Spring Boot H2 Database Remote Code Execution Scanner
Detects a remote code execution vulnerability in Spring Boot applications that expose a writable, unauthenticated Actuator env endpoint together with an H2 datasource.
Short Info
Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 13 days 2 hours
Scan only one: Domain, IPv4, Subdomain
Toolbox: -
H2 is a lightweight, embeddable Java SQL database. When the `com.h2database:h2` dependency is on the classpath, Spring Boot auto-configures it as the application's datasource, usually as an in-memory instance intended for development and testing. It is popular because it needs no separate server process, starts in milliseconds and works with ordinary JDBC and JPA code, so teams use it for local runs, integration tests and prototypes. Because it is so convenient, the same configuration sometimes ships unchanged into deployed builds, which is where the exposure described below becomes reachable from the network.
Remote code execution in this setup means an unauthenticated attacker can make the Spring Boot application compile and run Java of their choosing inside its JVM, with whatever operating-system privileges the application process holds. The weakness is not a flaw in H2's SQL engine by itself; it is the combination of a Spring Boot Actuator configuration endpoint that accepts writes without authentication and H2's ability to define SQL functions from Java source at runtime. Once the attacker controls code running in the JVM they control the application: its data, its credentials and connection strings, and everything the host account can reach. That is why this finding is rated critical rather than as a simple information disclosure from the Actuator.
The exposed component is the Spring Boot Actuator env endpoint (`/actuator/env` in Spring Boot 2.x, `/env` in 1.x) when it is reachable without authentication and accepts writes. Spring Boot 1.x accepted POST to `/env` out of the box once the actuator starter was present; in 2.x the env endpoint is not exposed over HTTP by default and the writable variant comes from Spring Cloud, enabled with `management.endpoint.env.post.enabled=true`, so finding it writable in a 2.x application indicates deliberate but unsafe configuration. The attacker POSTs a new value for `spring.datasource.hikari.connection-test-query`, the SQL statement HikariCP runs to validate a pooled connection. H2 accepts `CREATE ALIAS ... AS '<Java source>'` and compiles that source at runtime when a Java compiler is available to the process (a JDK, or Janino on the classpath), so the injected test query defines a function that calls `Runtime.getRuntime().exec`, and the attacker then invokes it, typically with `whoami` first, to confirm execution. The statement does not run at the moment of the POST; it runs the next time HikariCP opens and validates a connection, which happens once the datasource is re-initialised. Every step here is documented behaviour of Spring Boot, HikariCP and H2, so the root cause is the missing access control on a configuration-write endpoint, not input validation. Hardening therefore means not exposing `env` through `management.endpoints.web.exposure.include`, leaving `management.endpoint.env.post.enabled` at its default of false, putting the whole `/actuator` prefix behind authentication, and not shipping H2 in production builds.
Successful exploitation gives the attacker the application's own privileges on the host, which in practice means every secret the application can read: the datasource password already visible in the env output, API keys, cloud credentials and tokens for downstream services. From there the attacker can run scripts, install malware, change configuration or plant a persistent backdoor, and use the host's network position for data exfiltration and lateral movement. Production systems can suffer downtime and integrity loss, and a compromised instance is a convenient launchpad for attacks on the rest of the environment. Treat any host where the env endpoint is found writable as potentially already compromised and review its connection-test-query and recent actuator access logs before remediating.