Spring4Shell PoC in NCL Testbed

In the current Java based web application ecosystem, a framework called Spring is dominantly in use (in more than 60% of applications). On March 30th, 2022, two critical vulnerabilities, CVE-2022-22963 and CVE-2022-22965, were reported, which pose a major threat to applications developed with the Spring framework. The first vulnerability affected the “spring-cloud-function-context" library (org.springframework.cloud). The latter, CVE-2022-22965, widely known as Spring4Shell, affected “spring-beans” (org.springframework.cloud). In this report we focus on Spring4Shell vulnerability, which can allow Remote Code Execution (RCE) on the server that is running the web application, by unauthorized and malicious actors.

The library org.springframework.cloud: spring-beans, is a typical transitive dependency of a popular framework used widely in Java applications and requires Java Development Kit version 9 (JDK9) or newer to be running. It is a bypass for an older CVE, CVE-2010-1622 that due to a feature in JDK9 or newer seems to have been reinstated (confirmed by the Praetorian). Since the time of writing, Spring has also confirmed that the currently known forms of an attack that exploits Spring4Shell, require JDK9 or above as well as Tomcat 9.0. Applications developed with these dependencies must be packaged as a WAR, and the vulnerable class to be present for the exploits to compromise the web application server. This type of vulnerability relies on the software deserializing code, which is at the root of the problem.

This vulnerability was identified early Wednesday (March 30th 2022) morning (GMT) when some speculations began to surface on the Internet (QQ Chat Service) about a new remote code execution flaw that affects Spring Framework. This vulnerability, dubbed by some as "Springshell or Spring4Shell" in the community, is a new, previously unknown (zero-day) security vulnerability. It has been added to the CVE list as CVE-2022-22965 with a Severity Score (CVSS) of 9.8.

Spring has acknowledged the vulnerability and released 5.3.18 and 5.2.20 to patch the issue as well as version 2.6.6 for spring-boot. We recommend an immediate upgrade for all users.

Some of the technical resources have confirmed that this serious vulnerability affects the spring-beans and spring artifacts under the following conditions:

·   JDK 9 or higher

·   Apache Tomcat as the Servlet container

·   Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)

·   spring-webmvc or spring-webflux dependency

·   Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions

Several POCs have been devised to verify these vulnerabilities in blogs or repositories like (e.g., check GitHub repositories https://github.com/search?q=Spring4Shell) and they were set up in local environments. However, it may not be easy for some professionals and researchers to replicate the vulnerability to study their effects. Even when the vulnerability and the exploit are replicated on local environments, it may not be possible to share those environments with multiple parties (teams of investigation) and to transfer the experience on how this vulnerability operates.

NCL created environments that are widely available for the users based on the early POC code from Lunasec-io/Spring4Shell-POC. This environment is easily accessible by using a unique NCL client software. The client includes a description of the vulnerability and a step-by-step POC such as service/package preparation, exploitation, and verification. Please find below the example video on accessing this environment in the NCL testbed.


https://www.youtube.com/watch?v=0oyyGyx7DU8


Source:

https://blog.sonatype.com/new-0-day-spring-framework-vulnerability-confirmed

https://help.sonatype.com/docs/important-announcements/find-and-fix-springshell

https://github.com/lunasec-io/Spring4Shell-POC

 

 

 

 

 

 




Comments

Post a Comment

Popular posts from this blog

GreyHats CTF 2023

Image
The GreyHats CTF 2023 event, jointly organized by the National Cybersecurity R&D Lab (NCL) and NUS Greyhats , took place from July 15th to 16th, 2023, at the School of Computing, National University of Singapore. The event witnessed the participation of 90 finalists who formed 15 teams , including 5 international teams and 10 local teams . These 90 finalists had previously competed in the GreyHats qualifier rounds and successfully qualified for the NUS GreyHats CTF 2023 event. The qualifier rounds attracted participation from more than 1600 individuals representing 454 teams (314 international teams & 140 local teams) . Greyhats is the largest student-led information security interest group based in NUS. The members of Greyhats are enthusiastic students with strong technical skills, keen to spread the love of cyber-exercises. NCL is a research lab established in 2015, funded by National Research Foundation, under the National Cybersecurity R&D (NCR) Programme. It
Read more

The Youth Cyber Exploration Programme (YCEP) - Central Capture-the-Flag 2023

Image
The Youth Cyber Exploration Programme (YCEP) Central Capture-the-Flag 2023 competition took place on the 25th of July 2023, in conjunction with WorldSkills ASEASN 2023, at Suntec Convention Centre witnessed close to 70 finalists from different schools. Photo by Cyber Security Agency of Singapore The competition was organized by CSA, with the support of National Cybersecurity R&D Lab (NCL) and Cisco Systems, aimed to ignite the passion for cybersecurity among young talents and foster a vibrant cyber community. We would like to extend our heartfelt appreciation to all students who showcased their incredible skills and determination throughout the competition. Congratulations to all the individual winners, as well as the top three group winners, Team 06, Team 13, and Team 10. Photo by Cyber Security Agency of Singapore We were honoured to have Mr. Tan Kiat How, Senior Minister of State for Communications and Information and Senior Minister of State for National Development,
Read more

Critical Infrastructure Defence Exercise (CIDeX) 2023

Image
National Cybersecurity R&D Lab (NCL) had the opportunity to support Critical Infrastructure Defence Exercise (CIDeX) 2023 from 22nd November to 24th November 2023 held at the School of Computing, National University Singapore (NUS). The event involves over 200 participants coming from DIS, CSA and 24 other national agencies across six Critical Information Infrastructure (CII) Sectors. Mr. Heng Chee How, the Senior Minister of State for Defence, and Dr. Janil Puthucheary, the Senior Minister of State for Communications and Information and Health, attended the Critical Infrastructure Defence Exercise (CIDeX) 2023 on 24th of November 2023. The event focuses on training and strengthening Whole-Of-Government (WoG) cyber capabilities to detect and tackle cyber security threats to Information Technology (IT) and OT networks that control the operations of critical infrastructure. NCL would like to express gratitude to MINDEF and Cybersecurity Agency of Singapore (CSA) for prov
Read more