Posted on

Spring4Shell : Explained With POC

Hello, aspiring Ethical Hackers. In this article you will learn about Spring4shell, a new zero-day vulnerability that has been discovered in Spring Framework. Spring Framework is an open-source application framework for Java and is normally deployed with Apache Tomcat servers.

Vulnerability & Impact

There are two vulnerabilities affecting Spring Framework, one is in Spring Core and second is in Spring Cloud. The Spring Core RCE vulnerability impacts Java class objects. The vulnerability in Spring Core has been given name Spring4shell in the lines of Log4shell as both vulnerabilities affect a library. Although, it took its name from Log4shell, it is not as dangerous as its namesake.

This vulnerability affects all versions of Spring Core Framework running on JDK versions 9 and after. This vulnerability is tracked as CVE-2022-22965. There is another RCE in Spring Cloud Function versions <=3.1.6 and <=3.2.2.

Proof Of Concept

It’s time to see the exploitation of Spring4shell practically. Let’s create a new directory named spring4shell.

Spring4shell 1

Clone the repository shown in the image below. This repository contains both vulnerable docker image and exploit.

Spring4shell 2

Build the Docker image vulnerable to spring4shell as shown below.

Spring4shell 3
Spring4shell 4

You can check if the target is set or not by visiting the URL in browser.

Spring4shell 5 1024x401

If you get the above message, the target is ready. Run the exploit. The python exploit uploads a java web shell on the target after exploiting vulnerability.

spring4shell

The exploit completed successfully. The web shell can be accessed at above highlighted address.

Spring4shell 8
Spring4shell 9

The POC is succesful,

Posted on

PrintNightmare, Privilege Escalation in Powershell

PrintNightmare is a critical vulnerability affecting the Microsoft Windows operating systems. The recently disclosed vulnerability is present in the print spooler service of Microsoft Windows. The printer spooler service is used for printing services and is turned on by default. The versions of Windows vulnerable to PrintNightmare include Windows 7 to Windows 10 and windows Server 2008 to the latest version of Windows Servers.

The PrintNightmare vulnerability has two variants : one is enabling remote code execution (CVE-2021-34527) and the other privilege escalation (CVE-2021-1675). In this article, readers will see a demonstration of exploiting the privilege escalation vulnerability in PrintNightmare.
For this demonstration, we will use Windows 10 version 1809. The Powershell Script we used in this demo can be downloaded from Github.

In this scenario, imagine I already have access to the target machine as a user with low privileges. Let me demonstrate it to you. The first thing I need to confirm is whether the printer spooler service is running on the target system or not. This can be done using powershell command “Get-Service -Name “spooler”“.

PNm Powershell Lpe 1

The print spooler service is running. Now I can exploit it. Before that let me show you that I am a user with limited privileges i.e as “user 1” with very limited privileges.

PNm Powershell Lpe 3
PNm Powershell Lpe 4

Next, I already downloaded the Powershell script I need to exploit the Printnightmare vulnerability .So I moved to the Downloads folder where the Powershell script is saved. Once I am inside that folder, I run the command

Import-Module .\ <script Name>“as shown below.

PNm Powershell Lpe 5

Once the Powershell module is imported, I can execute the script with command
Invoke-Nightmare -NewUser “<username to create >” -NewPassword <password for that new user> DriverName “PrintMe”
This command will create a new user with administrator privileges.

How to exploit printnightmare

In the image above, you can see the existence of new user named “hacker” which I created. Now, let’s check the privileges of this user.

PNm Powershell Lpe 7

As readers can see, the new user I created belongs to the local administrators group. I reboot the system and try to login as that user.

PNm Powershell Lpe 9 1024x576
PNm Powershell Lpe 10

The exploitation is successful.

Posted on

Shellshock vulnerability for beginners

Hello, aspiring Ethical Hackers. In this blogpost, you will learn about shellshock vulnerability. This vulnerability was disclosed on 24 September 2014 but it is still active now although exploitation is not as effective as in 2014. Just like Heartbleed vulnerability, this vulnerability affected millions of systems around the world and is hence considered a critical vulnerability. This vulnerability was introduced in 1989.

What is Shellshock vulnerability?

Shellshock

Shellshock vulnerability effects Bash which is the default command line interpreter of many UNIX-based systems. Hence it is also known as Bashdoor. It is an arbitrary code execution vulnerability that allows attackers to execute commands on the target that they cannot execute normally.

How is this possible? This is possible because Bash has a “function export” feature using which one Bash process can share command scripts with other Bash processes. In the “function_export” feature, the command script to be executed is encoded and placed in a table. This table is known as environment variable list and is shared between all Bash processes.

Every new Bash process started will scan this table for the encoded commands and then execute them. However, the new process cannot verify if this command came from another Bash process or for that matter, it is even a proper command. So, if the attacker can manipulate this environmental variable list, he can successfully execute arbitrary commands.

Practical Walkthrough

Although, Bash is present in Linux systems and MacOS, there are very less chances of these systems being exposed to the internet. However, there are some special cases like CGI based webservers, OpenSSH servers, DHCP servers, Qmail server and UNIX based Firewalls.

For example, all versions of IPFire firewall before 2.15 (including this one ) are vulnerable to this shellshock vulnerability. Now let’s see how to exploit this vulnerability using Metasploit. This exploit needs credentials. Start Metasploit and load the exploit as shown below.

shellshock vulnerability

Set the required options as shown below. Use check command to see if the target is vulnerable.

Shellshock2

Set the command you want to run on the target machine. Let’s set the command to view the “/etc/passwd” file of our target. You can set any command you want to run.

Shellshock3

As you can see, the command executed successfully to give us a the output.

Real World Examples

The exploitation of Shellshock vulnerability started within hours of its disclosure. Let’s see some real-world examples of these attacks.

wopbot botnet:

shellshock vulnerability was mostly exploited to deploy botnets. One such botnet “wopbot” was used to conduct a DDOS attack against Akamai technologies and to scan the DOD (Department of Defense) of USA.

Thank-Rob:

Another Botnet “Thank-Rob” which was a network of Shellshock exploited machines was detected by Kaspershy targeting three exclusive targets.

Yahoo:

It is assumed that Yahoo server were breached in 2014 by exploiting shellshock. Yahoo, however denied it. There were other Botnet tunning to exploiting shellshock vulnerable devices and by the end of the year, Cloudflare reported that it detected around 1.5 million attacks and probes per day that were related to shellshock vulnerability.

Mitigation and Prevention

A patched version of Bash “bash-025” was released to mitigate shellshock vulnerability. However, other shellshock vulnerabilities soon followed. A new version of bash “bash43-027” was released to patch all shellshock vulnerabilities.