Illusive Blog April 13, 2022

How Illusive detects “Spring4Shell” internal exploitation attempts

By Yan Linkov
Vulnerabilities

What is the Spring Framework

Spring is a highly popular open-source software framework for building Java applications, including web apps on top of the Java EE (Enterprise Edition) platform.
Today it is maintained by a VMware subsidiary – Spring.IO.

What Happened?

On March 30, 2022, there were initial rumors regarding a Zero-Day RCE in Spring Core which started with a publication of a POC exploitation code, followed by an official announcement and a critical severity CVE-2022-22965 publication on March 31, 2022.

The RCE was initially dubbed “Spring4Shell” which immediately created hype around it due to its name similarity to the previous “Log4Shell” vulnerability.

Who is vulnerable

These are the prerequisites for the exploit:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as WAR
  • spring-webmvc or spring-webflux dependency
  • Spring Framework
    • 5.3.0 to 5.3.17
    • 5.2.0 to 5.2.19
    • Older, unsupported versions are also affected

It should be noted that the ability of this vulnerability to be exploited is also affected by code implementation, even meeting the vulnerability requirements listed above may not be enough for exploitation.

However, the vendor disclosed that, “the nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet.”

That means you can’t be sure there are no other vulnerability scenarios out there.

Spring4Shell Vulnerability Overview

The Spring mechanism that enables the vulnerability is a data binding function.
When used properly, it takes parameters from the HTTP request (URL/Body) and assigns them to JAVA objects.

The vulnerability allows access to unintended object attributes, such as the classloader, which is due to changes introduced in JAVA 9.

For Tomcat-based applications it means there is a way to access the logging properties.
The current popular exploitation payload leverages the vulnerability to manipulate the Tomcat server logging properties, enabling the attacker to drop a webshell onto the Web Server’s Root directory, which consequently allows the attacker to run commands on the affected server.
It should be noted that other exploitation payloads might start popping soon enough.

Mitigation

The recommended mitigation strategy is to upgrade to Spring Framework 5.3.18 and 5.2.20.
There are also some other workarounds provided by the vendor which might be helpful on some level.

Illusive Shadow Detect Spring4Shell Without Any Special Configuration

  • llusive Shadow Provides Web-based deceptions.
  • The Deception is comprised of two parts:
    • Web server
    • Bread crumbs pointing to the web server
  • If an Attacker is already inside your network tries to find internal vulnerable servers, as long as you have deployed web deceptions – Illusive will generate an alert for any interaction with the web server.
  • By examining the forensic evidence you’ll be able to determine if the exploitation attempt was related to the “Spring4Shell” vulnerability.
    • Just look for the strings of the relevant format in the request headers tab.
    • Or you can download the pcap file to see the entire network traffic involved in the alert.

How does it look?

Related Resources

  • Analyst Report, Whitepaper

    Analyzing Identity Risks (AIR) Research Report

  • Threat Research Blog

    Preventing BlackMatter Ransomware from Encryption of Available Remote Share

  • Illusive Blog

    Log4j Vulnerability – An Important Reminder to “Assume Breach”

  • Illusive Blog

    Identity is the New Perimeter: How to Enable Zero Trust Security with Illusive and Microsoft