Rapid7 Vulnerability & Exploit Database

Spring Framework Class property RCE (Spring4Shell)


Disclosed
03/31/2022
Created
05/10/2022

Description

Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older unsupported versions are vulnerable to remote code execution (CVE-2022-22965, "Spring4Shell") when the application runs on JDK 9 or later, is packaged as a traditional WAR and is deployed to a standalone Apache Tomcat instance. The cause is unsafe data binding: Spring populates a handler method's object from request parameters, and on JDK 9+ the nested property path class.module.classLoader resolves through Class.getModule() to Tomcat's web application ClassLoader, whose own properties can then be written. By sending parameters such as class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp, an attacker reaches the org.apache.catalina.valves.AccessLogValve that Tomcat's default configuration places first in the Host pipeline and reconfigures the access log so that it is written as a .jsp file inside a directory the server will serve and execute, giving an unauthenticated attacker remote code execution. The issue was fixed in Spring Framework 5.3.18 and 5.2.20.
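The following detector illustrates the binding pattern described above from the defender's side. It is an added example for this page, not code from the Metasploit module or from Spring, and the HTTP requests it is run against are constructed, not captured traffic. It flags request parameter names that walk the Spring data binder into the class.module.classLoader chain from the description, and, as a broader (and assumed) heuristic, any bound property path that contains a `class` segment at all, after undoing URL encoding and Spring's `[key]` map syntax.

```python
"""Flag request parameter names that traverse Spring's data binder via the `class`
property into Tomcat's ClassLoader (the Spring4Shell pattern).

Added example for this page; the requests scanned are constructed samples."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The exact chain used in the page's example parameter, compared case-insensitively.
TRAVERSAL_CHAIN = ("class", "module", "classloader")

# Broader heuristic (an assumption, not Spring's own rule): any `class` segment in a
# bound property path is unusual for a form POJO and worth reviewing.
CLASS_SEGMENT = re.compile(r"(^|\.)class(\.|$)", re.IGNORECASE)


def normalize(name: str) -> str:
    """Return a lower-cased, dotted property path for a raw parameter name."""
    # parse_qsl already decoded once; decode twice more so double/triple
    # percent-encoding (a common filter-evasion trick) cannot hide the dots.
    path = unquote(unquote(name))
    # Spring also accepts map-style `a[b]` segments; fold them into `a.b`.
    path = re.sub(r"\[([^\]]*)\]", r".\1", path)
    return path.strip().lower()


def classify_param(name: str):
    """Return a verdict string for a suspicious parameter name, or None if benign."""
    path = normalize(name)
    if not CLASS_SEGMENT.search(path):
        return None
    segments = path.split(".")
    # Strongest signal: the full class.module.classLoader chain from the advisory.
    for i in range(len(segments) - 2):
        if tuple(segments[i:i + 3]) == TRAVERSAL_CHAIN:
            return "classloader-traversal"
    return "class-property-binding"


def scan_request(target: str, body: str = ""):
    """Scan a request target (path + query) and an x-www-form-urlencoded body.

    Returns a list of (raw_parameter_name, verdict) tuples; an empty list means
    no suspicious binding paths were seen. Bodies are assumed to be form-encoded.
    """
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, _value in params:
        verdict = classify_param(name)
        if verdict is not None:
            findings.append((name, verdict))
    return findings


if __name__ == "__main__":
    # Constructed sample requests: one benign form post, one carrying the
    # suffix parameter quoted in the description, one double-encoded variant.
    samples = [
        ("/app/greet?name=alice&classification=gold", ""),
        ("/app/greet",
         "class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp"),
        ("/app/greet?class%252Emodule%252EclassLoader%252Eresources.context=x", ""),
    ]
    for target, body in samples:
        print(target, body, "->", scan_request(target, body))
```

The regex is anchored on dot boundaries so ordinary field names such as `classification` do not trip it, and the strong verdict requires the three-segment chain rather than a substring match, so the two verdicts can be routed to different alert severities.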

Author(s)

  • vleminator <vleminator@gmail.com>

Platform

Linux, Windows

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/http/spring_framework_rce_spring4shell
msf exploit(spring_framework_rce_spring4shell) > show targets
    ...targets...
msf exploit(spring_framework_rce_spring4shell) > set TARGET < target-id >
msf exploit(spring_framework_rce_spring4shell) > show options
    ...show and set options...
msf exploit(spring_framework_rce_spring4shell) > exploit
