feat: add CVE-2022-22965

2023-03-15 20:46:46 +08:00 · 2023-03-15 20:46:46 +08:00 · 0ce2c14c22
parent c6d8d9e367
commit 0ce2c14c22
3 changed files with 269 additions and 0 deletions
--- a/cve/java-spring/2022/CVE-2022-22965/CVE-2022-22965.nse
+++ b/cve/java-spring/2022/CVE-2022-22965/CVE-2022-22965.nse
@ -0,0 +1,149 @@
+description = [[
+Spring Framework 5.2.x / 5.3.x CVE-2022-22965 Remote Code Execution Vulnerability
+
+This script looks the existence of CVE-2022-22965 Spring Framework 5.2.x / 5.3.x RCE 
+uses a payload "/?class.module.classLoader.definedPackages%5B0%5D=0" through a GET request
+looking (400) code as response (NON INTRUSIVE)
+
+Inspired by:
+
+@Twitter thread
+https://twitter.com/RandoriAttack/status/1509298490106593283
+
+@ZAP Scan Rule  
+https://www.zaproxy.org/blog/2022-04-04-spring4shell-detection-with-zap/
+
+Manual inspection: 
+
+# curl -i -s -k -X $'GET' 
+-H $'Host: <target>' 
+-H $'User-Agent: alex666'  
+-H $'Connection: close' 
+$'https://<target>/path/foo/?class.module.classLoader.URLs%5B0%5D=0' | grep -i 400
+
+# curl -i -s -k -X $'GET' 
+-H $'Host: <target>' 
+-H $'User-Agent: alex666'  
+-H $'Connection: close' 
+$'https://<target>/path/foo/?class.module.classLoader.definedPackages%5B0%5D=0' | grep -i 400
+
+References:
+https://github.com/alt3kx/CVE-2022-22965
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965 
+https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities
+https://github.com/BobTheShoplifter/Spring4Shell-POC
+https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
+https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework
+]]
+
+---
+-- @usage
+-- nmap -p <port> --script=./CVE-2022-22965.nse [--script-args 'CVE-2022-22965.path=<PATH>,CVE-2022-22965.method=<HTTP METHOD>'] <target>
+-- @args CVE-2022-22965.path URI path to test; must be a valid path that accepts one or more parameters using data binding (default: <code>/</code>).
+-- @args CVE-2022-22965.method HTTP request method to use (default: <code>GET</code>).
+-- 
+-- @examples:
+-- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> -Pn
+-- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args 'CVE-2022-22965.path="/path/to/test"' -Pn
+-- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args 'CVE-2022-22965.path="/path/to/test",CVE-2022-22965.method=POST' -Pn
+-- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args=CVE-2022-22965.path="/path/foo/download/" -Pn --script-trace | more
+-- nmap -p443,8080 --script=./CVE-2022-22965.nse --script-args=CVE-2022-22965.path="/examples/" -Pn -iL targets.txt
+-- 
+-- @output
+-- PORT    STATE SERVICE
+-- 443/tcp open  https
+-- | CVE-2022-22965: 
+-- |   VULNERABLE:
+-- |   Spring Framework 5.2.x 5.3.x RCE
+-- |     State: VULNERABLE (Exploitable)
+-- |     IDs:  CVE:CVE-2022-22965
+-- |       Within Spring Core, A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable 
+-- |       to remote code execution (RCE) via data binding.
