DEV Community

Cover image for Apache Commons Text RCE Vulnerability Analysis - CVE-2022-42889
TutorialBoy
TutorialBoy

Posted on

Apache Commons Text RCE Vulnerability Analysis - CVE-2022-42889

Introduction

Apache Commons Text is a low-level library for performing various text operations such as escaping, computing string differences, and replacing placeholders in text with values ​​looked up by interpolators.

Vulnerability Description

On October 13, 2022, the official release of the Apache Commons Text vulnerability notice, vulnerability number: CVE-2022-42889. Apache Commons Text performs variable interpolation, allowing dynamic evaluation and expansion of attributes. The standard format for interpolation is "${prefix: name}", where "prefix" is used to locate the interpolation. An instance of org.apache.commons.text.lookup.StringLookup. From version 1.5 to 1.9, an attacker can construct a malicious text that causes Apache Commons Text to execute arbitrary malicious code when it is parsed.

Image description

Scope

1.5 <= Apache Commons Text <= 1.9

Vulnerability Analysis

Environment Build

IDEA imports dependencies through Maven

pom.xml is as follows:

<dependencies>
    <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-configuration2</artifactId>
        <version>2.7</version>
    </dependency>
    <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-text</artifactId>
        <version>1.9</version>
    </dependency>
    <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-lang3</artifactId>
        <version>3.12.0</version>
    </dependency>
</dependencies>
Enter fullscreen mode Exit fullscreen mode

Test code:

package org.text;

import org.apache.commons.text.StringSubstitutor;

public class Main {
    public static void main(String[] args) {

        StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
//        String payload = interpolator.replace("${script:js:new java.lang.ProcessBuilder(\"calc\").start()}");
        String payload = "${script:js:new java.lang.ProcessBuilder(\"calc\").start()}";
        interpolator.replace(payload);
    }
}
Enter fullscreen mode Exit fullscreen mode

JDK version 1.8

Dynamic Analysis

Before code analysis, let's take a look at the content in the official user manual ( https://commons.apache.org/proper/commons-text/userguide.html ).

Image description

This demonstrates the usage of using the default lookup StringSubstitutor to construct a complex string, and the key point in the vulnerability description is to perform variable interpolation, and its standard format is ${prefix:name}.

Refer to the documentation of StringLookupFactory ( http://commons.apache.org/proper/commons-text/apidocs/org/apache/commons/text/lookup/StringLookupFactory.html )

Image description

Since version 1.5, string search of script type can be satisfied, but it is not included by default.

Target the code to

org.apache.commons.text.lookup.InterpolatorStringLookup#lookup

Image description

Here the lookup method will extract the part after ":" as the prefix value, and then extract its corresponding lookup instantiation object according to stringLookupMap.

into org.apache.commons.text.lookup.ScriptStringLookup#lookup.

Image description

Call ScriptEngineManager to execute code.

Understand the second half of the vulnerability, set a breakpoint, and dynamically debug it to see how to call the lookup method.

Image description

org.apache.commons.text.StringSubstitutor#createInterpolator

Image description

Here is to instantiate StringSubstitutor and pass

StringLookupFactory.INSTANCE.interpolatorStringLookup() into it

org.apache.commons.text.StringSubstitutor#replace

Image description

Convert the type of the parameter, and then pass it to the substitute for processing, and then it will go through a series of judgment checks.

Image description

Finally, pass in resolveVariable

org.apache.commons.text.StringSubstitutor#resolveVariable

Image description

After the value of getStringLookup, it will directly call the lookup method in org.apache.commons.text.lookup.InterpolatorStringLookup.

Image description

At this point, as analyzed at the beginning, the lookup method will extract the part after ":" as the prefix value, then extract its corresponding lookup instantiation object according to the stringLookupMap, and finally execute the code by calling ScriptEngineManager.

Vulnerability

Image description

Of course, many bigwigs on the Internet have analyzed this vulnerability. This vulnerability is actually different from Log4Shell (CVE-2021-44228) because, in Log4Shell, string interpolation can be performed from the log message body, which usually contains Untrusted input. In the Apache Common Text issue, the relevant methods are explicitly used to perform string interpolation and are clearly documented, so it is less likely that an application will inadvertently pass untrusted input without proper validation.

Top comments (0)