AFM Protocol Custom Signatures for Spring4Shell and Spring_Cloud (CVE-2022-22963 and -22965)

Intro

There is a fair amount of hype surrounding CVE-2022-22963 "Remote code execution in Spring Cloud Function by malicious Spring Expression" and CVE-2022-22965 "Spring Framework RCE via Data Binding on JDK 9+" but sometimes hype drives job requirements...

If you are in a position where you have to be able to detect exploit attempts vs. the VMWare Spring framework (whether or not that framework is in use in your environment), AFM Protocol Inspection can help.

Here are some signatures ported from yara signatures published by Neo23x0. To add them to your configuration, go into tmsh and switch to the security > protocol-inspection > signature context and enter these create commands.

create EXPL_POC_SpringCore_0day_Indicators_1 description "SpringCore 0day Indicators vs VMWare Spring" sig "content:\"java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di\";" service http direction to-server attack-type "successful-admin" documentation "attribution for detection pattern = Florian Roth aka Neo23x0" reference-links "https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement https://twitter.com/vxunderground/status/1509170582469943303 https://github.com/Neo23x0/signature-base/blob/master/yara/expl_spring4shell.yar https://tanzu.vmware.com/security/cve-2022-22965" references "CVE-2022-22965 Spring4Shell"

create EXPL_POC_SpringCore_0day_Indicators_2 description "SpringCore 0day Indicators vs VMWare Spring" sig "content:\"?pwd=j&cmd=whoami\";"service http direction to-server attack-type "successful-admin" documentation "attribution for detection pattern = Florian Roth aka Neo23x0" reference-links "https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement https://twitter.com/vxunderground/status/1509170582469943303 https://github.com/Neo23x0/signature-base/blob/master/yara/expl_spring4shell.yar https://tanzu.vmware.com/security/cve-2022-22965" references "CVE-2022-22965 Spring4Shell"

create EXPL_POC_SpringCore_0day_Indicators_3 description "SpringCore 0day Indicators vs VMWare Spring" sig "content:\".getParameter(%22pwd%22)\";" service http direction to-server attack-type "successful-admin" documentation "attribution for detection pattern = Florian Roth aka Neo23x0" reference-links "https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement https://twitter.com/vxunderground/status/1509170582469943303 https://github.com/Neo23x0/signature-base/blob/master/yara/expl_spring4shell.yar https://tanzu.vmware.com/security/cve-2022-22965" references "CVE-2022-22965 Spring4Shell"

create EXPL_POC_SpringCore_0day_Webshell_1 description "SpringCore 0day Webshell vs VMWare Spring" sig "content:\".getInputStream(); int a = -1; byte[] b = new byte]2048]\";"service http direction to-server attack-type "successful-admin" documentation "attribution for detection pattern = Florian Roth aka Neo23x0" reference-links "https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement https://twitter.com/vxunderground/status/1509170582469943303 https://github.com/Neo23x0/signature-base/blob/master/yara/expl_spring4shell.yar https://tanzu.vmware.com/security/cve-2022-22965" references "CVE-2022-22965 Spring4Shell"

create EXPL_POC_SpringCore_0day_Webshell_2 description "SpringCore 0day Webshell vs VMWare Spring" sig "content:\"if(\"j\".equals(request.getParameter(\"pwd\")\";"service http direction to-server attack-type "successful-admin" documentation "attribution for detection pattern = Florian Roth aka Neo23x0" reference-links "https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement https://twitter.com/vxunderground/status/1509170582469943303 https://github.com/Neo23x0/signature-base/blob/master/yara/expl_spring4shell.yar https://tanzu.vmware.com/security/cve-2022-22965" references "CVE-2022-22965 Spring4Shell"

Here are two more that I couldn't get past our platform's input validation. You'll have to type the first part in yourselves, from create through the sig. You can copy the boilerplate from service to the end from the other signatures. I apologize for the inconvenience, but I thought it was worth getting this article out while the topic was still relevant. You could also copy the detect logic from https://github.com/Neo23x0/signature-base/blob/master/yara/expl_spring4shell.yar rule EXPL_POC_SpringCore_0day_Indicators_Mar22_1, string $x4 and rule EXPL_POC_SpringCore_0day_Webshell_Mar22_1, string $x3.

two signatures the website won't let me add

References

https://community.f5.com/t5/technical-articles/what-are-the-spring4shell-vulnerabilities/ta-p/294084

https://github.com/Neo23x0/signature-base/blob/master/yara/expl_spring4shell.yar

https://tanzu.vmware.com/security/cve-2022-22963

https://tanzu.vmware.com/security/cve-2022-22965