The Spring project now released a blog post acknowledging the issue so far known as "sping4shell":
The announcement confirms some of the points made yesterday:
The vulnerable libraries are not as widely used as log4j, and exploitation does depend a bit more on the application. But just like for log4j, we will likely see exploits evolving and spreading quickly for some popular vulnerable applications.
We started seeing some exploit attempts that match the general "Spring4Shell" pattern early on Wednesday (around 09:20 UTC). The first exploit from one of our larger honeypots and came from 18.104.22.168. It was directed at a honeypot listening on port 9001, not the "usual" tomcat port 8080.
The currently published exploit will change the logging configuration, writing a file to the application's root directory. Next, the attacker will send requests that contain code to be written to this new "log file". Finally, the attacker will access the log file with a browser to execute the code. The code in the currently published exploit does create a simple webshell:
[beautified code to make it more readable]
Files like this, present in the application's directory, could be used as an indicator of compromise. The exploit alters the logging configuration. After the exploit is executed, all access logs will be appended to this script, and these logs are also sent back to the attacker as the attacker accesses the script. A typical filename is "tomcatwar.jsp", but of course the name of the parameters, and the filename, are easily changed.
A typical request looking for the web shell will look like:
We have seen attempts to install the web shell, as well as attempts to access existing webshells. Couple IPs that "stick out":
I have also seen the filename "wpz.jsp" used, in particular by 22.214.171.124. Some swear words have also shown up in filenames used by specific IPs.
Please note that we are not sure if these attempts actually work. They are detected by honeypots that are not actually vulnerable to these exploits.
Just like for log4j, we do see some scanning for vulnerable hosts by attempting to execute simple commands like 'whoami' or 'cat /etc/passwd'. The level of activity appears to be much less than what we had for log4shell. Likely because there isn't a simple "one size fits all" exploit, and exploitability depends on the application, not just using a particular framework.Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022
Mar 31st 2022
|Thread locked Subscribe||
Mar 31st 2022
1 month ago