The bypassing of Spring Boot-based Akamai web app firewalls (WAF) by a hacker could result in remote code execution (RCE).
The WAF from Akamai uses adaptive technologies to prevent known online security risks and was modified a few months ago in order to reduce the danger of Distributed Denial-of-Service (DDoS) attacks.
According to security researcher Peter M, the exploit employed Spring Expression Language (SpEL) injection, better known by the alias 'pmnh'. Usman Mansha and the analyst Peter H. claimed that Akamai has subsequently corrected the vulnerability, which was not given a CVE number.
"This was the second RCE via SSTI we identified on this program, after the first one, the program added a WAF which we were able to overcome in a different portion of the application," GitHub explanation of the Akamai WAF RCE read.
Access Point for WAF
The most straightforward approach to access the java.lang. Runtime class was through the SpEL reference $T(java.lang.Runtime), however, Akamai's software prevented this.
Discovering a connection to a random class was the next step. Peter M., a technical writer, said that this would enable reflection-based or direct method invocation to access the desired method.
Peter M. and Mansha constructed an arbitrary String using the java.lang and used a reflection mechanism to gain access to Class.forName.Accessible runtime value through Java.lang.
A second string was made to access the Runtime.getRuntime function and java.lang.Runtime, allowing for the creation of an effective RCE payload. The server recognized the final payload as a GET request because it was less than 3kb in size.
The WAF was a difficult obstacle to get over, though. Finding an access point required more than 14 hours and 500 roughly designed tries, according to Peter M. In order to stop blatant copycats, the researcher chose not to provide the final payload in text format.
