Numen Cyber Labs
What exchanges and other institutions need to pay attention to
CVE ID
Description
Apache Commons Text supports variable interpolation. The standard form is "${prefix:name}", where "prefix" selects the org.apache.commons.text.lookup.StringLookup instance that resolves "name". In versions 1.5 through 1.9 the default set of lookup instances includes three that reach outside the process: "script" evaluates the expression with a JVM script engine (javax.script), "dns" resolves DNS records, and "url" fetches the content of an arbitrary URL, so it can be made to issue arbitrary HTTP requests.
If an untrusted value is passed through this interpolation (for example a configuration value or request parameter that an attacker controls), the affected application is vulnerable to remote code execution. NVD scores the vulnerability 9.8 (Critical).
Apache Commons Text is a widely used library in the Java ecosystem and is pulled in transitively by many projects. Its security deserves the attention of all Web3 project parties: keep track of security flaws in the Web3 infrastructure you depend on and patch them in time to avoid potential security risks and loss of digital assets. We will continue to track security risks across Web3 and provide leading security solutions to keep the Web3 world safe both on-chain and off-chain.
Version affected
>=1.5, <=1.9 (1.5 through 1.9 inclusive)
Analysis
Reading the official 1.9 documentation shows the following:
Script interpolation executes a JavaScript expression through the script lookup and substitutes the result; for example, ${script:javascript:3 + 4} is evaluated by the JavaScript engine and replaced with 7.
The vulnerability description says the script lookup uses the JVM script execution engine (javax.script). The JavaScript engine bundled with JDK 8 to 14 (Nashorn) can call arbitrary Java classes from script, so it is reasonable to expect that StringSubstitutor.replace executes attacker-supplied Java code whenever script interpolation is applied to untrusted input. (On JDK 15 and later no JavaScript engine ships by default; the script lookup then fails with an exception unless an engine such as standalone Nashorn is on the classpath, but the prefix is still dispatched and any other registered engine can be named instead.)
Construct a PoC:
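As an added example (it is not the article's own PoC and not code from Apache Commons Text), the following Java program puts the vulnerable pattern next to a hardened version. It assumes commons-text 1.9 on the classpath and a JDK that ships a JavaScript ScriptEngine (Nashorn, JDK 8 to 14); the payload is constructed here and only reads a system property, so the program can be run safely.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookupFactory;

// Added example, not the article's PoC. Assumes commons-text 1.9 and a JDK with a
// JavaScript ScriptEngine (Nashorn ships with JDK 8 to 14).
public class Text4ShellDemo {

    // Vulnerable pattern: attacker-controlled text reaches the default interpolator,
    // whose stringLookupMap (versions 1.5 to 1.9) contains script, dns, url, file, ...
    static String renderVulnerable(String untrusted) {
        return StringSubstitutor.createInterpolator().replace(untrusted);
    }

    // Hardened pattern: resolve only variables from an explicit allowlist.
    // mapStringLookup answers null for any other key, including "script:...", so the
    // substitutor leaves such text untouched and no lookup class is ever invoked.
    static String renderHardened(String untrusted, Map<String, String> allowed) {
        StringSubstitutor sub = new StringSubstitutor(
                StringLookupFactory.INSTANCE.mapStringLookup(allowed));
        return sub.replace(untrusted);
    }

    public static void main(String[] args) {
        // Constructed payload in the ScriptStringLookup form ${script:<engine>:<code>}.
        // A real attacker would run a command here; this one only reads a property.
        String payload = "${script:javascript:java.lang.System.getProperty('java.version')}";
        // Constructed template that mixes a legitimate variable with the payload.
        String template = "Hello ${name}, your greeting is " + payload;

        Map<String, String> allowed = new HashMap<>();
        allowed.put("name", "alice");

        try {
            // 1.5 to 1.9: the script runs and its result is spliced into the string.
            System.out.println("vulnerable: " + renderVulnerable(payload));
        } catch (IllegalArgumentException e) {
            // ScriptStringLookup wraps failures (for example no "javascript" engine on
            // JDK 15+) in IllegalArgumentException; the prefix was still dispatched.
            System.out.println("vulnerable (script lookup reached, but failed): " + e.getMessage());
        }

        // The allowlisted variable is resolved; the script directive stays literal text.
        System.out.println("hardened:   " + renderHardened(template, allowed));
    }
}
```

The hardened version does not try to filter the input; it removes the dangerous capability instead, so the ${script:...} text survives as an inert literal. If an application really needs system or environment lookups, construct the interpolator from an explicit map of the lookups it needs rather than relying on the defaults.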
Start at the entry point: StringSubstitutor.replace calls the substitute method to process the incoming string.
substitute scans for ${...} sequences, extracts the variable text and hands it to resolveVariable.
resolveVariable calls the lookup method of the configured StringLookup object, here an InterpolatorStringLookup.
The other interpolations are registered in stringLookupMap when that object is initialised; each prefix maps to a different lookup instance.
For the prefix script, the lookup instance is ScriptStringLookup, so its lookup method is invoked with the remainder of the variable (engine name and script).
In that method scriptEngine.eval is finally called on the attacker-controlled script, which triggers the vulnerability.
Call stack:
Fix
In version 1.10.0 the script lookup (along with dns and url) is no longer added to stringLookupMap when the default set is initialised, so the prefix finds no lookup instance: lookup is null, nothing is evaluated, and the ${...} text is left in place. Note that 1.10.0 still lets an operator re-enable these lookups through the system property org.apache.commons.text.lookup.StringLookupFactory.defaultStringLookups, so the upgrade only helps if that property does not list them.
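A runtime check, added here as an example and not taken from the article or from the Commons Text project: it reports whether the interpolator the application actually uses still dispatches the script prefix, which catches both an unpatched 1.9 and a 1.10.0 where the lookup was re-enabled through the system property. It assumes commons-text on the classpath; the probe expression is constructed and harmless.

```java
import org.apache.commons.text.StringSubstitutor;

// Added example, not project code. Probes the default interpolator with a harmless
// script directive: on 1.5 to 1.9 the prefix is dispatched to ScriptStringLookup, on a
// default 1.10.0 the prefix is unknown, lookup is null and the text is left unchanged.
public class ScriptLookupCheck {

    private static final String PROBE = "${script:javascript:1+1}";

    // true  -> the script lookup is still wired in (vulnerable configuration)
    // false -> the prefix is ignored (1.10.0 default behaviour)
    static boolean isScriptLookupEnabled() {
        try {
            String out = StringSubstitutor.createInterpolator().replace(PROBE);
            return !PROBE.equals(out);          // "2" on a vulnerable build
        } catch (IllegalArgumentException e) {
            // The lookup ran but failed (e.g. no "javascript" engine on JDK 15+).
            // The prefix was still dispatched, so the configuration is still unsafe:
            // an attacker can name any other script engine that is registered.
            return true;
        }
    }

    public static void main(String[] args) {
        boolean enabled = isScriptLookupEnabled();
        System.out.println("commons-text script lookup enabled: " + enabled);
        if (enabled) {
            System.out.println("upgrade to 1.10.0 and make sure "
                    + "org.apache.commons.text.lookup.StringLookupFactory.defaultStringLookups "
                    + "does not list SCRIPT");
        }
    }
}
```

Run this once at startup (or in a test) against the real classpath rather than trusting a version string in a build file: shaded jars and dependency convergence can leave an older commons-text on the runtime classpath even when the declared version is 1.10.0.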
Use of Other Interpolation
Read arbitrary files
${file:UTF-8:/etc/passwd}
Here the lookup instance is the FileStringLookup class.
Its lookup method reads the named file with the given charset and returns the contents as the substitution value.
Result:
DNS probe
${dns:127.0.0.1|test.xxx.xxx}
The DnsStringLookup resolves the hostname given after the "|" (the documented form is ${dns:address|hostname}); a resolution request arriving at a DNS server you control confirms the flaw without touching the target, so this payload can be used for non-destructive testing.
HTTP request
The UrlStringLookup fetches the URL from the server side, so the same primitive works as an SSRF: pointing it at internal hosts and ports reveals which are reachable from the response or error.
${url:UTF-8:http://127.0.0.1:2121}
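For defenders, the following added example (my code, not the article's or the project's) screens incoming strings for interpolation directives that use the prefixes discussed above, so suspicious requests or log lines can be flagged before they reach a substitutor. It assumes the input has already been decoded the way the application decodes it (URL or JSON decoding happens before the substitutor sees the string); the sample inputs are constructed. Because InterpolatorStringLookup lowercases the prefix before consulting stringLookupMap, the match is case-insensitive.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not the article's or Apache's code. Flags text containing
// ${prefix:...} directives for prefixes that reach code execution, file read, DNS or
// HTTP egress. Extend RISKY_PREFIXES for other default lookups (env, sys, java, ...).
public class InterpolatorScanner {

    static final List<String> RISKY_PREFIXES = Arrays.asList("script", "file", "dns", "url");

    // Mirrors the ${prefix:name} form. The closing brace is not required so that
    // truncated or oddly nested directives are still reported. Case-insensitive because
    // the interpolator lowercases the prefix before looking it up in stringLookupMap.
    private static final Pattern DIRECTIVE = Pattern.compile(
            "\\$\\{(" + String.join("|", RISKY_PREFIXES) + "):([^}]*)",
            Pattern.CASE_INSENSITIVE);

    // Returns one "prefix:argument" entry per risky directive found (prefix lower-cased).
    static List<String> findRiskyDirectives(String input) {
        List<String> hits = new ArrayList<>();
        Matcher m = DIRECTIVE.matcher(input);
        while (m.find()) {
            hits.add(m.group(1).toLowerCase(Locale.ROOT) + ":" + m.group(2));
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed inputs: the payload forms from this article plus benign strings.
        String[] samples = {
            "GET /search?q=${script:javascript:java.lang.System.getProperty('user.dir')}",
            "User-Agent: ${FILE:UTF-8:/etc/passwd}",
            "X-Forwarded-For: ${dns:address|test.xxx.xxx}",
            "q=${url:UTF-8:http://127.0.0.1:2121}",
            "q=${date:yyyy-MM-dd} and a plain variable ${name}",
        };
        for (String s : samples) {
            List<String> hits = findRiskyDirectives(s);
            System.out.println((hits.isEmpty() ? "ok    " : "ALERT ") + s
                    + (hits.isEmpty() ? "" : " -> " + hits));
        }
    }
}
```

Treat this as a detection aid, not a fix: the substitutor's other default lookups (env, sys, java, properties and the rest) can still leak information, and a filter is only as good as the decoding applied before it. The real remediation remains upgrading and building interpolators from an explicit allowlist of lookups.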
Summary
The exploit payload looks similar to Log4Shell and is just as easy for attackers to use, which is why some have started calling the issue "Text4Shell" or "Act4Shell".
We recommend that all Web3 project parties pay close attention: upgrade to Apache Commons Text 1.10.0 in time, confirm that the problematic interpolators stay disabled (do not re-enable them via the default-lookups system property), and never pass untrusted input through StringSubstitutor with the default interpolator, to avoid potential security risks and loss of digital assets.