Breaking Down CVE-2022-42889: How Text Interpolation Went Rogue

‍

In this blog we will explore CVE-2022-42889, a critical vulnerability found in Apache commons text. In October 2022 Apache Commons Text team disclosed that versions of this library from 1.5 up to 1.9 are vulnerable to a critical and easy to exploit remote code execution on servers and gain unauthorized access to sensitive data. And due to this CVE was assigned a CVSS score of 8.1. This CVE is commonly known as Text4Shell.

‍

Apache Commons Text

A low-level library called Apache Commons Text may be used to do a variety of text operations, including escaping, figuring out string differences, and replacing text placeholders with values that have been found using interpolators. Certain of the available interpolators have the potential to cause network access or code execution when used with the string replacement capability. This is intentional, but it also implies that an attacker may activate such interpolators if an application included user input in the text provided to the substitute without properly sanitizing it. This library is mainly used for string manipulation, random text generation, string tokenization, text interpolation, string comparisons, etc.

‍

Technical Details of the CVE

Text interpolation, also known as string interpolation or variable substitution, is a technique commonly used in software development to create strings that contain placeholders for variable values. These placeholders are then replaced with actual values at runtime, resulting in fully constructed strings. Value lookup is by default provided by Apache Commons Text using an interpolator and strings that are formed dynamically. The StringSubstitutor API is the primary source of the problem.

According to Apache documentation, “The class is used to substitute variables within a string by values. StringSubstitutor class takes a piece of text and substitutes all the variables within it.”

"${prefix: name}" is the standard format for interpolation/substitution, where "name" refers to the strings whose values are processed by the lookup techniques and "prefix" is the lookup key displayed in the image below.

When the default interpolators (StringSubstitutor.createInterpolator()) are used with the StringSubstitutor, string lookups may be performed, which might result in arbitrary code execution, especially if data that isn't trustworthy enters the StringSubstitutor.either StringSubstitutor or replace().An attacker can cause arbitrary code execution by using the ScriptStringLookup to initiate replaceIn() methods.

The affected interpolators are:

• script: used to evaluate expressions using the JVM script execution engine (javax.script)

• dns: used to resolve DNS records

• url: used to request information from a URL

Other interpolation techniques offer means for code execution, network access, and remote server communication. Though they are intended features, the aforementioned capabilities are not available by default until the additional features are set. Without input validation, the user's input is sent to StringSubstitutor. Consequently, attackers are able to execute OS instructions by invoking string lookup techniques such as "script."

‍

Exploitation

Exploiting this vulnerability is fairly straightforward but identifying the presence and favorability for exploitation is quite difficult for a black-box assessment of any target.
For any application to be vulnerable to text4shell, these conditions should be met by the target application:

• Must be importing org.apache.commons.text.StringSubstitutor and using replace() method.
• Version used should be 1.5 to 1.9 for above library
• Java version 15 or less should be used

If the above conditions are met, then we need to find a point of injection where we can put our payload. Injection points can be anything like text fields, search bars, headers, query or body parameters, etc.

After finding the injection point one can use the below payloads to exploit the vulnerability in different ways:

• RCE
  ${{script:javascript:java.lang.Runtime.getRuntime().exec('<command_here>')}}

• SSRF
  ${{url:UTF-8:<your server url>}}

Either we can exploit manually or we can also use publicly available exploits like this:
https://github.com/gustanini/CVE-2022-42889-Text4Shell-POC

‍

Mitigations

• Update apache commons text to latest version.

• Use java version 15 or above.

• Sanitize the user input.

• Preventing use of vulnerable interpolators.

• Keeping an eye out for signs of compromise.

‍

References

• https://www.logpoint.com/en/blog/text4shell-detecting-exploitation-of-cve-2022-42889/
• https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECOMMONS-3043138
• https://security.apache.org/blog/cve-2022-42889/
• https://github.com/gustanini/CVE-2022-42889-Text4Shell-POC

‍