CVE-2022-22965 - CVE-2010-1622 redux

Last update: Aug 25, 2022

Overview

CVE-2022-22965 - vulnerable app and PoC

Trial & error

$ docker rm -f rce; docker build -t rce:latest . && docker run -d -p 8080:8080 --name rce rce:latest && sleep 5 && python poc.py

Output example

rce
sha256:f626a2190dc0790c610afd4f12a4b2482b6a726d671fdac1432275de89c07cd6
1a048e5725f754d331de9491d0750c4c7a163472dea1fd1554edccfd00d7f6e5
deploy <Response [200]>
webshell <Response [404]>
webshell <Response [404]>
webshell <Response [404]>
webshell <Response [404]>
webshell <Response [500]>
webshell http://localhost:8080/tomcatwar.jsp?cmd=whoami
root

Identification with Semgrep

$ semgrep --config=semgrep-rule.yml .

Semgrep rule and test cases

Output example

Findings:

  src/main/java/com/example/demo/controller/IndexController.java
     cve-2022-22965
        Semgrep found a match


         14┆ @RequestMapping("/index")
         15┆ public void index(EvalBean evalBean) {
         16┆
         17┆ }

Ran 1 rule on 3 files: 1 finding.

Vulnerable app requirements¹

JDK 9 or above
Standalone Tomcat (no Embedded Tomcat) with WAR deployment
Any Spring version before 5.3.18 / 5.2.20 (Spring Boot before 2.5.12 / 2.6.6)
No blocklist on WebDataBinder / InitBinder
Parameter bind with POJOs directly (no @RequestBody, @RequestQuery, etc.)
Writeable file system (e.g webapps/ROOT)

Sources

Assuming exploits similar to the known PoCs. There might be other gadgets... ↩

CVE-2022-22965 - CVE-2010-1622 redux

Related tags

Overview

CVE-2022-22965 - vulnerable app and PoC

Trial & error

Output example

Identification with Semgrep

Output example

Vulnerable app requirements¹

Sources

Owner

Duarte Duarte

Implementation of RITA (Real Intelligence Threat Analytics) in Jupyter Notebook with improved scoring algorithm.

This repo is about steps to create a effective custom wordlist in a few clicks/

Local File Inclusion Scanner and Exploiter

GitLab CE/EE Preauth RCE using ExifTool

Scout Suite - an open source multi-cloud security-auditing tool,

A malware to encrypt all the .txt and .jpg files in target computer using RSA algorithms

This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).

nuclei scanner for proxyshell ( CVE-2021-34473 )

Providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account.

Abusing Microsoft 365 OAuth Authorization Flow for Phishing Attack

Scan all java processes on your host to check weather it's affected by log4j2 remote code execution

Proof of concept of CVE-2022-21907 Double Free in http.sys driver, triggering a kernel crash on IIS servers

Simples brute forcer de diretorios para web pentest.

Web3 Pancakeswap Sniper & honeypot detector Take Profit/StopLose bot written in python3, For ANDROID WIN MAC & LINUX

Vulnerability Exploitation Code Collection Repository

Script Crack Facebook Yang Kaya Akan Teh Hijau 🚶‍♂

this keylogger is only for pc not for android but it will only work on those pc who have python installed it is made for all linux,windows and macos

ProxyLogon(CVE-2021-26855+CVE-2021-27065) Exchange Server RCE(SSRF->GetWebShell)

An advanced multi-threaded, multi-client python reverse shell for hacking linux systems

GDID (Google Dorks for Information Disclosure)

CVE-2022-22965 - CVE-2010-1622 redux

Related tags

Overview

CVE-2022-22965 - vulnerable app and PoC

Trial & error

Output example

Identification with Semgrep

Output example

Vulnerable app requirements1

Sources

Footnotes

Owner

Duarte Duarte

Implementation of RITA (Real Intelligence Threat Analytics) in Jupyter Notebook with improved scoring algorithm.

This repo is about steps to create a effective custom wordlist in a few clicks/

Local File Inclusion Scanner and Exploiter

GitLab CE/EE Preauth RCE using ExifTool

Scout Suite - an open source multi-cloud security-auditing tool,

A malware to encrypt all the .txt and .jpg files in target computer using RSA algorithms

This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).

nuclei scanner for proxyshell ( CVE-2021-34473 )

Providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account.

Abusing Microsoft 365 OAuth Authorization Flow for Phishing Attack

Scan all java processes on your host to check weather it's affected by log4j2 remote code execution

Proof of concept of CVE-2022-21907 Double Free in http.sys driver, triggering a kernel crash on IIS servers

Simples brute forcer de diretorios para web pentest.

Web3 Pancakeswap Sniper & honeypot detector Take Profit/StopLose bot written in python3, For ANDROID WIN MAC & LINUX

Vulnerability Exploitation Code Collection Repository

Script Crack Facebook Yang Kaya Akan Teh Hijau 🚶‍♂

this keylogger is only for pc not for android but it will only work on those pc who have python installed it is made for all linux,windows and macos

ProxyLogon(CVE-2021-26855+CVE-2021-27065) Exchange Server RCE(SSRF->GetWebShell)

An advanced multi-threaded, multi-client python reverse shell for hacking linux systems

GDID (Google Dorks for Information Disclosure)

Vulnerable app requirements¹