CVE-2022-22965 - CVE-2010-1622 redux

Last update: Aug 25, 2022

Overview

CVE-2022-22965 - vulnerable app and PoC

Trial & error

$ docker rm -f rce; docker build -t rce:latest . && docker run -d -p 8080:8080 --name rce rce:latest && sleep 5 && python poc.py

Output example

rce
sha256:f626a2190dc0790c610afd4f12a4b2482b6a726d671fdac1432275de89c07cd6
1a048e5725f754d331de9491d0750c4c7a163472dea1fd1554edccfd00d7f6e5
deploy <Response [200]>
webshell <Response [404]>
webshell <Response [404]>
webshell <Response [404]>
webshell <Response [404]>
webshell <Response [500]>
webshell http://localhost:8080/tomcatwar.jsp?cmd=whoami
root

Identification with Semgrep

$ semgrep --config=semgrep-rule.yml .

Semgrep rule and test cases

Output example

Findings:

  src/main/java/com/example/demo/controller/IndexController.java
     cve-2022-22965
        Semgrep found a match


         14┆ @RequestMapping("/index")
         15┆ public void index(EvalBean evalBean) {
         16┆
         17┆ }

Ran 1 rule on 3 files: 1 finding.

Vulnerable app requirements¹

JDK 9 or above
Standalone Tomcat (no Embedded Tomcat) with WAR deployment
Any Spring version before 5.3.18 / 5.2.20 (Spring Boot before 2.5.12 / 2.6.6)
No blocklist on WebDataBinder / InitBinder
Parameter bind with POJOs directly (no @RequestBody, @RequestQuery, etc.)
Writeable file system (e.g webapps/ROOT)

Sources

Assuming exploits similar to the known PoCs. There might be other gadgets... ↩

CVE-2022-22965 - CVE-2010-1622 redux

Related tags

Overview

CVE-2022-22965 - vulnerable app and PoC

Trial & error

Output example

Identification with Semgrep

Output example

Vulnerable app requirements¹

Sources

Owner

Duarte Duarte

Convert a collection of features to a fixed-dimensional matrix using the hashing trick.

Tor Relay availability checker, for using it as a bridge in countries with censorship

DNSpooq - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685)

A Python application to predict what is cooking

Detection tool of malware(s) by checksum (useful for forensic)

On the 11/11/21 the apache 2.4.49-2.4.50 remote command execution POC has been published online and this is a loader so that you can mass exploit servers using this.

Discord-email-spammer-exploit - A discord email spammer exploit with python

A Tool for subdomain scan with other tools

PassLock is a medium-security password manager that encrypts passwords using Advanced Encryption Standards (AES)

compact and speedy hash cracker for md5, sha1, and sha256 hashes

A bitcoin private keys brute-forcing tool. Educational purpose only.

A semi-automatic osint/recon framework.

Red Team Toolkit is an Open-Source Django Offensive Web-App which is keeping the useful offensive tools used in the red-teaming together.

Subdomain enumeration,Web scraping and finding usernames automation script written in python

This is python script that will extract the functions call in all used DLL in an executable and then provide a mapping of those functions to the attack classes defined and curated malapi.io.

Log4jScanner is a Log4j Related CVEs Scanner, Designed to Help Penetration Testers to Perform Black Box Testing on given subdomains.

Statistical Random Number Generator Attack Against The Kirchhoff-law-johnson-noise (Kljn) Secure Key Exchange Protocol

dos-atack-tor script de python que permite usar conexiones cebollas para atacar paginas .onion o paginas convencionales via tor.

adb - A tool that allows you to search for vulnerable android devices across the world and exploit them.

Directory Traversal in Afterlogic webmail aurora and pro

CVE-2022-22965 - CVE-2010-1622 redux

Related tags

Overview

CVE-2022-22965 - vulnerable app and PoC

Trial & error

Output example

Identification with Semgrep

Output example

Vulnerable app requirements1

Sources

Footnotes

Owner

Duarte Duarte

Convert a collection of features to a fixed-dimensional matrix using the hashing trick.

Tor Relay availability checker, for using it as a bridge in countries with censorship

DNSpooq - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685)

A Python application to predict what is cooking

Detection tool of malware(s) by checksum (useful for forensic)

On the 11/11/21 the apache 2.4.49-2.4.50 remote command execution POC has been published online and this is a loader so that you can mass exploit servers using this.

Discord-email-spammer-exploit - A discord email spammer exploit with python

A Tool for subdomain scan with other tools

PassLock is a medium-security password manager that encrypts passwords using Advanced Encryption Standards (AES)

compact and speedy hash cracker for md5, sha1, and sha256 hashes

A bitcoin private keys brute-forcing tool. Educational purpose only.

A semi-automatic osint/recon framework.

Red Team Toolkit is an Open-Source Django Offensive Web-App which is keeping the useful offensive tools used in the red-teaming together.

Subdomain enumeration,Web scraping and finding usernames automation script written in python

This is python script that will extract the functions call in all used DLL in an executable and then provide a mapping of those functions to the attack classes defined and curated malapi.io.

Log4jScanner is a Log4j Related CVEs Scanner, Designed to Help Penetration Testers to Perform Black Box Testing on given subdomains.

Statistical Random Number Generator Attack Against The Kirchhoff-law-johnson-noise (Kljn) Secure Key Exchange Protocol

dos-atack-tor script de python que permite usar conexiones cebollas para atacar paginas .onion o paginas convencionales via tor.

adb - A tool that allows you to search for vulnerable android devices across the world and exploit them.

Directory Traversal in Afterlogic webmail aurora and pro

Vulnerable app requirements¹