Exploit introduction
Vulnerable versions: All systems running versions 1.5 to 1.9 of the Apache Commons Text library are vulnerable to CVE-2022-42889 (text4shell).
Vulnerability Type: Remote Code Execution (RCE)
Cause of the vulnerability: a logic bug in the StringSubstitutor class.
Introduction
Apache Commons Text is a Java library focused on algorithms that operate on strings. The vulnerability in this library is a remote code execution flaw of critical severity with a very high score (CVSS 9.8).
Vulnerability details
Vulnerable versions of this library allow an attacker to abuse the variable interpolation feature of Apache Commons Text, which can lead to dynamic evaluation of attacker-controlled expressions. Note that systems on which a vulnerable version of Apache Commons Text is installed are exposed to RCE attacks and to unintended communication with untrusted servers.
The standard format of an interpolation expression is "${prefix:name}", where prefix is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation.
The default set of lookups included interpolators that could be used to execute attacker-chosen code remotely.
Prefixes that may be misused for exploitation are:
- script: executes a script using the JVM script execution engine (javax.script).
- dns: resolves DNS records.
- url: loads values from a URL.
Examples of how an attacker uses the three prefixes script, dns, and url:
- ${script:name}, e.g. ${script:javascript:java.lang.Runtime.getRuntime().exec('whoami')}
- ${url:name}, e.g. ${url:UTF-8:https://domain.tld}
- ${dns:name}, e.g. ${dns:address|domain.tld}
Solution to prevent intrusion
The problem in versions 1.5 to 1.9 has been fixed in version 1.10 of this library.
Patched version release date: 09-24-2022
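The following Java example is added here and is not part of the original advisory or of the Apache Commons Text project. It shows two defensive measures that complement the upgrade described above: a StringSubstitutor built from an explicit allow-list of lookups (so the script, dns and url prefixes are never resolved, whatever the input contains), and a pre-check that flags those prefixes in data crossing a trust boundary so the event can be logged. It assumes Apache Commons Text 1.9 on the classpath and uses the classes org.apache.commons.text.StringSubstitutor, org.apache.commons.text.lookup.StringLookup and org.apache.commons.text.lookup.StringLookupFactory; the class name Text4ShellHardening and the sample template are constructed for this example.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

// Added example, not code from the advisory or from Apache Commons Text.
public class Text4ShellHardening {

    // Constructed sample input containing the three payload shapes listed in
    // the advisory, next to one legitimate ${sys:...} reference.
    static final String UNTRUSTED_TEMPLATE =
        "user=${sys:user.name} "
      + "attempt1=${script:javascript:java.lang.Runtime.getRuntime().exec('whoami')} "
      + "attempt2=${url:UTF-8:https://domain.tld} "
      + "attempt3=${dns:address|domain.tld}";

    /**
     * Returns a substitutor that only knows the prefixes registered here.
     * addDefaultLookups=false stops the library from adding its built-in
     * lookups, which in versions 1.5 to 1.9 included script, dns and url.
     * An unknown prefix falls through to the default lookup, which is null,
     * so the expression is left verbatim instead of being evaluated.
     */
    static StringSubstitutor allowListedSubstitutor() {
        Map<String, StringLookup> allowed = new HashMap<>();
        allowed.put("sys", StringLookupFactory.INSTANCE.systemPropertyStringLookup());
        StringLookup interpolator =
            StringLookupFactory.INSTANCE.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator);
    }

    /**
     * Detection hook: true if the text carries a prefix this application never
     * intends to interpolate. The library lower-cases prefixes before matching,
     * so the check is case-insensitive as well.
     */
    static boolean containsDangerousPrefix(String text) {
        String lower = text.toLowerCase();
        return lower.contains("${script:")
            || lower.contains("${dns:")
            || lower.contains("${url:");
    }

    public static void main(String[] args) {
        if (containsDangerousPrefix(UNTRUSTED_TEMPLATE)) {
            System.out.println("alert: dangerous interpolation prefix present in input");
        }
        String out = allowListedSubstitutor().replace(UNTRUSTED_TEMPLATE);
        // Only ${sys:user.name} is resolved; the script, url and dns
        // expressions remain unchanged in the output.
        System.out.println(out);
    }
}
```

Upgrading to 1.10 remains the primary fix: from that release the script, dns and url lookups are no longer part of the default interpolator. The allow-list construction above is worth keeping even after the upgrade, because it documents exactly which lookups an application relies on and makes any future default change irrelevant to it.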