Will Dormann Profile picture
Mar 31 11 tweets 7 min read
Can confirm! The #Spring4Shell exploit in the wild appears to work against the stock "Handling Form Submission" sample code from spring.io
If the sample code is vulnerable, then I suspect there are indeed real-world apps out there that are vulnerable to RCE...
Ways that Cyber Kendra made this worse for everyone:
1) Sensational blog post indicating that this is going to ruin the internet (red flag!).
2) Linking to a git commit about deserialization that has absolutely nothing to do with the issue demonstrated by the original party.
The original researcher also made this a touch more confusing/misleading than it needed to be as well. To one not familiar with Java, the long list of requirements makes it seem like one may need to intentionally make an app vulnerable. This is not the case.
What is TBD is:
What actual real-world applications are vulnerable to this issue?
Or is it likely to affect mostly just custom-built software that uses Spring and meets the list of requirements to be vulnerable.
Note that Spring has an advisory out on this:
spring.io/blog/2022/03/3…
Specifically important is: Spring Framework 5.3.18 and 5.2.20 address this vulnerability.
Relevant fixes are in CachedIntrospectionResults
github.com/spring-project…
github.com/spring-project…
I've published a note, now that we have the official CVE-2022-22965 designation for #SpringShell / #Spring4Shell
Nothing novel revealed there, but it should at least help for official tracking.
kb.cert.org/vuls/id/970766
I'm not sure why it took so long for me to notice, but the screenshot right in that original report calls out exactly where shenanigans begin: getCachedIntrospectionResults()
The patch for CVE-2022-22965 fixes CachedIntrospectionResults, which is invoked by this function.
For local scanning of code vulnerable to CVE-2022-22965, this seems to do the trick:
github.com/hillu/local-sp…
For remote scanning of a live web server even w/ just curl and looking for HTTP 400, that's possible, but trickier:
1) You need to know that the target is even tomcat.
2) You need to know the relevant endpoint to hit.
3) You need to test both POST and GET.
In case anybody is curious how the local scanner works, it's just comparing the hashes of the CachedIntrospectionResults.class file against known-vulnerable versions. This picked up all of the vulnerable components I happened to have handy for testing.
github.com/hillu/local-sp…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Will Dormann

Will Dormann Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @wdormann

Mar 30
OK, where are we with Spring stuff?
1) CVE-2022-22963 is a thing, and it affects Spring Cloud Connector. It's RCE, so the CVSS score of 5.4 seems way off.
2) Spring4Shell / SpringShell, invented by Cyber Kendra, isn't a Spring vulnerability at all.
Does that sound about right?
And just for the Twitter record, @VMwareTanzu assigned CVE-2022-22963 a CVSS score of 5.4
Yet it's an unauthenticated RCE vulnerability.
Which in my mind puts it closer to a 9.8.
And to tie up this thread, I've confirmed that #SpringShell / #Spring4Shell *IS* indeed a thing.
This wasn't immediately obvious because of Cyber Kendra linking SpringShell to a commit for a COMPLETELY UNRELATED issue that is NOT A VULNERABILITY.
<sigh>
Read 4 tweets
Mar 16
Oh, this is good.
Think you're typing into a pop-up window? Make sure that you try to drag it OUTSIDE OF the content area of the page first.
Surely normal human beings do this.
But wait!
We security folks know that the content area of a browser is 100% under control of somebody else. We wouldn't design a system where a user must visually verify something within this space, right?
Let's look at a site that is apparently popular for some reason: Pinterest
Am I picking on Pinterest? Nope.
This is a standard OAuth login technique. For example, here's an Auth0 demo page.
Are we relying on end users knowing that they need to drag pop-ups outside of the content area of a browser to know that it's legit?
Read 4 tweets
Feb 23
If you enabled Extended Protection for Authentication (EPA) for your AD CS server this summer to protect against PetitPotam, good for you.
If you haven't, well, I've got some bad news for you...
Nothing more than a system on the same (V)LAN as a domain-joined host is required. No password knowledge necessary.
By using mitm6 + krbrelayx to relay a kerberos ticket to an AD CS that hasn't been locked down, we get a certificate that can get us to Domain Admin.
The defenses against this are:
- Enable TLS + EPA in IIS on any AD CS system you use. This is the same thing that protected you against the PetitPotam attack chain.
- If you don't use IPv6, block with firewalls both DHCPv6 and ICMPv6 traffic.
dirkjanm.io/relaying-kerbe…
Read 5 tweets
Dec 13, 2021
I cannot stress how wrong the NVD / Mitre entry is for CVE-2021-44228.
The fact that you're running a current JRE version does NOT protect against RCE with log4j!
How did the CVE entry get to be wrong?
Two days ago, @iamamoose corrected the vulnerability description in CVE: github.com/CVEProject/cve…
12 hours ago, the fix was reverted so that it's incorrect again:
github.com/CVEProject/cve…
Can anybody explain to my simple brain why?
I'd love to hear from @CVEannounce or anybody at @MITREcorp as to why an officially accepted commit to the CVEProject cvelist repo was automatically clobbered with HARMFULLY INCORRECT data as part of an automatic "-Synchronized-Data." commit two days later.
Read 5 tweets
Dec 1, 2021
Trusted App
Based on my knowledge of word meanings, you're telling me that this app is trustworthy.
This is about as sage advice as saying "Look for the padlock to know that you're safe" ...
in a web browser where any site can make the address bar show whatever address they want.
PublisherDisplayName ... where does that come from?
That's right, the app author choses whatever they want.
This is the information that is presented to the user all while saying that the app is "Trusted"
Who are they to disagree?
This seems... broken?
This all (including the fake "Adobe Inc." app) has been public for about a month: news.sophos.com/en-us/2021/11/…
Given how broken this all seems, you probably wouldn't want the ability to click into an AppX installer, right? Good. See: gist.github.com/wdormann/90fce…
Read 6 tweets
Oct 22, 2021
Note that while the exploit doesn't appear to work as-is on Windows 10, it definitely still shows behaviors that shouldn't be allowed.
That is, it still allows a non-elevated prompt to modify the contents of C:\Windows\system32 with SYSTEM privileges. ImageImage
Scratch that...
It IS compatible with Windows 10. It's just not terribly reliable as-is to achieve LPE.
It took multiple attempts, each reverting to the same VM snapshot, but here are shots of a successful run. ImageImage
Read 8 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(