Share
## https://sploitus.com/exploit?id=6628A1A6-257E-5872-9001-BDD3C876A238
# CVE-2022-46364 โ€” Apache CXF MTOM/XOP SSRF (File Read)

> Proof-of-Concept exploit for **CVE-2022-46364** โ€” an Apache CXF server-side request forgery (SSRF) vulnerability in MTOM/XOP request processing.

---

## Vulnerability Summary

**CVE-2022-46364** affects Apache CXF versions before **3.4.10** and **3.5.5**. When MTOM (Message Transmission Optimization Mechanism) is enabled on a SOAP service, the CXF unmarshaller incorrectly validates the `href` attribute inside `` elements. Instead of restricting `href` to `cid:` URIs (as required by the W3C XOP specification), CXF dereferences arbitrary URIs โ€” including `file://`, `http://`, and `https://`.

This allows an unauthenticated attacker to:
- Read arbitrary local files (`file:///etc/passwd`)
- Perform SSRF against internal services (`http://169.254.169.254/`)
- Potentially reach cloud metadata endpoints or internal APIs

---

## Target

This PoC was written and tested against the **Hack The Box** machine:

**Target endpoint:** `http://devarea.htb:8080/employeeservice`

But small changes in XML payload according to target WSDL, make it adaptable to target environment.

---

## Usage

### Read /etc/passwd (default target)

Default Url is `http://devarea.htb:8080/employeeservice`.

```bash
python3 CVE-2022-46364.py --file /etc/passwd
```

### Custom target URL
```bash
python3 CVE-2022-46364.py --url http://target:8080/employeeservice --file /etc/passwd
```

### Verbose mode โ€” show request & raw response
```bash
python3 CVE-2022-46364.py --file /etc/passwd --verbose
```

---

## Adapting to Other Targets

> **Important:** This script is hardcoded for the HTB DevArea WSDL structure. To use it against another vulnerable Apache CXF service, you **must modify the SOAP payload** inside `build_payload()` to match the target's WSDL contract.

### Steps to adapt:

1. **Fetch the WSDL** from the target:
   ```bash
   curl http://target:8080/employeeservice?wsdl
   ```

2. **Identify the service details:**
   - `targetNamespace` (e.g. `http://devarea.htb/`)
   - Operation name (e.g. `submitReport`)
   - Parameter structure (e.g. `` with nested ``)

3. **Modify the payload** in `build_payload()`:
   - Update the namespace (`xmlns:dev="..."`)
   - Update the operation name (``)
   - Update the parameter wrapper (``)
   - Place `` inside a field that the server will process as an attachment

4. **Update `--url`** when running the script.

### Example WSDL adaptation

Given this WSDL snippet:
```xml

  
    
  

```

Your payload should become:
```xml

  
    
      
        
      
    
  

```

---

## How It Works

1. The script crafts a `multipart/related` HTTP request with `Content-Type: application/xop+xml`.
2. Inside the SOAP body, an `` element is placed.
3. The vulnerable CXF server treats this as an attachment reference and dereferences the `file://` URI.
4. The file contents are read, base64-encoded by the server, and returned inside the SOAP `` element.
5. The script extracts the base64 string after `Content:` and decodes it.

---

## References

| Resource | Link |
|----------|------|
| Apache CXF Advisory | [CVE-2022-46364](https://cxf.apache.org/security-advisories.data/CVE-2022-46364.txt) |
| NVD Entry | [NVD โ€” CVE-2022-46364](https://nvd.nist.gov/vuln/detail/CVE-2022-46364) |
| Apache Jira (CXF-8706) | [CXF-8706](https://issues.apache.org/jira/browse/CXF-8706) |
| W3C XOP Specification | [XML-binary Optimized Packaging](https://www.w3.org/TR/xop10/) |
| Penligent Deep Dive | [CVE-2022-46364 PoC in Practice](https://www.penligent.ai/hackinglabs/cve-2022-46364-proof-of-concept-apache-cxf-mtom-ssrf-in-practice/) |
| HTB DevArea | [Hack The Box โ€” DevArea](https://app.hackthebox.com/machines/DevArea) |

---

## Disclaimer

This tool is intended for **authorized security testing and educational purposes only**. Always obtain explicit permission before testing systems you do not own. The author is not responsible for any misuse or damage caused by this script.

---

## License

MIT License โ€” feel free to use, modify, and share with proper attribution.