Better Spring4Shell detection logic #593
Closed
…the http client doesn't redirect in response of this status code
Co-authored-by: Savio Sisco <25590129+lokiuox@users.noreply.github.com>
…oogle/tsunami/plugins/detectors/rce/SlurmExposedRestApiDaemonDetector.java Co-authored-by: Savio Sisco <25590129+lokiuox@users.noreply.github.com>
…oogle/tsunami/plugins/detectors/rce/SlurmExposedRestApiDaemonVuLnDetectorTest.java Co-authored-by: Savio Sisco <25590129+lokiuox@users.noreply.github.com>
…evance of its finding is not good enough for Tsunami. PiperOrigin-RevId: 762287081 Change-Id: Id1dfaca8ee52afbe750e6e74a3954fdb8162fb05
…d plugins. PiperOrigin-RevId: 764211323 Change-Id: Ie7c45a285bf3556d635033c4d64489bb705d2bea
…ling. PiperOrigin-RevId: 766839031 Change-Id: Iba65a6037658f00099341418737f1da0324d88e4
…nitions. PiperOrigin-RevId: 767019654 Change-Id: Ife9811fb840132df44d6de8d3bd848d33a0e94aa
… `getAdvisories()`. PiperOrigin-RevId: 770967379 Change-Id: Ic274d60f5975e7bec3add0a97e9e4b134b3dde19
…on when dealing with protos. PiperOrigin-RevId: 772042564 Change-Id: Ic57a2aa7171c1c7c6445af10da50ec8d71895616
Collaborator
@lokiuox Could you rebase the branch to resolve the conflicts?
…security-scanner-plugins into spring4shell_detection
Collaborator
Author
This PR is being closed due to conflicts with the main branch. New PR here: #650
New PR here: #650
Hello!
This PR implements better detection logic for the Spring4Shell (CVE-2022-22965) vulnerability.
Also added a testbed here: google/security-testbeds#121
Details
Previously, the detector checked the response of two HTTP requests to determine whether a target was vulnerable, but this led to false positives.
The new implementation still uses the old logic as a preliminary check to find potentially vulnerable pages, on which the full exploit is then attempted. The exploit consists of changing the log configuration in order to drop a `.jsp` file in Tomcat's `ROOT` webapp directory.
The dropped `.jsp` has a randomized name and simply prints out a string generated using Tsunami's `PayloadGenerator`. There is also some extra code which makes the script self-delete when visited with the `delete=1` URL parameter.
After dropping the `.jsp` file, the log configuration is also set to point to `/dev/null`, in order to prevent more files from being accidentally created and left on the server.
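
A minimal model of the two-stage decision described in this PR, added here as an illustration and not taken from the PR or from Tsunami's code base. `FakeTarget`, `detect` and every method name are hypothetical, and the target is a constructed in-memory stand-in so the logic runs offline without sending any request.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class FakeTarget:
    """Constructed in-memory stand-in for a scanned server (hypothetical)."""
    passes_preliminary: bool      # answers the old two-request heuristic
    file_write_works: bool        # the intrusive step really takes effect
    files: dict = field(default_factory=dict)
    log_sink: str = "access.log"  # where the server currently logs
    intrusive_calls: int = 0

    def preliminary_check(self) -> bool:
        return self.passes_preliminary

    def attempt_file_drop(self, name: str, marker: str) -> None:
        self.intrusive_calls += 1
        if self.file_write_works:
            self.files[name] = marker
            # Models the follow-up step: logging is pointed at /dev/null
            # so no further files are created by accident.
            self.log_sink = "/dev/null"

    def fetch(self, name: str, delete: bool = False):
        body = self.files.get(name)       # None models a 404
        if delete:
            self.files.pop(name, None)    # models self-delete on delete=1
        return body


def detect(target: FakeTarget) -> bool:
    """Report vulnerable only if the randomized marker is served back."""
    if not target.preliminary_check():
        return False                      # never run the intrusive step
    name = secrets.token_hex(8) + ".jsp"  # randomized file name
    marker = secrets.token_hex(16)        # stands in for PayloadGenerator output
    target.attempt_file_drop(name, marker)
    try:
        body = target.fetch(name)
        return body is not None and marker in body
    finally:
        target.fetch(name, delete=True)   # clean up whatever the outcome
```

A target that passes the preliminary check but never serves the marker is the false-positive case of the old logic; here it is reported as not vulnerable.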