## https://sploitus.com/exploit?id=6628A1A6-257E-5872-9001-BDD3C876A238
# CVE-2022-46364 โ Apache CXF MTOM/XOP SSRF (File Read)
> Proof-of-Concept exploit for **CVE-2022-46364** โ an Apache CXF server-side request forgery (SSRF) vulnerability in MTOM/XOP request processing.
---
## Vulnerability Summary
**CVE-2022-46364** affects Apache CXF versions before **3.4.10** and **3.5.5**. When MTOM (Message Transmission Optimization Mechanism) is enabled on a SOAP service, the CXF unmarshaller incorrectly validates the `href` attribute inside `` elements. Instead of restricting `href` to `cid:` URIs (as required by the W3C XOP specification), CXF dereferences arbitrary URIs โ including `file://`, `http://`, and `https://`.
This allows an unauthenticated attacker to:
- Read arbitrary local files (`file:///etc/passwd`)
- Perform SSRF against internal services (`http://169.254.169.254/`)
- Potentially reach cloud metadata endpoints or internal APIs
---
## Target
This PoC was written and tested against the **Hack The Box** machine:
**Target endpoint:** `http://devarea.htb:8080/employeeservice`
But small changes in XML payload according to target WSDL, make it adaptable to target environment.
---
## Usage
### Read /etc/passwd (default target)
Default Url is `http://devarea.htb:8080/employeeservice`.
```bash
python3 CVE-2022-46364.py --file /etc/passwd
```
### Custom target URL
```bash
python3 CVE-2022-46364.py --url http://target:8080/employeeservice --file /etc/passwd
```
### Verbose mode โ show request & raw response
```bash
python3 CVE-2022-46364.py --file /etc/passwd --verbose
```
---
## Adapting to Other Targets
> **Important:** This script is hardcoded for the HTB DevArea WSDL structure. To use it against another vulnerable Apache CXF service, you **must modify the SOAP payload** inside `build_payload()` to match the target's WSDL contract.
### Steps to adapt:
1. **Fetch the WSDL** from the target:
```bash
curl http://target:8080/employeeservice?wsdl
```
2. **Identify the service details:**
- `targetNamespace` (e.g. `http://devarea.htb/`)
- Operation name (e.g. `submitReport`)
- Parameter structure (e.g. `` with nested ``)
3. **Modify the payload** in `build_payload()`:
- Update the namespace (`xmlns:dev="..."`)
- Update the operation name (``)
- Update the parameter wrapper (``)
- Place `` inside a field that the server will process as an attachment
4. **Update `--url`** when running the script.
### Example WSDL adaptation
Given this WSDL snippet:
```xml
```
Your payload should become:
```xml
```
---
## How It Works
1. The script crafts a `multipart/related` HTTP request with `Content-Type: application/xop+xml`.
2. Inside the SOAP body, an `` element is placed.
3. The vulnerable CXF server treats this as an attachment reference and dereferences the `file://` URI.
4. The file contents are read, base64-encoded by the server, and returned inside the SOAP `` element.
5. The script extracts the base64 string after `Content:` and decodes it.
---
## References
| Resource | Link |
|----------|------|
| Apache CXF Advisory | [CVE-2022-46364](https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt) |
| NVD Entry | [NVD โ CVE-2022-46364](https://nvd.nist.gov/vuln/detail/CVE-2022-46364) |
| Apache Jira (CXF-8706) | [CXF-8706](https://issues.apache.org/jira/browse/CXF-8706) |
| W3C XOP Specification | [XML-binary Optimized Packaging](https://www.w3.org/TR/xop10/) |
| Penligent Deep Dive | [CVE-2022-46364 PoC in Practice](https://www.penligent.ai/hackinglabs/cve-2022-46364-proof-of-concept-apache-cxf-mtom-ssrf-in-practice/) |
| HTB DevArea | [Hack The Box โ DevArea](https://app.hackthebox.com/machines/DevArea) |
---
## Disclaimer
This tool is intended for **authorized security testing and educational purposes only**. Always obtain explicit permission before testing systems you do not own. The author is not responsible for any misuse or damage caused by this script.
---
## License
MIT License โ feel free to use, modify, and share with proper attribution.