In this month of our Top 5 CVEs, we will cover a few web-based CVEs that have a high impact and low complexity in execution. These vulnerabilities were selected based on their prevalence as well as the availability of public exploits.
The following CVEs will be covered on this month’s blog:
- CVE-2022-22965 – Spring4Shell
- CVE-2022-0847 – Linux Dirty Pipe
- CVE-2022-0441 – MasterStudy LMS WordPress Plugin – Unauthenticated Admin User Creation
- CVE-2022-0824 – Webmin Broken Access Control and Remote Code Execution
- CVE-2022-24706 – CouchDB Remote Privilege Escalation
CVE-2022-22965 – Spring4Shell
March 2022, a vulnerability was discovered by VMWare in the Java Spring Framework affecting Spring applications running Java 9. This vulnerability was named “Spring4Shell” as a play on Log4Shell, a vulnerability that was discovered the previous year 2021. The CVE identifier CVE-2022-22965 was assigned to this vulnerability.
This vulnerability allows attackers to execute remote command execution by uploading a web shell. The attack abuses data transmitted in HTTP requests and allows them to upload a malicious .jsp file by overwriting the Tomcat logging configuration. This can be easily achieved by using publicly available scripts and exploits.
This vulnerability affects JDK version 9 and newer.
References:
https://kb.vmware.com/s/article/88203
https://nvd.nist.gov/vuln/detail/cve-2022-22965
CVE-2022-0847 – Linux Dirty Pipe
Similar to the”Dirty Cow” exploit, Dirty Pipe (CVE-2022-0847) is a Linux kernel vulnerability that grants a low-priv user the ability to modify read-only files. This is due to the system call “splice()” which can be abused to splice a page into a pipe and overwriting the contents on the page.
Attackers can arbitrarily overwrite files on the OS such as the /etc/passwd file and grant compromised low privileged accounts to have elevated privilege and gain access on the machine as admin or root.
This vulnerability affects Linux Kernel versions 5.8 to 5.16.10, 5.15.24, and 5.10.101.
References:
https://nvd.nist.gov/vuln/detail/cve-2022-0847
CVE-2022-0441 – MasterStudy LMS WordPress Plugin – Unauthenticated Admin User Creation
The MasterStudy LMS is a WordPress plugin for online learning platforms. The plugin lets you build and sell courses on your website. A plugin before v2.7.6 is susceptible to a critical vulnerability which can allow the creation of admin accounts without authentication. This is due to an issue with the plugin not validating certain parameters when registering a new account.
There are multiple ways to run this exploit manually and using publicly available scripts. An attacker can also use tools such as Metasploit to easily carry out this attack.
Below is an example code of the json post data that is requested which adds a user to the admin group.
Source: msf module – auxiliary/admin/http/wp_masterstudy_privesc
json_post_data = JSON.pretty_generate({
‘user_login’ => username,
‘user_email’ => email,
‘user_password’ => password,
‘user_password_re’ => password,
‘become_instructor’ => ”,
‘privacy_policy’ => true,
‘degree’ => ”,
‘expertize’ => ”,
‘auditory’ => ”,
‘additional’ => [],
‘additional_instructors’ => [],
‘profile_default_fields_for_register’ => {
‘wp_capabilities’ => {
‘value’ => { ‘administrator’ => 1 }
}
}
})
References:
https://nvd.nist.gov/vuln/detail/cve-2022-0441
Metasploit Module Source Code:
CVE-2022-0824 – Webmin Broken Access Control and Remote Code Execution
Webmin is a free, open-source application and web control panel for Unix system administrators that can be accessed through any modern web browser. The interface allows you to setup user accounts, configure DNS, file sharing and more.
This year, a critical vulnerability was found on Webmin servers. A version of Webmin, v1.1984 has a vulnerable File Manager module that allows any unauthenticated low privilege user to access the File Manager module and allow them to execute malicious file uploads and gaining Remote Code Execution by crafting a payload via a .cgi file.
At the time of writing this blog, there are 17k+ downloads a week on sourceforge.net
The attack is achieved by the following steps:
- Attacker uses a web proxy such as Burpsuite or OWASP Zap to capture requests
- Register and log in as a low privileged user
- Create a .cgi file with a reverse shell payload
- Make the file available for download on an accessible server
- Setup a listener on the attacker machine
- Upload the malicious file via a POST request. (The file manager on webmin will download the malicious file)
- Access the file on the website folder to trigger the exploit and gain shell
The ease of this attack is not very difficult and can be executed on unpatched or out of date Webmin versions.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2022-0824
CVE-2022-24706 – CouchDB Remote Privilege Escalation
A critical vulnerability discovered by Alex Vandiver was found on Apache CouchDB prior to 3.2.2 which allowed an attacker to perform a privilege escalation technique with low complexity. The attacker would simply access an improperly secured default installation without authentication and gain elevated privileges.
The straightforwardness of this exploit makes it on our list as this does not require special tools and simply uses publicly accessible scripts. This affects all versions of CouchDB before 3.2.1 and affects the open epmd port 4369 and port 5984.
“Installations that do not expose the separate distribution port to external access are not vulnerable.”
Reference:
