James_Affeld
F5 Employee

Intro

There is a fair amount of hype surrounding CVE-2022-22963 "Remote code execution in Spring Cloud Function by malicious Spring Expression" and CVE-2022-22965 "Spring Framework RCE via Data Binding on JDK 9+", but sometimes hype drives job requirements...

If you are in a position where you have to be able to detect exploit attempts against the VMware Spring Framework (whether or not that framework is in use in your environment), AFM Protocol Inspection can help.

Here are some signatures ported from the YARA signatures published by Neo23x0. To add them to your configuration, go into tmsh, switch to the security > protocol-inspection > signature context, and enter these create commands.

create EXPL_POC_SpringCore_0day_Indicators_1 description "SpringCore 0day Indicators vs VMWare Spring" sig "content:\"java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di\";" service http direction to-server attack-type "successful-admin" documentation "attribution for detection pattern = Florian Roth aka Neo23x0" reference-links "https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement https://twitter.com/vxunderground/status/1509170582469943303 https://github.com/Neo23x0/signature-base/blob/master/yara/expl_spring4shell.yar https://tanzu.vmware.com/security/cve-2022-22965" references "CVE-2022-22965 Spring4Shell"

create EXPL_POC_SpringCore_0day_Indicators_2 description "SpringCore 0day Indicators vs VMWare Spring" sig "content:\"?pwd=j&cmd=whoami\";" service http direction to-server attack-type "successful-admin" documentation "attribution for detection pattern = Florian Roth aka Neo23x0" reference-links "https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement https://twitter.com/vxunderground/status/1509170582469943303 https://github.com/Neo23x0/signature-base/blob/master/yara/expl_spring4shell.yar https://tanzu.vmware.com/security/cve-2022-22965" references "CVE-2022-22965 Spring4Shell"

create EXPL_POC_SpringCore_0day_Indicators_3 description "SpringCore 0day Indicators vs VMWare Spring" sig "content:\".getParameter(%22pwd%22)\";" service http direction to-server attack-type "successful-admin" documentation "attribution for detection pattern = Florian Roth aka Neo23x0" reference-links "https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement https://twitter.com/vxunderground/status/1509170582469943303 https://github.com/Neo23x0/signature-base/blob/master/yara/expl_spring4shell.yar https://tanzu.vmware.com/security/cve-2022-22965" references "CVE-2022-22965 Spring4Shell"

create EXPL_POC_SpringCore_0day_Webshell_1 description "SpringCore 0day Webshell vs VMWare Spring" sig "content:\".getInputStream(); int a = -1; byte[] b = new byte[2048]\";" service http direction to-server attack-type "successful-admin" documentation "attribution for detection pattern = Florian Roth aka Neo23x0" reference-links "https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement https://twitter.com/vxunderground/status/1509170582469943303 https://github.com/Neo23x0/signature-base/blob/master/yara/expl_spring4shell.yar https://tanzu.vmware.com/security/cve-2022-22965" references "CVE-2022-22965 Spring4Shell"

create EXPL_POC_SpringCore_0day_Webshell_2 description "SpringCore 0day Webshell vs VMWare Spring" sig "content:\"if(\"j\".equals(request.getParameter(\"pwd\")\";" service http direction to-server attack-type "successful-admin" documentation "attribution for detection pattern = Florian Roth aka Neo23x0" reference-links "https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement https://twitter.com/vxunderground/status/1509170582469943303 https://github.com/Neo23x0/signature-base/blob/master/yara/expl_spring4shell.yar https://tanzu.vmware.com/security/cve-2022-22965" references "CVE-2022-22965 Spring4Shell"
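The five signatures above are literal content matches. The following Python checker is an added example (not part of this article or of the AFM product) that replays the same five content strings against constructed sample HTTP requests, so you can see which requests each signature flags before pushing them to a device. It goes one step beyond the tmsh signatures by also comparing the percent-decoded forms, labelling such hits "decoded" so that a defender can see where a literal-only match would have no coverage. Signature names, content strings and sample requests are assumptions built from the commands above.

```python
from urllib.parse import unquote

# Literal content strings copied from the five tmsh signatures above (originally
# Neo23x0's expl_spring4shell.yar), keyed by the signature names used on this page.
SIGNATURES = {
    "EXPL_POC_SpringCore_0day_Indicators_1": "java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di",
    "EXPL_POC_SpringCore_0day_Indicators_2": "?pwd=j&cmd=whoami",
    "EXPL_POC_SpringCore_0day_Indicators_3": ".getParameter(%22pwd%22)",
    "EXPL_POC_SpringCore_0day_Webshell_1": ".getInputStream(); int a = -1; byte[] b = new byte[2048]",
    "EXPL_POC_SpringCore_0day_Webshell_2": 'if("j".equals(request.getParameter("pwd")',
}


def match_signatures(request: bytes) -> dict[str, str]:
    """Map each matching signature name to how it matched: 'literal' when the
    content string occurs in the raw request (what the tmsh signatures check),
    or 'decoded' when it only occurs after percent-decoding both sides (an
    addition here, to show which hits a literal-only signature would miss)."""
    raw = request.decode("latin-1")
    decoded = unquote(raw)
    hits = {}
    for name, content in SIGNATURES.items():
        if content in raw:
            hits[name] = "literal"
        elif unquote(content) in decoded:
            hits[name] = "decoded"
    return hits


# Constructed sample requests (not real traffic) used to exercise the matcher.
HDR = b" HTTP/1.1\r\nHost: app.example.test\r\n\r\n"
BENIGN = b"GET /app?user=alice&page=2" + HDR
QUERY_HIT = b"GET /app?pwd=j&cmd=whoami" + HDR
ENCODED_BODY = b"POST /app" + HDR + b"x=java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di"
DECODED_BODY = b"POST /app" + HDR + b'x=foo.getParameter("pwd")'


def scan(requests: list[bytes]) -> list[tuple[int, dict[str, str]]]:
    """Run every sample and return (index, hits) only for requests that matched."""
    return [(i, h) for i, r in enumerate(requests) if (h := match_signatures(r))]


if __name__ == "__main__":
    for idx, hits in scan([BENIGN, QUERY_HIT, ENCODED_BODY, DECODED_BODY]):
        print(idx, hits)
```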

Here are two more that I couldn't get past our platform's input validation. You'll have to type the first part in yourself, from create through the sig; you can copy the boilerplate from service to the end from the other signatures. I apologize for the inconvenience, but I thought it was worth getting this article out while the topic was still relevant. You could also copy the detection logic from https://github.com/Neo23x0/signature-base/blob/master/yara/expl_spring4shell.yar: rule EXPL_POC_SpringCore_0day_Indicators_Mar22_1, string $x4, and rule EXPL_POC_SpringCore_0day_Webshell_Mar22_1, string $x3.

(Image: two signatures the website won't let me add)

References

https://community.f5.com/t5/technical-articles/what-are-the-spring4shell-vulnerabilities/ta-p/294084

https://github.com/Neo23x0/signature-base/blob/master/yara/expl_spring4shell.yar

https://tanzu.vmware.com/security/cve-2022-22963

https://tanzu.vmware.com/security/cve-2022-22965


Comments

If this was LinkedIn, I'd hit the "Insightful" button. Awesome!

PSilva
Community Manager
Last update: 05-Apr-2022 14:21