Scan systems and Docker images for potential Spring4Shell vulnerabilities.

spring4shell-scanner

This scanner recursively scans paths, including archives nested inside archives, for Spring libraries and classes affected by CVE-2022-22965 (Spring Framework, "Spring4Shell") and CVE-2022-22963 (Spring Cloud Function).

Currently the allow list defines the non-exploitable versions: spring-beans 5.3.18 and 5.2.20, and spring-cloud-function-context 3.2.3.

Scanning multi-layered archives

Features

  • scans recursively through nested archives (archives inside archives, to any depth)
  • scans for known Spring libraries by sha256 hash
  • scans for CachedIntrospectionResults.class files
  • fast
  • shows the related CVEs found, by version
  • detects class files with different extensions (e.g. .ezclass)
  • scans through all layers of local and remote Docker images
  • binary versions available for Windows, Linux and macOS
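The features above (nested archives, hash matching, CachedIntrospectionResults.class detection regardless of extension) all come down to one walk over archive contents. The following is an added Go example, not code from spring4shell-scanner, showing how such a walk can be built: it descends into entries by content (the zip local-header signature) rather than by file extension, caps per-entry inflation so a nested archive cannot be used as a decompression bomb, matches whole archives by sha256 against a lookup table, and recognises Java class files by their 0xCAFEBABE signature even when renamed. The sample app.war / spring-beans.jar pair, the fake class bytes and the single hash-table entry are all constructed inside the block; the real tool's version/hash list and output format are not reproduced. Note that finding the class only identifies a spring-beans artifact; whether that build is a patched one is what the hash/version allow list decides.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"path"
	"strings"
)

// Finding is one hit: nested path (app.war!WEB-INF/lib/x.jar!org/.../X.class) and reason.
type Finding struct {
	Path   string
	Reason string
}

const maxEntryBytes = 64 << 20 // per-entry inflation cap; never trust the declared size (zip bombs)

// Scan walks an in-memory archive, descending into every entry that is itself a zip by
// content (jar/war/ear/anything), and reports hash matches and suspicious class files.
func Scan(name string, data []byte, known map[string]string) []Finding {
	var out []Finding
	if label, ok := known[Sha256Hex(data)]; ok { // known: hex sha256 -> label
		out = append(out, Finding{name, "known archive: " + label})
	}
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return out // not a parsable zip; the hash check above still applied
	}
	for _, f := range zr.File {
		entry := name + "!" + f.Name
		rc, err := f.Open()
		if err != nil {
			out = append(out, Finding{entry, "skipped: " + err.Error()})
			continue
		}
		body, err := io.ReadAll(io.LimitReader(rc, maxEntryBytes+1))
		rc.Close()
		if err != nil || len(body) > maxEntryBytes {
			out = append(out, Finding{entry, "skipped: unreadable or above the inflation cap"})
			continue
		}
		switch {
		case bytes.HasPrefix(body, []byte("PK\x03\x04")): // nested archive, whatever its extension
			out = append(out, Scan(entry, body, known)...)
		case bytes.HasPrefix(body, []byte{0xCA, 0xFE, 0xBA, 0xBE}): // Java class file magic
			base := path.Base(f.Name)
			if strings.TrimSuffix(base, path.Ext(base)) == "CachedIntrospectionResults" {
				out = append(out, Finding{entry, "CachedIntrospectionResults class present"})
			}
			if !strings.HasSuffix(base, ".class") { // renamed class files, e.g. .ezclass
				out = append(out, Finding{entry, "class file with non-.class extension"})
			}
		}
	}
	return out
}

func Sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// zipOf builds an in-memory zip from name -> content (constructed sample data only).
func zipOf(entries map[string][]byte) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for n, c := range entries {
		w, _ := zw.Create(n) // names are fixed constants below, Create cannot fail on them
		w.Write(c)
	}
	zw.Close()
	return buf.Bytes()
}

// BuildSample returns a constructed (outer, inner) pair: app.war carrying a nested spring-beans.jar
// whose CachedIntrospectionResults class was renamed to .ezclass. Class bytes are magic plus filler.
func BuildSample() (outer, inner []byte) {
	fakeClass := append([]byte{0xCA, 0xFE, 0xBA, 0xBE, 0, 0, 0, 0x34}, "constructed filler, not bytecode"...)
	inner = zipOf(map[string][]byte{"org/springframework/beans/CachedIntrospectionResults.ezclass": fakeClass})
	outer = zipOf(map[string][]byte{
		"META-INF/MANIFEST.MF":         []byte("Manifest-Version: 1.0\n"),
		"WEB-INF/lib/spring-beans.jar": inner,
	})
	return outer, inner
}

func main() {
	outer, inner := BuildSample()
	known := map[string]string{Sha256Hex(inner): "spring-beans (constructed sample)"} // stands in for the real list
	for _, f := range Scan("app.war", outer, known) {
		fmt.Printf("[!] %s: %s\n", f.Path, f.Reason)
	}
}
```

Running it prints three findings for the sample: the nested jar matched by hash, the renamed CachedIntrospectionResults class, and the fact that a class file is hiding behind a non-.class extension. The deliberate design choices are the ones a scanner of this kind needs: detect archives and classes by magic bytes, never by extension, and bound what you inflate from each entry, because a scanner that recurses into untrusted archives is itself an attack surface.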

References

CVE References
CVE-2022-22965 https://tanzu.vmware.com/security/cve-2022-22965
CVE-2022-22963 https://tanzu.vmware.com/security/cve-2022-22963

Scanning

Usage

Windows

$ spring4shell-scanner.exe {target-path}

Linux / OSX / FreeBSD

$ spring4shell-scanner {target-path}

Docker containers

The tool can also scan container images pulled from a registry:

$ ./spring4shell-scanner scan-image logstash:7.16.1

or local images:

$ ./spring4shell-scanner scan-image --local {sha256|pattern}
$ ./spring4shell-scanner scan-image --local log4shell:latest
$ ./spring4shell-scanner scan-image --local 4949add9e671

# scan all local images
$ ./spring4shell-scanner scan-image --local

Patching

Usage

Windows

$ spring4shell-scanner.exe patch {target-path}

Linux / OSX / FreeBSD

$ spring4shell-scanner patch {target-path}

Build from source

Requirements:

For development

$ git clone "https://github.com/dtact/spring4shell-scanner.git"
$ go build -o ./.builds/spring4shell-scanner ./main.go

Copyright and license

Code and documentation copyright 2022 Remco Verhoef (DTACT).

Code released under the MIT license.

Comments
  • Included matching for CVE-2022-22963

    Included matching for CVE-2022-22963

    DISCLAIMER: I have not done enough research to claim that this will include all vulnerable versions of Spring Cloud Functions.

    Working assumptions have been:

    • The file RoutingFunction.class is the culprit that was patched recently [1]. It shows that a change + test was added to mitigate access to the Java runtime via HTTP headers.

    • I pulled all versions from Maven central and scanned for .jar files that have the above file packaged.

      • This does not take into account that some versions might not have been vulnerable.
      • It does not take into account that in the past (due to refactoring) a similar bug was present in a different file.

    [1] https://github.com/spring-cloud/spring-cloud-function/commit/03db9baee65ba0ddcd2c2cbc1f4ebc3646a6872e

  • Scan works, but output unworkable

    The scanner seems to work just fine. However, the output this tool produces isn't really suitable for further processing:

    1. There's no built-in feature for logging to a file, which seems like it should be one of the primary use-cases.
    2. There doesn't seem to be a way to log only the vulnerable stuff. I.e. there's no --quiet parameter. It outputs thousands of lines, one for each file scanned. But I think most people are only interested in the actual vulnerable files. Of course you can pipe the output to a filter (i.e. filter on "[!]"), but then there's still the problem mentioned at point 4 below.
    3. The --json parameter doesn't seem to work. I still get the regular output.
    4. The output text contains all kinds of control characters. Even when using the --disable-colour parameter. So redirecting the output to a text file results in a non-plain text file.

    I wanted to love this scanner, but in its current state I cannot recommend it.

    Note: I tested the Windows version

  • Adding Logging to File of the findings

    The current scanner sends its output to stdout (status + findings).

    A scan job can output hundreds and hundreds of status lines ("Checked 33 files in 00h:00m:01s, average rate is: 1401 files/min"), as well as a lot of findings.

    Findings will get lost when scanning big servers outputting more than the console buffer

    Wish:

    • Add a logging function to files for the finding only
    • If no parameter specified, still log to file by default
    • Output the finding both to the console & to the log file