Spring4Shell-POC (CVE-2022-22965)

Spring4Shell (CVE-2022-22965) Proof Of Concept/Information

Early this morning, multiple sources has informed of a possible RCE exploit in the popular java framework spring.

The naming of this flaw is based on the similarities to the infamous Log4j LOG4Shell.

Details

• https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html
• https://bugalert.org/content/notices/2022-03-29-spring.html
• https://websecured.io/blog/624411cf775ad17d72274d16/spring4shell-poc
• https://www.springcloud.io/post/2022-03/spring-0day-vulnerability
• https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

CVE

• CVE-2022-22965

Poc

Found intresting poc here : https://github.com/craig/SpringCore0day/blob/main/exp.py ¹. & https://twitter.com/vxunderground/status/1509170582469943303

https://github.com/reznok/Spring4Shell-POC - Docker, POC

• clone sample repo from https://spring.io/guides/gs/handling-form-submission/
• you can skip right to the gs-handling-form-submission/complete directory, no need to follow the tutorial
• modify it so that you can build a war file (https://www.baeldung.com/spring-boot-war-tomcat-deploy). build war file :)
• install tomcat9 + java 11 (i did it on ubuntu 20.04 via apt-get)
• deploy the war file
• update the PoC (https://share.vx-underground.org/) to write the tomcatwar.jsp file to webapps/handling-form-submission instead of webapps/ROOT
• run PoC (ignore the URL it gives you for the webshell): python3 exp.py --url http://your.ip.here:8080/handling-form-submission-complete/greeting
• you should see the "tomcatwar.jsp" file now in webapps/handling-form-submission
• hit http://your.ip.here:8080/handling-form-submission/tomcatwar.jsp?pwd=j&cmd=id to see the results

Mitigations

!!(The following mitigations are only theoretical as nothing has been confirmed)!!

JDK Version under 9

Cyberkendra informed that JDK versions lower than JDK 9

You can easily check this by running

java -version

That will display something similar to this

openjdk version "17.0.2" 2022-01-18
OpenJDK Runtime Environment (build 17.0.2+8-Ubuntu-120.04)
OpenJDK 64-Bit Server VM (build 17.0.2+8-Ubuntu-120.04, mixed mode, sharing)

If your JDK version is under 8, you might be safe, but nothing is confirmed yet

The following article will be updated

Check if you are using the spring framework

Do a global search after "spring-beans-.jar" and "spring.jar"

find . -name spring-beans*.jar

WIP :=)

Footnotes

1. POC, translated fron this repository. ↩