CVE-2022-22965 (Spring4Shell, SpringShell) is a vulnerability in the Spring Framework that uses data binding functionality to bind data stored within an HTTP request to certain objects used by an application. The bug exists in the getCachedIntrospectionResults method, which can be used to gain unauthorized access to such objects by passing their class names via an HTTP request. It creates the risks of data leakage and remote code execution when special object classes are used. This vulnerability is similar to the long-closed CVE-2010-1622, where class name checks were added as a fix so that the name did not match classLoader or protectionDomain.
According to the CVSSv3 system, it scores as CRITICAL severity.
Below are detection opportunities for CVE-2022-22965 that can be used to identify vulnerability.
- Florian Roth created the following Yara rule that will detect possible webshells being implemented and proof-of-concept exploit attempts
- Hilko Bengen created a local CVE-2022-22965 vulnerability scanner written in Go (cross-platform compatible) that searches for Spring artifacts obtained via the Maven Central repository
- The OWASP Dependency Check tool can also be utilized to produce an aggregate report of projects and child projects doing the following command (additional properties for OWASP Dependency Check):
Current conditions for vulnerability (as stated in Spring's announcement of the vulnerability) can be summarised as follows:
- JDK 9+
- A vulnerable version of the Spring Framework (<5.2 | 5.2.0-19 | 5.3.0-17)
- Apache Tomcat as a server for the Spring application, packaged as a WAR
- A dependency on the spring-webmvc and/or spring-webflux components of the Spring Framework
python3 exploit.py http://10.10.10.10/
Note: the trailing slash is very important here!
Look for the "action" of the contact form (the only POST request available to us).
<form id="contactForm" action="/" method="post">
The action is "/", meaning that our target URL will simply be: http://10.10.10.10/