Metasploit Weekly Wrap-Up: 4/1/22

Apr 01, 2022
1 min read
Alan David Foster

Last updated at Mon, 22 Jan 2024 18:19:54 GMT

CVE-2022-22963 - Spring Cloud Function SpEL RCE

A new exploit/multi/http/spring_cloud_function_spel_injection module has been developed by our very own Spencer McIntyre which targets Spring Cloud Function versions Prior to 3.1.7 and 3.2.3. This module is unrelated to Spring4Shell CVE-2022-22965, which is a separate vulnerability in the WebDataBinder component of Spring Framework.

This exploit works by crafting an unauthenticated HTTP request to the target application. When the spring.cloud.function.routing-expression HTTP header is received by the server it will evaluate the user provided SpEL (Spring Expression Language) query, leading to remote code execution. This can be seen within the CVE-2022-22963 Metasploit module:

res = send_request_cgi(
    'method' => 'POST',
    'uri' => normalize_uri(datastore['TARGETURI']),
    'headers' => {
    'spring.cloud.function.routing-expression' => "T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','#{cmd.gsub("'", "''")}'})"
    }
)

Both patched and unpatched servers will respond with a 500 server error and a JSON encoded message

New module content (1)

Spring Cloud Function SpEL Injection by Spencer McIntyre, hktalent, and m09u3r, which exploits CVE-2022-22963 - This achieves unauthenticated remote code execution by executing SpEL (Spring Expression Language) queries against Spring Cloud Function versions prior to 3.1.7 and 3.2.3.

Bugs fixed (2)

#16364 from zeroSteiner - This adds a fix for a crash in auxiliary/spoof/dns/native_spoofer and adds documentation for the module.
#16386 from adfoster-r7 - Fixes a crash when running the exploit/multi/misc/java_rmi_server module against at target server, such as Metasploitable2

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Weekly Wrap-Up: 4/1/22

CVE-2022-22963 - Spring Cloud Function SpEL RCE

New module content (1)

Bugs fixed (2)

Get it

POST TAGS

SHARING IS CARING

AUTHOR

Topics

Popular Tags

Related Posts

Success! Thank you for submission. We will be in touch shortly.

Oops! There was a problem in submission. Please try again.

Submit your information and we will get in touch with you.

Metasploit Weekly Wrap-Up: 4/1/22

CVE-2022-22963 - Spring Cloud Function SpEL RCE

New module content (1)

Bugs fixed (2)

Get it

POST TAGS

SHARING IS CARING

AUTHOR

Topics

Popular Tags

Related Posts

Related Posts

Success! Thank you for submission. We will be in touch shortly.

Oops! There was a problem in submission. Please try again.

Submit your information and we will get in touch with you.

Never miss a blog