Last updated at Mon, 22 Jan 2024 18:19:54 GMT
CVE-2022-22963 - Spring Cloud Function SpEL RCE
A new exploit/multi/http/spring_cloud_function_spel_injection
module has been developed by our very own Spencer McIntyre which targets Spring Cloud Function versions Prior to 3.1.7 and 3.2.3. This module is unrelated to Spring4Shell CVE-2022-22965, which is a separate vulnerability in the WebDataBinder component of Spring Framework.
This exploit works by crafting an unauthenticated HTTP request to the target application. When the spring.cloud.function.routing-expression
HTTP header is received by the server it will evaluate the user provided SpEL (Spring Expression Language) query, leading to remote code execution. This can be seen within the CVE-2022-22963 Metasploit module:
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(datastore['TARGETURI']),
'headers' => {
'spring.cloud.function.routing-expression' => "T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','#{cmd.gsub("'", "''")}'})"
}
)
Both patched and unpatched servers will respond with a 500 server error and a JSON encoded message
New module content (1)
- Spring Cloud Function SpEL Injection by Spencer McIntyre, hktalent, and m09u3r, which exploits CVE-2022-22963 - This achieves unauthenticated remote code execution by executing SpEL (Spring Expression Language) queries against Spring Cloud Function versions prior to
3.1.7
and3.2.3
.
Bugs fixed (2)
- #16364 from zeroSteiner - This adds a fix for a crash in
auxiliary/spoof/dns/native_spoofer
and adds documentation for the module. - #16386 from adfoster-r7 - Fixes a crash when running the
exploit/multi/misc/java_rmi_server
module against at target server, such as Metasploitable2
Get it
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git
user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).