CVE-2022-22965 PoC — Spring Framework 代码注入漏洞

Source

https://github.com/bL34cHig0/Telstra-Cybersecurity-Virtual-Experience-

Associated Vulnerability

Title:Spring Framework 代码注入漏洞 (CVE-2022-22965)
Description:A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Description

A simple python script for a firewall rule that blocks incoming requests based on the Spring4Shell (CVE-2022-22965) vulnerability

Readme

# Telstra-Cybersecurity-Virtual-Experience-Program

I participated in Telstra's Security Operations Centre as an Information Security Analyst to gain first-hand experience of the daily tasks and responsibilities of a Security Analyst at Telstra. The tasks carried out:

1. Triaged a malware attack (CVE-2022-22965) on their nbn services and respond to the malware attack by contacting the appropriate team.
2. Analyzed the data of the malware to identify how it spreads.
3. Utilize the patterns identified to formulate a firewall rule with Python programming language in order to mitigate the malware from spreading.
4. Drafted an incident postmortem of the malware attack, covering the details I picked up in the previous task.

# Firewall Rule

This is a simple Python project I was tasked to perform as a participant of Telstra Virtual Experience Program with Forage. My task was to utilize Python to develop a firewall rule to mitigate a zero-day vulnerability malware attack (CVE-2022-22965), known as Spring4Shell. Therefore, I developed a firewall rule in the firewall_server.py script provided by Telstra to mitigate the attack on their nbn services. The rule blocks:

1. Incoming traffic on client request path `/tomcatwar.jsp`
2. Any request which is used in the malicious Spring4Shell payload, as listed in this PoC: https://github.com/craig/SpringCore0day/blob/main/exp.py

## Prerequisites
- Python 3.x

## Installation and Setup
1. Clone or download the project repository to your device.
2. Open a terminal or command prompt and navigate to the project directory.

## Usage
 ```bash
 python firewall_server.py
 ```
```bash
Ctrl + c # to stop the server
```

After executing the script, the server will listen for incoming requests and any incoming GET or POST request that matches the stipulated rule above will be blocked and a 403 response code will be sent to the client. I tested the firewall_server.py script against the "test_resquests.py" script provided by Telstra.

## PoC

![image](https://github.com/bL34cHig0/Telstra-Cybersecurity-Virtual-Experience-/assets/133022207/7a0660ae-7ee0-4c2f-80be-59d9fbde457f)

## Resources

1. https://github.com/craig/SpringCore0day/blob/main/exp.py
2. https://docs.python.org/3/library/http.server.html
3. https://spring.io/security/cve-2022-22965
4. https://www.cisa.gov/news-events/alerts/2022/04/01/spring-releases-security-updates-addressing-spring4shell-and-spring

## Disclaimer
This project is for educational purpose only. Telstra, Forage, and the author are not responsible for any misuse or illicit activities performed using this code. Any 
consequences arising from the misuse or unlawful use of this project are solely the responsibility of the user.

File Snapshot


 [4.0K]  /data/pocs/29c1012cca5b1fc34fd4b8590405f239bef58c1b
├── [2.1K]  firewall_server.py
└── [2.7K]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!