Spring Cloud Function SpEL Injection (CVE-2022-22963)

Introduction

On March 24, 2022, Pivotal patched a critical server-side code injection vulnerability (Spring Expression Language injection) in Spring Cloud Function, potentially leading to system compromise. Spring is the popular open-source Java framework.

The Vulnerability

A SpEL expression could be received via the "spring.cloud.function.routing-expression" HTTP header to facilitate application routing.

There was no check in the code whether the expression to be evaluated could be received via a header. To fix the issue, a separate headerEvalContext that is a SimpleEvaluationContext was added.

Reference: https://www.akamai.com/blog/security/spring-cloud-function

In this lab environment, the user is going to get access to a low-privileged user in an Ubuntu CLI instance. The root user on the same Ubuntu instance is hosting an application leveraging Spring Cloud Function 3.2.2 that is vulnerable to CVE-2022-22963 and is accessible from the tools installed on the Ubuntu machine at http://127.0.0.1:8080.

Objective: Exploit the SpEL Code Injection vulnerability in the deployed application to perform privilege escalation and retrieve the flag from the /root/FLAG file.

Acknowledgements:
The setup code is based on the following Github repository: https://github.com/vulhub/vulhub/tree/master/spring/CVE-2022-22963

Instructions:

• This lab is dedicated to you! No other users are on this network :) 

• Once you start the lab, you will have access to a root terminal of a Kali instance

• Your Kali has an interface with IP address 192.X.Y.Z. Run "ip addr" to know the values of X and Y.

• The target server should be located at the IP address 192.X.Y.3. It can be accessed using the hostname demo.ine.local. 

• Do not attack the gateway located at IP address 192.X.Y.1