+-- |     Disclosure date: 2022-03-31
+-- |     References:
+-- |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
+
+
+author = "Alex Hernandez aka alt3kx <alt3kx@protonmail.com>"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"vuln", "exploit"}
+
+local shortport = require "shortport"
+local http = require "http"
+local stdnse = require "stdnse"
+local string = require "string"
+local vulns = require "vulns"
+
+portrule = shortport.http
+
+local S4S1 = "Tomcat"
+local S4S2 = "springframework"
+local S4S3 = "Tomcat"
+local S4S4 = "Tomcat"
+
+--Payloads: 
+--GET checker path2 = "/?class.module.classLoader.DefaultAssertionStatus=nosense"
+--GET checker path1 = "/?class.module.classLoader.URLs%5B0%5D=0"
+local S4S_PAYLOAD = "class.module.classLoader.definedPackages%5B0%5D=0"
+
+action = function(host, port)
+
+    local vuln = {
+        title = "Spring Framework 5.2.x 5.3.x RCE",
+        state = vulns.STATE.NOT_VULN,
+        IDS = { CVE = 'CVE-2022-22965' },
+		description = [[
+Within Spring Core, A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable 
+to remote code execution (RCE) via data binding.]], 
+		
+		references = {
+           'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965'
+       },
+       dates = {
+           disclosure = {year = '2022', month = '03', day = '31'},
+       },
+
+    }   
+    
+    local report = vulns.Report:new(SCRIPT_NAME, host, port)
+
+    local method = string.upper(stdnse.get_script_args("CVE-2022-22965.method") or "GET")
+    local path = stdnse.get_script_args("CVE-2022-22965.path") or "/"
+    local options = {header={["Content-Type"]="application/x-www-form-urlencoded"}}
+    if method == "GET" then
+        path = path .. "?" .. S4S_PAYLOAD
+    else
+        options["content"] = S4S_PAYLOAD
+    end
+    local response = http.generic_request(host, port, method, path, options)
+
+    if response.status and response.body then 
+
+      if response.status == 400 and string.find(response.body, S4S1) ~= nil then  
+          stdnse.debug2("Apache Tomcat Spring Framework 5.2.x / 5.3.x returned 400")
+          vuln.state = vulns.STATE.EXPLOIT
+        end 
+        --500 Internal Server Error , Spring Framework 5.2.x / 5.3.x Exceptions 
+        if response.status == 500 and string.find(response.body, S4S2) ~= nil then  
+            stdnse.debug2("Apache Tomcat Spring Framework 5.2.x / 5.3.x returned 500")
+            vuln.state = vulns.STATE.EXPLOIT
+          end 
+        
+        if response.status == 200 and string.find(response.body, S4S3) ~= nil then  
+        
+            stdnse.debug2("Apache Tomcat Spring Framework 5.2.x / 5.3.x returned 200")
+            vuln.state = vulns.STATE.NOT_VULN
+        end
+
+        if response.status == 404 and string.find(response.body, S4S4) ~= nil then  
+        
+            stdnse.debug2("Apache Tomcat Spring Framework 5.2.x / 5.3.x returned 404")
+            vuln.state = vulns.STATE.NOT_VULN
+        end
+
+        else 
+          stdnse.debug2("Apache Tomcat Spring Framework 5.2.x / 5.3.x returned unknow response.")
+          vuln.state = vulns.STATE.UNKNOWN
+    end
+    return report:make_output (vuln)
+end
--- a/cve/java-spring/2022/CVE-2022-22965/README.md
+++ b/cve/java-spring/2022/CVE-2022-22965/README.md
@ -0,0 +1,101 @@
+# CVE-2022-22965
+
+Spring Framework RCE (CVE-2022-22965) Nmap (NSE) Checker (Non-Intrusive)
+
+This script looks the existence of CVE-2022-22965 Spring Framework 5.2.x / 5.3.x RCE
+uses a payload "/?class.module.classLoader.definedPackages%5B0%5D=0" through a GET request
+looking (400) code as response (NON INTRUSIVE)
+
+Inspired by:
+
+@Twitter thread</br>
+<https://twitter.com/RandoriAttack/status/1509298490106593283>
+
+@ZAP Scan Rule</br>
+<https://www.zaproxy.org/blog/2022-04-04-spring4shell-detection-with-zap/>
+
+Manual inspection:
+
+```python
+# curl -i -s -k -X $'GET' 
+-H $'Host: <target>' 
+-H $'User-Agent: alex666'  
+-H $'Connection: close' 
+$'https://<target>/path/foo/?class.module.classLoader.URLs%5B0%5D=0' | grep -i 400
+```
+
+```python
+# curl -i -s -k -X $'GET' 
+-H $'Host: <target>' 
+-H $'User-Agent: alex666'  
+-H $'Connection: close' 
+$'https://<target>/path/foo/?class.module.classLoader.DefaultAssertionStatus=nosense' | grep -i 400
+```
+
+<em><a href="https://github.com/milo-minderbinder"> @milo-minderbinder</a></em> | fix and improvements
+
+```python
+# curl -i -s -k -X $'GET' 
+-H $'Host: <target>' 
+-H $'User-Agent: alex666'  
+-H $'Connection: close' 
+$'https://<target>/path/foo/?class.module.classLoader.definedPackages%5B0%5D=0' | grep -i 400
+```
+
+# References
+<https://github.com/alt3kx/CVE-2022-22965</br>>
+<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965</br>>
+<https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities</br>>
+<https://github.com/BobTheShoplifter/Spring4Shell-POC</br>>
+<https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement</br>>
+<https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework</br>>
+
+# Usage
+
+```python
+-- $ nmap -p <port> --script=./CVE-2022-22965.nse [--script-args 'CVE-2022-22965.path=<PATH>,CVE-2022-22965.method=<HTTP METHOD>'] <target>
+-- @args CVE-2022-22965.path URI path to test; must be a valid path that accepts one or more parameters using data binding (default: <code>/</code>).
