Skip to content

Instantly share code, notes, and snippets.

@haproxytechblog
Last active April 11, 2022 17:34
Show Gist options
  • Save haproxytechblog/44a62f8b8ee8aa0398bb9b4dd10fdcad to your computer and use it in GitHub Desktop.
Save haproxytechblog/44a62f8b8ee8aa0398bb9b4dd10fdcad to your computer and use it in GitHub Desktop.
CVE-2022-22965 Spring4Shell Remote Code Execution Mitigation
frontend fe_main
...
option http-buffer-request
http-request deny if { query -i -m sub class.module.classLoader.resources.context.parent.pipeline springframework.context.support.FileSystemXmlApplicationContext }
http-request deny if { req.hdrs -i -m sub class.module.classLoader.resources.context.parent.pipeline springframework.context.support.FileSystemXmlApplicationContext }
http-request deny if { req.body -i -m sub class.module.classLoader.resources.context.parent.pipeline springframework.context.support.FileSystemXmlApplicationContext }
Include /etc/hapee-2.4/modsec.rules.d/crs-setup.conf
include modsecurity/crs-setup.conf
SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_BODY|REQUEST_HEADERS|XML:/*|XML://@* \
"@rx (?:class[.]module[.]classLoader[.]resources[.]context[.]parent[.]pipeline|springframework[.]context[.]support[.]FileSystemXmlApplicationContext)" \
"id:944260,\
phase:2,\
deny,\
t:urlDecodeUni,\
msg:'Remote Command Execution: Malicious class-loading payload',\
logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
tag:'application-multi',\
tag:'language-java',\
tag:'platform-multi',\
tag:'attack-rce',\
tag:'OWASP_CRS',\
tag:'capec/1000/152/248',\
tag:'PCI/6.5.2',\
tag:'paranoia-level/2',\
ver:'OWASP_CRS/3.4.0-dev',\
severity:'CRITICAL',\
setvar:'tx.rce_score=+%{tx.critical_anomaly_score}',\
setvar:'tx.anomaly_score_pl2=+%{tx.critical_anomaly_score}'"
curl -v -d "class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat=" http://localhost
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment