## https://sploitus.com/exploit?id=AF560983-0EB2-544A-AB6D-71D2577422AE
# CVE-2022-42889
CVE-2022-42889 Remote Code Execution Vulnerability aka Text4Shell

![CVE-2022-42889](t4s.jpeg?raw=true "CVE-2022-42889")


## CVE description
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. 

![CVE-2022-42889](exploit2.png?raw=true "CVE-2022-42889")

Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. 

![CVE-2022-42889](exploit.jpeg?raw=true "CVE-2022-42889")

These lookups are:
- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve dns records
- "url" - load values from urls, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.

![CVE-2022-42889](exploit3.png?raw=true "CVE-2022-42889")

## Who is vulnerable?
Tested vulnerable hosts:
- Apache Commons Text > 1.10.0
- Apache Commons Text 1.5 through 1.9

## CVE-2022-42889 download exploit
As mentioned at the beginning, CVE-2022-42889 was given such a high CVSS score because it is remote code execution. This means it can go unnoticed by the user and potentially by the security team as well. Such a powerful tool should not be fully public; there are strictly only a few copies available so that a REAL researcher can use it: https://satoshidisk[.]com/pay/CGgmIG

This should attract attention to the importance of cyber security; it can be tempting to ignore it, or palm it off to the IT team, but both of these options can leave you susceptible to real and damaging risks. Do NOT resell or leak this PoC or you can be at risk of breaking the law.

In order to run this you will need:
- JDK 11 or above
- Maven

## What's the Risk?
An attacker who controls the string passed into an affected StringSubstitutor replace call could:
- Run JavaScript code on the system (typically a server) executing the StringSubstitutor code
- Connect to other servers from the affected system
- Potentially gain access to other remote resources from the affected system

## Am I Vulnerable?
In order for your code to be vulnerable you need to:
- Be running a version of Apache commons-text from version 1.5.0 up to (and not including) 1.10.0
- Be using interpolation for your StringSubstitution (see https://commons.apache.org/proper/commons-text/apidocs/org/apache/commons/text/StringSubstitutor.html)
- Note that in JDK 15 and later the JavaScript engine is no longer included, so any instance running on a JVM 15 or later will not be vulnerable to RCE via the script key; however, it will still be vulnerable to the dns and url keys.

## Patching
There are currently no patches from Apache 

## Mitigation
You should upgrade your Apache Commons Text to version 1.10.0 or higher.
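Where an immediate upgrade is not possible, or as defence in depth after upgrading, the interpolator can be built from an explicit allow-list of lookups so that "script", "dns" and "url" are never registered. The following is an added example written for this page, not code from the PoC or from Apache; it assumes commons-text 1.5 or later on the classpath and uses a constructed `app` property map as sample input.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class Text4ShellHardening {

    // VULNERABLE pattern on commons-text 1.5 - 1.9: createInterpolator() wires in
    // the default lookups, which include "script", "dns" and "url". Any untrusted
    // string that reaches replace() can select one of those lookups.
    static String vulnerableExpand(String untrusted) {
        return StringSubstitutor.createInterpolator().replace(untrusted);
    }

    // HARDENED pattern: register only the lookups the application needs and pass
    // addDefaultLookups=false, so the dangerous default lookups are never present.
    // Unknown prefixes resolve to null and the ${...} token is left verbatim.
    static StringSubstitutor buildRestrictedSubstitutor(Map<String, String> appProperties) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("app", StringLookupFactory.INSTANCE.mapStringLookup(appProperties));
        allowed.put("date", StringLookupFactory.INSTANCE.dateStringLookup());
        StringLookup restricted = StringLookupFactory.INSTANCE.interpolatorStringLookup(
                allowed, /* defaultStringLookup */ null, /* addDefaultLookups */ false);
        StringSubstitutor sub = new StringSubstitutor(restricted);
        sub.setEnableSubstitutionInVariables(false); // no nested ${...} inside a variable name
        return sub;
    }

    public static void main(String[] args) {
        // Constructed sample input: one legitimate template key plus a template that
        // names a prefix which is not on the allow-list.
        Map<String, String> props = new HashMap<>();
        props.put("name", "reporting-service");
        StringSubstitutor sub = buildRestrictedSubstitutor(props);

        // Allowed prefix expands normally.
        System.out.println(sub.replace("service=${app:name}"));
        // Harmless self-check: the "script" prefix is not registered, so the token
        // is returned unchanged instead of being handed to javax.script.
        System.out.println(sub.replace("probe=${script:javascript:1+1}"));
    }
}
```

Run the second line against a `createInterpolator()` instance on an affected version to confirm the difference: the restricted substitutor echoes the token back, while the default one would evaluate it on JDKs that still ship a JavaScript engine.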

## Disclaimer
This project is intended for educational purposes only and cannot be used for law violation or personal gain.
The authors of this project are not responsible for any damages caused by direct or indirect use of the information or functionality provided by these scripts.