From d0508e00247bcfb755f6b2c754e9ed830a9d7b41 Mon Sep 17 00:00:00 2001
From: dfface
Date: Wed, 15 Mar 2023 20:46:46 +0800
Subject: [PATCH 1/4] feat: add CVE-2022-22965
---
 .../2022/CVE-2022-22965/CVE-2022-22965.nse | 149 ++++++++++++++++++
 cve/java-spring/2022/CVE-2022-22965/README.md | 101 ++++++++++++
 cve/java-spring/2022/yaml/CVE-2022-22965.yaml | 19 +++
 3 files changed, 269 insertions(+)
 create mode 100644 cve/java-spring/2022/CVE-2022-22965/CVE-2022-22965.nse
 create mode 100644 cve/java-spring/2022/CVE-2022-22965/README.md
 create mode 100644 cve/java-spring/2022/yaml/CVE-2022-22965.yaml
diff --git a/cve/java-spring/2022/CVE-2022-22965/CVE-2022-22965.nse b/cve/java-spring/2022/CVE-2022-22965/CVE-2022-22965.nse
new file mode 100644
index 00000000..98f8b9db
--- /dev/null
+++ b/cve/java-spring/2022/CVE-2022-22965/CVE-2022-22965.nse
@@ -0,0 +1,149 @@
+description = [[
+Spring Framework 5.2.x / 5.3.x CVE-2022-22965 Remote Code Execution Vulnerability
+
+This script looks the existence of CVE-2022-22965 Spring Framework 5.2.x / 5.3.x RCE
+uses a payload "/?class.module.classLoader.definedPackages%5B0%5D=0" through a GET request
+looking (400) code as response (NON INTRUSIVE)
+
+Inspired by:
+
+@Twitter thread
+https://twitter.com/RandoriAttack/status/1509298490106593283
+
+@ZAP Scan Rule
+https://www.zaproxy.org/blog/2022-04-04-spring4shell-detection-with-zap/
+
+Manual inspection:
+
+# curl -i -s -k -X $'GET'
+-H $'Host: '
+-H $'User-Agent: alex666'
+-H $'Connection: close'
+$'https:///path/foo/?class.module.classLoader.URLs%5B0%5D=0' | grep -i 400
+
+# curl -i -s -k -X $'GET'
+-H $'Host: '
+-H $'User-Agent: alex666'
+-H $'Connection: close'
+$'https:///path/foo/?class.module.classLoader.definedPackages%5B0%5D=0' | grep -i 400
+
+References:
+https://github.com/alt3kx/CVE-2022-22965
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
+https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities
+https://github.com/BobTheShoplifter/Spring4Shell-POC
+https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
+https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework
+]]
+
+---
+-- @usage
+-- nmap -p --script=./CVE-2022-22965.nse [--script-args 'CVE-2022-22965.path=,CVE-2022-22965.method=']
+-- @args CVE-2022-22965.path URI path to test; must be a valid path that accepts one or more parameters using data binding (default: /).
+-- @args CVE-2022-22965.method HTTP request method to use (default: GET).
+--
+-- @examples:
+-- nmap -p443,8080 --script=./CVE-2022-22965.nse -Pn
+-- nmap -p443,8080 --script=./CVE-2022-22965.nse --script-args 'CVE-2022-22965.path="/path/to/test"' -Pn
+-- nmap -p443,8080 --script=./CVE-2022-22965.nse --script-args 'CVE-2022-22965.path="/path/to/test",CVE-2022-22965.method=POST' -Pn
+-- nmap -p443,8080 --script=./CVE-2022-22965.nse --script-args=CVE-2022-22965.path="/path/foo/download/" -Pn --script-trace | more
+-- nmap -p443,8080 --script=./CVE-2022-22965.nse --script-args=CVE-2022-22965.path="/examples/" -Pn -iL targets.txt
+--
+-- @output
+-- PORT STATE SERVICE
+-- 443/tcp open https
+-- | CVE-2022-22965:
+-- | VULNERABLE:
+-- | Spring Framework 5.2.x 5.3.x RCE
+-- | State: VULNERABLE (Exploitable)
+-- | IDs: CVE:CVE-2022-22965
+-- | Within Spring Core, A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable
+-- | to remote code execution (RCE) via data binding.
+-- | Disclosure date: 2022-03-31
+-- | References:
+-- |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
+
+
+author = "Alex Hernandez aka alt3kx "
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"vuln", "exploit"}
+
+local shortport = require "shortport"
+local http = require "http"
+local stdnse = require "stdnse"
+local string = require "string"
+local vulns = require "vulns"
+
+portrule = shortport.http
+
+local S4S1 = "Tomcat"
+local S4S2 = "springframework"
+local S4S3 = "Tomcat"
+local S4S4 = "Tomcat"
+
+--Payloads:
+--GET checker path2 = "/?class.module.classLoader.DefaultAssertionStatus=nosense"
+--GET checker path1 = "/?class.module.classLoader.URLs%5B0%5D=0"
+local S4S_PAYLOAD = "class.module.classLoader.definedPackages%5B0%5D=0"
+
+action = function(host, port)
+
+ local vuln = {
+ title = "Spring Framework 5.2.x 5.3.x RCE",
+ state = vulns.STATE.NOT_VULN,
+ IDS = { CVE = 'CVE-2022-22965' },
+ description = [[
+Within Spring Core, A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable
+to remote code execution (RCE) via data binding.]],
+
+ references = {
+ 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965'
+ },
+ dates = {
+ disclosure = {year = '2022', month = '03', day = '31'},
+ },
+
+ }
+
+ local report = vulns.Report:new(SCRIPT_NAME, host, port)
+
+ local method = string.upper(stdnse.get_script_args("CVE-2022-22965.method") or "GET")
+ local path = stdnse.get_script_args("CVE-2022-22965.path") or "/"
+ local options = {header={["Content-Type"]="application/x-www-form-urlencoded"}}
+ if method == "GET" then
+ path = path .. "?" .. S4S_PAYLOAD
+ else
+ options["content"] = S4S_PAYLOAD
+ end
+ local response = http.generic_request(host, port, method, path, options)
+
+ if response.status and response.body then
+
+ if response.status == 400 and string.find(response.body, S4S1) ~= nil then
+ stdnse.debug2("Apache Tomcat Spring Framework 5.2.x / 5.3.x returned 400")
+ vuln.state = vulns.STATE.EXPLOIT
+ end
+ --500 Internal Server Error , Spring Framework 5.2.x / 5.3.x Exceptions
+ if response.status == 500 and string.find(response.body, S4S2) ~= nil then
+ stdnse.debug2("Apache Tomcat Spring Framework 5.2.x / 5.3.x returned 500")
+ vuln.state = vulns.STATE.EXPLOIT
+ end
+
+ if response.status == 200 and string.find(response.body, S4S3) ~= nil then
+
+ stdnse.debug2("Apache Tomcat Spring Framework 5.2.x / 5.3.x returned 200")
+ vuln.state = vulns.STATE.NOT_VULN
+ end
+
+ if response.status == 404 and string.find(response.body, S4S4) ~= nil then
+
+ stdnse.debug2("Apache Tomcat Spring Framework 5.2.x / 5.3.x returned 404")
+ vuln.state = vulns.STATE.NOT_VULN
+ end
+
+ else
+ stdnse.debug2("Apache Tomcat Spring Framework 5.2.x / 5.3.x returned unknow response.")
+ vuln.state = vulns.STATE.UNKNOWN
+ end
+ return report:make_output (vuln)
+end
diff --git a/cve/java-spring/2022/CVE-2022-22965/README.md b/cve/java-spring/2022/CVE-2022-22965/README.md
new file mode 100644
index 00000000..a16d24fe
--- /dev/null
+++ b/cve/java-spring/2022/CVE-2022-22965/README.md
@@ -0,0 +1,101 @@
+# CVE-2022-22965
+
+Spring Framework RCE (CVE-2022-22965) Nmap (NSE) Checker (Non-Intrusive)
+
+This script looks the existence of CVE-2022-22965 Spring Framework 5.2.x / 5.3.x RCE
+uses a payload "/?class.module.classLoader.definedPackages%5B0%5D=0" through a GET request
+looking (400) code as response (NON INTRUSIVE)
+
+Inspired by:
+
+@Twitter thread
+
+
+@ZAP Scan Rule
+
+
+Manual inspection:
+
+```python
+# curl -i -s -k -X $'GET'
+-H $'Host: '
+-H $'User-Agent: alex666'
+-H $'Connection: close'
+$'https:///path/foo/?class.module.classLoader.URLs%5B0%5D=0' | grep -i 400
+```
+
+```python
+# curl -i -s -k -X $'GET'
+-H $'Host: '
+-H $'User-Agent: alex666'
+-H $'Connection: close'
+$'https:///path/foo/?class.module.classLoader.DefaultAssertionStatus=nosense' | grep -i 400
+```
+
+ @milo-minderbinder | fix and improvements
+
+```python
+# curl -i -s -k -X $'GET'
+-H $'Host: '
+-H $'User-Agent: alex666'
+-H $'Connection: close'
+$'https:///path/foo/?class.module.classLoader.definedPackages%5B0%5D=0' | grep -i 400
+```
+
+# References
+>
+>
+>
+>
+>
+>
+
+# Usage
+
+```python
+-- $ nmap -p --script=./CVE-2022-22965.nse [--script-args 'CVE-2022-22965.path=,CVE-2022-22965.method=']
+-- @args CVE-2022-22965.path URI path to test; must be a valid path that accepts one or more parameters using data binding (default: /).
+-- @args CVE-2022-22965.method HTTP request method to use (default: GET).
+--
+-- @examples:
+-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse -Pn
+-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse --script-args 'CVE-2022-22965.path="/path/to/test"' -Pn
+-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse --script-args 'CVE-2022-22965.path="/path/to/test",CVE-2022-22965.method=POST' -Pn
+-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse --script-args=CVE-2022-22965.path="/path/foo/download/" -Pn --script-trace | more
+-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse --script-args=CVE-2022-22965.path="/examples/" -Pn -iL targets.txt
+--
+```
+
+# Output
+
+```python
+-- PORT STATE SERVICE
+-- 443/tcp open https
+-- | CVE-2022-22965:
+-- | VULNERABLE:
+-- | Spring Framework 5.2.x 5.3.x RCE
+-- | State: VULNERABLE (Exploitable)
+-- | IDs: CVE:CVE-2022-22965
+-- | Within Spring Core, A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable
+-- | to remote code execution (RCE) via data binding.
+-- | Disclosure date: 2022-03-31
+-- | References:
+-- |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
+
+```
+
+## Payload 1: Spring Framework RCE found
+
+
+
+## Payload 2: Spring Framework RCE found
+
+
+
+## Payload 3: Spring Framework RCE found
+
+
+
+# Author
+
+Alex Hernandez aka (@\_alt3kx\_)
diff --git a/cve/java-spring/2022/yaml/CVE-2022-22965.yaml b/cve/java-spring/2022/yaml/CVE-2022-22965.yaml
new file mode 100644
index 00000000..89919252
--- /dev/null
+++ b/cve/java-spring/2022/yaml/CVE-2022-22965.yaml
@@ -0,0 +1,19 @@
+id: CVE-2022-22965
+source: https://github.com/alt3kx/CVE-2022-22965
+info:
+ name: Spring Framework是美国Spring团队的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。
+ severity: high
+ description: 2022年3月31日,Spring官方发布安全公告,披露CVE-2022-22965 Spring Framework 远程代码执行漏洞。由于Spring框架存在处理流程缺陷,攻击者可在远程条件下,实现对目标主机的后门文件写入和配置修改,继而通过后门文件访问获得目标主机权限。使用Spring框架或衍生框架构建网站等应用,且同时使用JDK版本在9及以上版本的,易受此漏洞攻击影响。
+ scope-of-influence: Spring Framework <5.2.20 JDK >9
+ reference:
+ - https://help.aliyun.com/noticelist/articleid/1061022382.html
+ - https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
+ - https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-22965
+ cwe-id: CWE-94
+ cnvd-id: None
+ kve-id: None
+ tags: cve2022, spring-framework, 代码注入
-- Gitee
From 216fa385cd0edb583f46bda6e296d487d1bc37ea Mon Sep 17 00:00:00 2001
From: dfface
Date: Wed, 15 Mar 2023 20:52:51 +0800
Subject: [PATCH 2/4] fix: >= 9
---
 cve/java-spring/2022/yaml/CVE-2022-22965.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cve/java-spring/2022/yaml/CVE-2022-22965.yaml b/cve/java-spring/2022/yaml/CVE-2022-22965.yaml
index 89919252..403867d5 100644
--- a/cve/java-spring/2022/yaml/CVE-2022-22965.yaml
+++ b/cve/java-spring/2022/yaml/CVE-2022-22965.yaml
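Review bot: `scope-of-influence: Spring Framework <5.2.20 JDK >9` records only the 5.2 line, while the NSE script added in the same commit describes the issue as affecting Spring Framework 5.2.x / 5.3.x; the affected 5.3.x range belongs in this field too, otherwise a consumer of the YAML treats 5.3.x deployments as out of scope. The later patches in this series reword the JDK comparison and the severity but none of them adds the 5.3.x range. `cnvd-id: None` and `kve-id: None` read as the string "None" to a YAML loader rather than an empty value — presumably meant as "not assigned"; worth confirming what the list consumer expects.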
@@ -4,7 +4,7 @@ info:
 name: Spring Framework是美国Spring团队的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。
 severity: high
 description: 2022年3月31日,Spring官方发布安全公告,披露CVE-2022-22965 Spring Framework 远程代码执行漏洞。由于Spring框架存在处理流程缺陷,攻击者可在远程条件下,实现对目标主机的后门文件写入和配置修改,继而通过后门文件访问获得目标主机权限。使用Spring框架或衍生框架构建网站等应用,且同时使用JDK版本在9及以上版本的,易受此漏洞攻击影响。
- scope-of-influence: Spring Framework <5.2.20 JDK >9
+ scope-of-influence: Spring Framework <5.2.20 JDK >=9
 reference:
 - https://help.aliyun.com/noticelist/articleid/1061022382.html
 - https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
-- Gitee
From 1c41ef3c57d0680114a5eabf138b37265095ecd9 Mon Sep 17 00:00:00 2001
From: dfface
Date: Wed, 15 Mar 2023 20:54:07 +0800
Subject: [PATCH 3/4] fix: and
---
 cve/java-spring/2022/yaml/CVE-2022-22965.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cve/java-spring/2022/yaml/CVE-2022-22965.yaml b/cve/java-spring/2022/yaml/CVE-2022-22965.yaml
index 403867d5..8d8f2669 100644
--- a/cve/java-spring/2022/yaml/CVE-2022-22965.yaml
+++ b/cve/java-spring/2022/yaml/CVE-2022-22965.yaml
@@ -4,7 +4,7 @@ info:
 name: Spring Framework是美国Spring团队的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。
 severity: high
 description: 2022年3月31日,Spring官方发布安全公告,披露CVE-2022-22965 Spring Framework 远程代码执行漏洞。由于Spring框架存在处理流程缺陷,攻击者可在远程条件下,实现对目标主机的后门文件写入和配置修改,继而通过后门文件访问获得目标主机权限。使用Spring框架或衍生框架构建网站等应用,且同时使用JDK版本在9及以上版本的,易受此漏洞攻击影响。
- scope-of-influence: Spring Framework <5.2.20 JDK >=9
+ scope-of-influence: Spring Framework <5.2.20 and JDK >=9
 reference:
 - https://help.aliyun.com/noticelist/articleid/1061022382.html
 - https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
-- Gitee
From b329b513e631c231e1a2e029afd6fc919535cfb5 Mon Sep 17 00:00:00 2001
From: dfface
Date: Thu, 16 Mar 2023 12:49:59 +0800
Subject: [PATCH 4/4] fix: severity
---
 cve/java-spring/2022/yaml/CVE-2022-22965.yaml | 2 +-
 openkylin_list.yaml | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/cve/java-spring/2022/yaml/CVE-2022-22965.yaml b/cve/java-spring/2022/yaml/CVE-2022-22965.yaml
index 8d8f2669..e237d738 100644
--- a/cve/java-spring/2022/yaml/CVE-2022-22965.yaml
+++ b/cve/java-spring/2022/yaml/CVE-2022-22965.yaml
@@ -2,7 +2,7 @@ id: CVE-2022-22965
 source: https://github.com/alt3kx/CVE-2022-22965
 info:
 name: Spring Framework是美国Spring团队的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。
- severity: high
+ severity: critical
 description: 2022年3月31日,Spring官方发布安全公告,披露CVE-2022-22965 Spring Framework 远程代码执行漏洞。由于Spring框架存在处理流程缺陷,攻击者可在远程条件下,实现对目标主机的后门文件写入和配置修改,继而通过后门文件访问获得目标主机权限。使用Spring框架或衍生框架构建网站等应用,且同时使用JDK版本在9及以上版本的,易受此漏洞攻击影响。
 scope-of-influence: Spring Framework <5.2.20 and JDK >=9
 reference:
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index d83e8b4f..7b382c3a 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -97,6 +97,7 @@ cve:
 - CVE-2022-31144
 java-spring:
 - CVE-2020-5398
+ - CVE-2022-22965
 cnvd:
 apache-tomcat:
 - CNVD-2020-10487
-- Gitee