+-- @args CVE-2022-22965.method HTTP request method to use (default: <code>GET</code>).
+-- 
+-- @examples:
+-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse <target> -Pn
+-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args 'CVE-2022-22965.path="/path/to/test"' -Pn
+-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args 'CVE-2022-22965.path="/path/to/test",CVE-2022-22965.method=POST' -Pn
+-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args=CVE-2022-22965.path="/path/foo/download/" -Pn --script-trace | more
+-- $ nmap -p443,8080 --script=./CVE-2022-22965.nse --script-args=CVE-2022-22965.path="/examples/" -Pn -iL targets.txt
+-- 
+```
+
+# Output
+
+```python
+-- PORT    STATE SERVICE
+-- 443/tcp open  https
+-- | CVE-2022-22965: 
+-- |   VULNERABLE:
+-- |   Spring Framework 5.2.x 5.3.x RCE
+-- |     State: VULNERABLE (Exploitable)
+-- |     IDs:  CVE:CVE-2022-22965
+-- |       Within Spring Core, A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable 
+-- |       to remote code execution (RCE) via data binding.
+-- |     Disclosure date: 2022-03-31
+-- |     References:
+-- |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
+
+```
+
+## Payload 1: Spring Framework RCE found
+
+<img src="https://user-images.githubusercontent.com/3140111/162096857-8b29e020-4f8e-448d-8694-7cd7b2e0cfcf.png" width="800">
+
+## Payload 2: Spring Framework RCE found
+
+<img src="https://user-images.githubusercontent.com/3140111/162097169-2ad3efac-935a-4caa-8ea4-5068d2ae1c15.png" width="800">
+
+## Payload 3: Spring Framework RCE found
+
+<img src="https://user-images.githubusercontent.com/3140111/162332755-6f1992a6-27d4-4e71-bbad-52815d046759.png" width="800">
+
+# Author
+
+Alex Hernandez aka <em><a href="https://twitter.com/_alt3kx_" rel="nofollow">(@\_alt3kx\_)</a></em>
--- a/cve/java-spring/2022/yaml/CVE-2022-22965.yaml
+++ b/cve/java-spring/2022/yaml/CVE-2022-22965.yaml
@ -0,0 +1,19 @@
+id: CVE-2022-22965
+source: https://github.com/alt3kx/CVE-2022-22965
+info:
+  name: Spring Framework是美国Spring团队的一套开源的Java、JavaEE应用程序框架。该框架可帮助开发人员构建高质量的应用。
+  severity: high
+  description: 2022年3月31日，Spring官方发布安全公告，披露CVE-2022-22965 Spring Framework 远程代码执行漏洞。由于Spring框架存在处理流程缺陷，攻击者可在远程条件下，实现对目标主机的后门文件写入和配置修改，继而通过后门文件访问获得目标主机权限。使用Spring框架或衍生框架构建网站等应用，且同时使用JDK版本在9及以上版本的，易受此漏洞攻击影响。
+  scope-of-influence: Spring Framework <5.2.20 JDK >9
+  reference:
+    - https://help.aliyun.com/noticelist/articleid/1061022382.html
+    - https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
+    - https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework/
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2022-22965
+    cwe-id: CWE-94
+    cnvd-id: None
+    kve-id: None
+  tags: cve2022, spring-framework, 代码注入