which lead to the vulnerability being applicable.
+- The application expects that Spring Security applies security to forward and include dispatcher types.
+- The application uses the `AuthorizationFilter` either manually or via the `authorizeHttpRequests()` method.
+- The application configures the `FilterChainProxy` to apply to forward and/or include requests (e.g. `spring.security.filter.dispatcher-types = request, error, async, forward, include`).
+- The application may forward or include the request to a higher privilege-secured endpoint.
+- The application configures Spring Security to apply to every dispatcher type via `authorizeHttpRequests().shouldFilterAllDispatcherTypes(true)`
+
+For reference, I'm pretty sure [this](https://github.com/spring-projects/spring-security/commit/1f481aafff14f324ffe2b43a973d3d5f54ae92d4) is the commit
+that addresses the vulnerability.
+
+## Demonstration
+The application has three URLs:
+1. `/` The index page
+2. `/admin` An admin page, which requires the user to provide Basic auth (creds "user"/"pass") and be assigned the ROLE_ADMIN role
+3. `/forward` A server-side forward to the admin page
+
+Access controls are specified via authorizeHttpRequests() in the SecurityConfig class.
+
+ .authorizeHttpRequests((authz) -> authz
+ .antMatchers("/").permitAll()
+ .antMatchers("/forward").permitAll()
+ .antMatchers("/admin").hasAuthority("ROLE_ADMIN")
+ .shouldFilterAllDispatcherTypes(true)
+ )
+
+### Expected behaviours
+
+1. User accesses `/` and is not authenticated (thanks to `permitAll()`)
+
+2. 
User accesses `/admin` . They don't provide authentication, and the request is rejected (401 Not authorized).
+
+3. User accesses `/admin` . They provide valid authentication, but the request is still rejected (403 Unauthorised)
+because they do not have the required role `.hasAuthority("ROLE_ADMIN")`.
+
+4. User accesses `/forward`. Their requests passes through the security filter chain for GET /forward, which passes
+as valid (thanks to `permitAll()`). The controller processes the request, and returns `forward:/admin` to the Dispatcher.
+As instructed by the `spring.security.filter.dispatcher-types` and `.shouldFilterAllDispatcherTypes(true)` settings,
+this is a FORWARD type, so should be passed through the filter chain again. This second pass through the filter results
+in the request being rejected (again, thanks to `hasAuthority("ROLE_ADMIN")`).
+
+### Actual behaviour
+User accesses `/forward`, the request is passed through the filter chain once, and passes as valid. The forward is
+processed, but instead of being passed through the chain again, it is just passed as valid, and the admin page is
+returned.
diff --git a/cve/java-spring/2022/CVE-2022-31692/src/main/java/com/spindlesec/poc/springauthbypass/Cve202231692DemoApplication.java b/cve/java-spring/2022/CVE-2022-31692/src/main/java/com/spindlesec/poc/springauthbypass/Cve202231692DemoApplication.java
new file mode 100644
index 00000000..dbe37744
--- /dev/null
+++ b/cve/java-spring/2022/CVE-2022-31692/src/main/java/com/spindlesec/poc/springauthbypass/Cve202231692DemoApplication.java
@@ -0,0 +1,13 @@
+package com.spindlesec.poc.springauthbypass;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class Cve202231692DemoApplication {
+
+ public static void main(String[] args) {
+ SpringApplication.run(Cve202231692DemoApplication.class, args);
+ }
+
+}
diff --git a/cve/java-spring/2022/CVE-2022-31692/src/main/java/com/spindlesec/poc/springauthbypass/SecurityConfig.java b/cve/java-spring/2022/CVE-2022-31692/src/main/java/com/spindlesec/poc/springauthbypass/SecurityConfig.java
new file mode 100644
index 00000000..41fe54ac
--- /dev/null
+++ b/cve/java-spring/2022/CVE-2022-31692/src/main/java/com/spindlesec/poc/springauthbypass/SecurityConfig.java
@@ -0,0 +1,40 @@
+package com.spindlesec.poc.springauthbypass;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+public class SecurityConfig {
+
+ @Bean
+ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+ http
+ .authorizeHttpRequests((authz) -> authz
+ .antMatchers("/").permitAll()
+ .antMatchers("/forward").permitAll()
+ .antMatchers("/admin").hasAuthority("ROLE_ADMIN")
+ .shouldFilterAllDispatcherTypes(true)
+ )
+ .httpBasic().and()
+ .userDetailsService(userDetailsService());
+ return http.build();
+ }
+
+ private UserDetailsService userDetailsService() {
+ @SuppressWarnings("deprecation")
+ UserDetails user = User.withDefaultPasswordEncoder()
+ .username("user")
+ .password("pass")
+ .roles("USER")
+ .build();
+ return new InMemoryUserDetailsManager(user);
+ }
+
+
+}
diff --git a/cve/java-spring/2022/CVE-2022-31692/src/main/java/com/spindlesec/poc/springauthbypass/WebController.java b/cve/java-spring/2022/CVE-2022-31692/src/main/java/com/spindlesec/poc/springauthbypass/WebController.java
new file mode 100644
index 00000000..c5d4ce72
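Review bot: SecurityConfig carries no comment marking it as an intentionally vulnerable sample, so the chain built in `filterChain()` reads like a reference configuration even though `.shouldFilterAllDispatcherTypes(true)` combined with the `forward`/`include` dispatcher types from application.properties is exactly the condition the advisory describes. I would add a class Javadoc stating that this configuration is deliberately vulnerable to CVE-2022-31692 on the releases listed in the yaml's scope-of-influence, and that the mitigation for a real service is to run a release outside that range or not to forward permitted requests to endpoints with stricter authorization. The `@SuppressWarnings("deprecation")` on `User.withDefaultPasswordEncoder()` also needs a why-comment such as `// demo-only: hard-coded credentials, deprecated for anything but samples`. `userDetailsService()` is a plain private method invoked from the bean method rather than a `@Bean`, which is fine for a demo but worth a one-line note so nobody expects it to be injectable elsewhere.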
--- /dev/null
+++ b/cve/java-spring/2022/CVE-2022-31692/src/main/java/com/spindlesec/poc/springauthbypass/WebController.java
@@ -0,0 +1,23 @@
+package com.spindlesec.poc.springauthbypass;
+
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+@Controller
+public class WebController {
+
+ @GetMapping("/admin")
+ public String admin() {
+ return "adminpage";
+ }
+
+ @GetMapping("/")
+ public String index() {
+ return "index";
+ }
+
+ @GetMapping("/forward")
+ public String redirect() {
+ return "forward:/admin";
+ }
+}
diff --git a/cve/java-spring/2022/CVE-2022-31692/src/main/resources/application.properties b/cve/java-spring/2022/CVE-2022-31692/src/main/resources/application.properties
new file mode 100644
index 00000000..dea69bc1
--- /dev/null
+++ b/cve/java-spring/2022/CVE-2022-31692/src/main/resources/application.properties
@@ -0,0 +1,3 @@
+spring.security.filter.dispatcher-types = request, error, async, forward, include
+# Default value here is: [ASYNC, ERROR, REQUEST]. Include/forward are not present.
+# The vulnerability is only present where these dispatcher types are sent on to the filter chain.
\ No newline at end of file
diff --git a/cve/java-spring/2022/CVE-2022-31692/src/main/resources/templates/adminpage.html b/cve/java-spring/2022/CVE-2022-31692/src/main/resources/templates/adminpage.html
new file mode 100644
index 00000000..5214a245
--- /dev/null
+++ b/cve/java-spring/2022/CVE-2022-31692/src/main/resources/templates/adminpage.html
@@ -0,0 +1,5 @@
+ + + +
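Review bot: The handler mapped to `/forward` is named `redirect()` but returns `"forward:/admin"`, which is a server-side forward, not an HTTP redirect; the distinction is the whole point of the demo, so the name should match: `public String forward() {` with a comment `// server-side FORWARD to the admin view; the admin view itself has no authorization of its own`. It is also worth a class comment noting that `admin()` relies solely on the URL-based rule in SecurityConfig; a method-level rule (for example `@PreAuthorize` on `admin()`) is enforced on the invocation itself rather than per dispatcher type, so a defense-in-depth note here helps readers understand why the demo deliberately omits it.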

Admin page

+ \ No newline at end of file diff --git a/cve/java-spring/2022/CVE-2022-31692/src/main/resources/templates/index.html b/cve/java-spring/2022/CVE-2022-31692/src/main/resources/templates/index.html new file mode 100644 index 00000000..a81ab733 --- /dev/null +++ b/cve/java-spring/2022/CVE-2022-31692/src/main/resources/templates/index.html @@ -0,0 +1,9 @@ + + + +

CVE-2022-31692

+

Username = user
Password = pass

+

Admin page - requires authz with the admin role (which the supplied demo user doesn't have)

+

Forward page - requires no authn/authz. a server-side forward to the admin page. Under vulnerable conditions, this bypasses authentication

+ +
\ No newline at end of file
diff --git a/cve/java-spring/2022/CVE-2022-31692/src/test/java/com/spindlesec/poc/springauthbypass/Cve202231692PocApplicationTests.java b/cve/java-spring/2022/CVE-2022-31692/src/test/java/com/spindlesec/poc/springauthbypass/Cve202231692PocApplicationTests.java
new file mode 100644
index 00000000..ae485dcd
--- /dev/null
+++ b/cve/java-spring/2022/CVE-2022-31692/src/test/java/com/spindlesec/poc/springauthbypass/Cve202231692PocApplicationTests.java
@@ -0,0 +1,13 @@
+package com.spindlesec.poc.springauthbypass;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.boot.test.context.SpringBootTest;
+
+@SpringBootTest
+class Cve202231692PocApplicationTests {
+
+ @Test
+ void contextLoads() {
+ }
+
+}
diff --git a/cve/java-spring/2022/yaml/CVE-2022-31692.yaml b/cve/java-spring/2022/yaml/CVE-2022-31692.yaml
new file mode 100644
index 00000000..d6ed1a5e
--- /dev/null
+++ b/cve/java-spring/2022/yaml/CVE-2022-31692.yaml
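Review bot: `contextLoads()` only checks that the application context starts and never exercises the behaviour the README describes, so the demo cannot tell a vulnerable dependency from a fixed one. A test that starts the app on a random port (`@SpringBootTest(webEnvironment = RANDOM_PORT)` with `TestRestTemplate`) and asserts that an unauthenticated GET of `/forward` is rejected with 401 would fail on the affected releases and pass once the dependency is outside the range recorded in the yaml, turning the sample into a regression check. Until then a comment on `contextLoads()` should say explicitly that it does not cover the forward-dispatch authorization path.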
@@ -0,0 +1,24 @@
+id: CVE-2022-31692
+source: https://github.com/SpindleSec/cve-2022-31692
+info:
+ name: Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架。它提供了一组可以在Spring应用上下文中配置的Bean,充分利用了Spring IoC,DI(控制反转Inversion of Control ,DI:Dependency Injection 依赖注入)和AOP(面向切面编程)功能,为应用系统提供声明式的安全访问控制功能,减少了为企业系统安全控制编写大量重复代码的工作。
+ severity: critical
+ description: CVE-2022-31692 中,在Spring Security受影响版本范围内,在使用forward/include进行转发的情况下可能导致权限绕过。
+ scope-of-influence: 5.7.0 <= Spring Security <= 5.7.4, 5.6.0 <= Spring Security <= 5.6.8
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-31692
+ - https://github.com/ARPSyndicate/cvemon
+ - https://github.com/SpindleSec/cve-2022-31692
+ - https://github.com/Whoopsunix/PPPVULNS
+ - https://github.com/aneasystone/github-trending
+ - https://github.com/manas3c/CVE-POC
+ - https://github.com/nomi-sec/PoC-in-GitHub
+ - https://github.com/oskardudycz/ArchitectureWeekly
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-31692
+ cwe-id: CWE-863
+ cnvd-id: None
+ kve-id: None
+ tags: CVE2022, spring-framework, 认证绕过
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 40c60680..525f67ac 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -128,6 +128,7 @@ cve:
 - CVE-2020-5398
 - CVE-2022-22965
 - CVE-2022-22963
+ - CVE-2022-31692
 Zimbra:
 - CVE-2022-27925
 cnvd: