Cyble-SpringShell-Vulnerability-Analysis

SpringShell Remote Code Execution Vulnerability

A closer look at CVE-2022-22965

Introduction

The Spring Framework is a platform that provides a comprehensive architecture for Model-View-Controller-based (MVC) applications designed to decrease manual configuration and improve memory management. Implementing some design patterns uniformly makes the code more reusable and easy to maintain. This is the driving factor behind using the Spring framework to develop Enterprise-level spring boot and spring cloud applications.

The recent vulnerability CVE-2022-22965 points out that Data Binding might expose a Spring MVC or Spring WebFlux application running on Java Development Kit 9+ (JDK) vulnerable to Remote Code Execution (RCE). The exploit requires the program to execute as a Web Application Resource (WAR) deployment on Tomcat.

The program is not vulnerable to the exploit if it is deployed using the default Spring Boot executable jar. However, the vulnerability can be exploited through various approaches by a TA who is familiar with it.

The SpringShell or CVE-2022-22965 vulnerability circumvents the fix for a previous vulnerability CVE-2010-1622, allowing it to be exploited once more.

The patch for CVE-2010-1622 can be bypassed because Java Development Kit (JDK) versions 9 and above have two sandbox restriction methods, which enable exploitation.

If the below conditions are satisfied, a remote attacker can access an AccessLogValve object. This is done via the parameters of the framework’s binding feature using malicious field values to trigger pipeline mechanisms and write to files in arbitrary locations.

Prerequisites for exploitation of the vulnerability require the victim system to be running:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions

Technical Analysis

When specific objects or classes are accessible under certain conditions, a vulnerability is created. Request parameters are frequently bound to a Plain Old Java Object (POJO) that is not annotated with RequestBody. This aids in the extraction of parameters from HTTP requests.

The RequestBody annotation is used to indicate whether a method parameter should be bound to the body of the HTTP request. 

An attacker can trigger the flaw by using the Spring framework’s getCachedIntrospectionResults function, incorrectly exposing the class object while binding the parameters shown in the original proof of concept script. Refer Figure 1.

Figure 1 – Screenshot from the original POC code post

By including the class variable in the requests, malicious actors can gain direct access to an object. As a result, by just following the property chains, they can access a surplus of additional valuable objects on the system.

The attacker can make changes to AccessValveLog by creating a .jsp file in the service’s root directory.

The properties mentioned below can be modified by an attacker, as shown in Figures 2 & 3:

Directory: The location of the access log relative to Tomcat’s root directory. This can be altered to point to a location accessible via HTTP requests – such as the directory of the web application.

Prefix: The name of the access log file’s prefix.

Suffix: The suffix of the name of the access log file. The log file’s name is a combination of the prefix and the suffix.

Pattern: A string that describes the structure of a log record. This can be adjusted so that each entry has a JSP web shell.

FileDateFormat: Setting this causes the new access log settings to take effect.

Figure 2 – Original Proof Of Concept code post

Figure 3 – Screenshot from the original POC code post

The .jsp file now contains a payload with a password-protected web shell in the format shown in Figure 4, allowing the attacker to execute further commands.

Figure 4 – Screenshot from the original POC code post

Cyble Research Lab’s Global Sensor Intelligence network indicated malicious activity linked to the SpringShell vulnerability (CVE-2022-22965). The heat map below depicts the geographic distribution of the scanner IP addresses that we have observed thus far. Our analysis indicates that the United States is being heavily targeted, followed by the Netherlands and Germany by TAs leveraging this vulnerability.

Figure 5 – Heat map of SpringShell

SpringShell is used to inject a JSP web shell into the web root of the web server via a specially designed request, allowing threat actors to remotely execute commands on the server.

It was observed that threat actors leverage their remote access to download and execute Mirai to the “/tmp” folder, as shown in Figure 6.

Figure – 6 Request and Commands used for Mirai (Trend Micro)

The Threat Actors behind SpringShell download numerous Mirai samples for different CPU architectures and run them using the wget.sh script, as shown in Figure 6.

Figure – 7 wget.sh script retrieved from a malicious server (Trend Micro)

Conclusion

Until this month, various Mirai botnets were among the few persistent exploiters of the Log4Shell (CVE-2021-44228) vulnerability, utilizing the bug in the widely used Log4j software to recruit affected devices into its DDoS botnet. It is probable that botnet operators are currently experimenting with other vulnerabilities that could have a significant impact, such as SpringShell, to gain access to new device pools.

These assaults could potentially expose the victim to ransomware attacks and data breaches. Thus, Mirai resource hijacking for denial of service or crypto-mining appears relatively innocuous in comparison.

Recommendations

  • Upgrade to the latest Spring framework version.
  • Upgrade Apache Tomcat to the latest released versions 10.0.20, 9.0.62, and 8.5.78, which rectify the attack vector on Tomcat’s side.
  • Upgrade to spring framework 5.3.18 and 5.2.20, which contain the fixes, have been released.
  • Downgrade to Java 8 as a viable workaround if upgrading the Spring Framework or Apache Tomcat is not viable.
  • Keep operating systems and application software up to date.
  • Use a strong password policy.
  • Cyber security awareness training programs are a must for employees of the organization.

Indicators of Compromise (IOCs)  

IndicatorsIndicator TypeDescription
95f02f3121d1626bd7058bc074dd6b25,
ba4393846787f1be224b088798d25d523567a94a, 136c2a3d4202b27259d5c99f43247ba12c09157026a812d1899e82c103d41ef9
{MD5,
SHA-1,
SHA -256}
SpringShell Exploit
9de8ec169cbc5d0bc8449f6ca77365b4,
d9c25d2dfd9cdfde6dbf005cb80b8c19d9dfe69b, 9389c61bd1069674215678a72f02b0951f3e74d9e4d2c9ce58d58f3a15d91ae4
{MD5,
SHA-1,
SHA -256}
SpringShell Exploit
5749c03892ff18818b1d1badb35106e2,
1b64cb331a37bd2c858f042ebc3617f4c15f08b0,  f23259498b67d7a70904d25453b2deeb23719fca0fadf925f69feacae758a44e
{MD5,
SHA-1,
SHA -256}
SpringShell Exploit
aaeb9678b275c6639d7b2598ce8e708c,
f8ff2ec0f839970aadd41f78d993699380bbef38, b95017be689384eec9f3800f712ce2b6003893afeac507c7da70330fe75dd216
{MD5,
SHA-1,
SHA -256}
SpringShell Exploit
3de4e174c2c8612aebb3adef10027679,
c2f04ab5e0f744c06ce401342e123844d96ff2a0, 4f19caf78b58d7ec120f91165c9e21fdc9a7e75c01b1b7af234c31b871781c41
{MD5,
SHA-1,
SHA -256}
SpringShell Exploit
8ce2bfbd31b41f9d618c0b817773bba3,
247f484f62342fbdb324799d500f060000b73197, 2dd7d5d9ff525732d7730e205c4e85005ff79395e1ecbc69071fd82d4426b37f
{MD5,  SHA-1,
SHA -256}
SpringShell Exploit
c5d26243dc953e105fa488290c8eca38,
d0af2d07398aa504d83c2507249b99835a240c9f, 35cf4e1eb657b53d77b331faee7d6e48f73acd136eed9ccfda60abc1033c6166
{MD5,
SHA-1,
SHA -256}
SpringShell Exploit
56fea329f85c6f974c63b31e162279f8,
d50a107458a043e117ad72fa32cf7454c0150eae, e3d86c64a3c5b83cb8252fc9c68aaf95857a9421ddb5c0f49d7d126242e70b02
{MD5,
SHA-1,
SHA -256}
SpringShell Exploit
141.164.43.95       109.201.133.100     87.120.37.231       23.128.248.12       23.128.248.24       5.2.69.50           37.187.18.212       128.31.0.13         213.61.215.54       109.70.100.19       IP addresses 

Generic signatures and Rules

Yara Rules:

Figure – 8 Yara rules for SpringShell

References

  1. SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965 – Microsoft Security Blog
  2. CVE-2022-22965 Analyzing the Exploitation of Spring4Shell Vulnerability in Weaponizing and Executing the Mirai Botnet Malware (trendmicro.com)
Scroll to Top