CVE-2022–42889 _ Text4Shell Vuln Technical Analysis

📅 [ Archival Date ]
Oct 19, 2022 8:06 PM
🏷️ [ Tags ]
CVE-2022–42889, Text4Shell, Apache Commons Text
✍️ [ Author ]

Numen Cyber Labs

💣 [ PoC / Exploit ]

What exchanges and other institutions need to pay attention to


CVE ID

CVE-2022–42889

Description

Apache Commons Text supports variable interpolation. The standard format is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. From version 1.5 through version 1.9 the default set of lookup instances included interpolators that can execute code or contact remote servers: "script" evaluates expressions with the JVM script execution engine (javax.script), "dns" resolves DNS records, and "url" fetches values from arbitrary URLs, including remote servers.

If an untrusted configuration value, or any other attacker-controlled string, is passed through the default interpolator, the affected application is vulnerable to remote code execution. NVD rates this vulnerability 9.8 (Critical).

Apache Commons Text is a widely used Apache library for string handling in Java; it is not part of the Java language itself, but it is pulled in transitively by many Java applications and frameworks, which is what makes this bug so broad. All Web3 project parties should pay more attention to the security loopholes of the infrastructure they depend on and patch in time to avoid potential security risks and loss of digital assets. We will continue to track security risks across Web3 and provide leading security solutions to keep the Web3 world safe both on-chain and off-chain.

Version affected

1.5 through 1.9 inclusive (fixed in 1.10.0)

Analysis

Reading the official 1.9 documentation for StringSubstitutor, the table of default lookups lists a script prefix of the form ${script:engineName:script}, with the example ${script:javascript:3 + 4}.

[image: default-lookup table from the 1.9 documentation]

Passing that example through the interpolator executes the JavaScript and returns the result, 7:

[image: script interpolation returning 7]

The vulnerability description says the script lookup uses the JVM script execution engine (javax.script). JavaScript engines on the JVM (Nashorn on JDK 8 through 14) expose Java classes to the script, so StringSubstitutor.replace on an attacker-controlled string should be able to execute arbitrary Java code, for example java.lang.Runtime.getRuntime().exec(...), during script interpolation. On JDK 15 and later no JavaScript engine ships with the runtime, so the script lookup throws an IllegalArgumentException ("No script engine named javascript") unless the application bundles an engine itself.

Construct the PoC:

[image: PoC]
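As an added example, not code from the original post or from Apache Commons Text itself: the vulnerable usage pattern next to an allowlisted replacement. It assumes commons-text on the classpath; the class and method names Text4ShellDemo, vulnerableRender and safeRender are the example's own, and the docs' benign expression 3 + 4 stands in for a Runtime.exec() payload. StringSubstitutor.createInterpolator() exists from 1.8; on 1.5 to 1.7 the equivalent is new StringSubstitutor(StringLookupFactory.INSTANCE.interpolatorStringLookup()).

```java
// Added example (not from the original post): vulnerable pattern vs. allowlisted replacement.
// Needs org.apache.commons:commons-text on the classpath. The script payload only resolves on
// 1.5-1.9 with a JavaScript ScriptEngine present (Nashorn on JDK 8-14).
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class Text4ShellDemo {

    // VULNERABLE on 1.5-1.9: createInterpolator() registers every default lookup
    // (script, dns, url, file, ...) and applies them to whatever string is passed in.
    static String vulnerableRender(String template) {
        StringSubstitutor interpolator = StringSubstitutor.createInterpolator(); // since 1.8
        return interpolator.replace(template);
    }

    // HARDENED: only the prefixes this application needs are registered. An attacker-supplied
    // ${script:...}, ${file:...}, ${dns:...} or ${url:...} has no lookup to resolve it and is
    // returned verbatim, on every library version.
    static String safeRender(String template) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("env", StringLookupFactory.INSTANCE.environmentVariableStringLookup());
        allowed.put("sys", StringLookupFactory.INSTANCE.systemPropertyStringLookup());
        // defaultStringLookup = null, addDefaultLookups = false: nothing beyond the allowlist
        StringLookup restricted =
            StringLookupFactory.INSTANCE.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(restricted).replace(template);
    }

    public static void main(String[] args) {
        // Constructed inputs. Swapping the arithmetic for
        // java.lang.Runtime.getRuntime().exec("...") is what turns this into RCE.
        String scriptPayload = "${script:javascript:3 + 4}";
        String filePayload   = "${file:UTF-8:/etc/passwd}";

        // On 1.5-1.9 these two resolve (the script result, then the file contents).
        System.out.println("vulnerable: " + vulnerableRender(scriptPayload));
        System.out.println("vulnerable: " + vulnerableRender(filePayload));

        // The hardened substitutor leaves both payloads unchanged but still
        // resolves an allowlisted prefix.
        System.out.println("hardened:   " + safeRender(scriptPayload));
        System.out.println("hardened:   " + safeRender(filePayload));
        System.out.println("hardened:   " + safeRender("${sys:java.version}"));
    }
}
```

The allowlist is the durable fix: it does not depend on which lookups a given release happens to enable by default, and it survives a later re-enable through configuration. Upgrading to 1.10.0 without it only removes script, dns and url from the default set.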

The entry point is StringSubstitutor.replace, which calls the substitute method to process the incoming string.

[image: StringSubstitutor.replace and substitute]

substitute scans for the ${ and } delimiters, extracts the variable name between them, and hands it to the resolveVariable method.

[image: substitute extracting the variable name]

resolveVariable delegates to the lookup method of the configured StringLookup object, here the InterpolatorStringLookup that createInterpolator() installs.

[image: resolveVariable calling StringLookup.lookup]

The individual interpolators are registered in stringLookupMap when the InterpolatorStringLookup is initialized, keyed by prefix, each prefix mapping to its own lookup instance.

[image: stringLookupMap initialization]

With the current input the prefix is script, so the map entry is a ScriptStringLookup, and its lookup method receives the remainder of the key (engine name and script).

[image: ScriptStringLookup.lookup]

Inside that method the engine is obtained by name from a ScriptEngineManager and scriptEngine.eval is finally called on the attacker-supplied script, which is where the vulnerability triggers.

[image: scriptEngine.eval call]

Call stack:

[image: call stack at scriptEngine.eval]

Fix

In version 1.10.0 the script, dns and url lookups are no longer added to stringLookupMap when the default set is built (they can only be re-enabled deliberately through the org.apache.commons.text.lookup.StringLookupFactory.defaultStringLookups system property). For a prefix with no registered lookup, lookup is null, no value is produced, and the ${...} expression is left unresolved. Note that the file lookup is still part of the 1.10.0 default set, so interpolating untrusted input remains a local file-read risk after the upgrade; the underlying fix is to never run attacker-controlled strings through the interpolator.

[image: 1.10.0 default lookup set without script]

Use of Other Interpolation

Read arbitrary files (format ${file:charset:path}):

${file:UTF-8:/etc/passwd}

With this prefix the lookup instance is the FileStringLookup class.

[image: FileStringLookup selected from stringLookupMap]

Its lookup method reads the whole file with the given charset and returns the contents as the substituted value.

[image: FileStringLookup.lookup]

Result:

[image: /etc/passwd contents returned by interpolation]

DNS probe (the documented form is ${dns:address|hostname}; the first part only selects which attribute is returned, and any value still causes the hostname to be resolved):

${dns:127.0.0.1|test.xxx.xxx}

Because the only side effect is a DNS query for the attacker-chosen name, this can be used for non-destructive, out-of-band testing.

[image: DNS query observed for the probe hostname]

HTTP request (format ${url:charset:url})

The url lookup fetches the URL from the application's own network position, so it can be used as SSRF to probe internal hosts and ports:

${url:UTF-8:http://127.0.0.1:2121}

[image: url lookup connecting to 127.0.0.1:2121]
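As an added self-check, again not from the original post or the library: it runs harmless, offline probe keys for the four prefixes discussed above (script, file, dns, url) through the default interpolator and reports which ones the installed commons-text version actually resolves, then warns if the 1.10.0 system property that re-enables the removed lookups is set in this JVM. The class name InterpolatorExposureCheck and the probe keys are the example's own; the probes only touch localhost, /dev/null and a file: URL.

```java
// Added self-check (not from the original post): which dangerous default lookups does the
// installed commons-text wire into createInterpolator()? Probe keys are constructed to be
// harmless and offline. An unresolved variable comes back verbatim, so any probe whose
// output differs from its input (or that throws) was routed to a registered lookup.
import java.util.LinkedHashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;

public class InterpolatorExposureCheck {

    // On 1.10.0 this JVM property re-enables lookups that are disabled by default.
    static final String DEFAULT_LOOKUPS_PROPERTY =
        "org.apache.commons.text.lookup.StringLookupFactory.defaultStringLookups";

    // Returns prefix -> true if the default interpolator routed the probe to a lookup.
    static Map<String, Boolean> probe() {
        StringSubstitutor interpolator = StringSubstitutor.createInterpolator();

        Map<String, String> probes = new LinkedHashMap<>();
        probes.put("script", "${script:javascript:1 + 1}");
        probes.put("dns",    "${dns:address|localhost}");
        probes.put("url",    "${url:UTF-8:file:///dev/null}");
        probes.put("file",   "${file:UTF-8:/dev/null}");

        Map<String, Boolean> active = new LinkedHashMap<>();
        for (Map.Entry<String, String> p : probes.entrySet()) {
            String out;
            try {
                out = interpolator.replace(p.getValue());
            } catch (RuntimeException e) {
                // e.g. "No script engine named javascript" on JDK 15+: the lookup is
                // registered but cannot run here. An unregistered prefix never throws,
                // so an exception still means the prefix is wired up.
                active.put(p.getKey(), Boolean.TRUE);
                continue;
            }
            active.put(p.getKey(), !out.equals(p.getValue()));
        }
        return active;
    }

    public static void main(String[] args) {
        probe().forEach((prefix, on) ->
            System.out.println(String.format("%-6s %s", prefix, on ? "ACTIVE" : "inactive")));

        String reEnabled = System.getProperty(DEFAULT_LOOKUPS_PROPERTY);
        if (reEnabled != null) {
            System.out.println("warning: " + DEFAULT_LOOKUPS_PROPERTY + "=" + reEnabled
                + " re-enables lookups that 1.10.0 disables by default");
        }
    }
}
```

On 1.5 to 1.9 all four prefixes report ACTIVE; on 1.10.0 with no property set, script, dns and url report inactive while file still reports ACTIVE, which is exactly why the upgrade alone is not a substitute for keeping untrusted input away from the interpolator.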

Summary

The payload syntax resembles Log4Shell's ${jndi:...}, and the bug is easy to exploit wherever attacker-controlled strings reach the interpolator, so some have started calling it "Text4Shell" or "Act4Shell".

It is recommended that all Web3 project parties pay more attention and upgrade to Apache Commons Text 1.10.0 in time, which disables the script, dns and url interpolators by default, and in addition never pass untrusted input to the interpolator, to avoid potential security risks and loss of digital assets.