1. Description: Struts 2 is the next-generation Struts product, a new framework built by merging Struts 1 and WebWork technology. Its architecture differs greatly from that of Struts 1: Struts 2 takes WebWork as its core and uses an interceptor mechanism to handle user requests, a design that decouples the business-logic controller completely from the Servlet API, so Struts 2 can be understood as an updated WebWork. Although much changed from Struts 1 to Struts 2, relative to WebWork the changes are small. On April 15, the Anheng Security Institute found a serious remote code execution vulnerability in Struts 2 (CVE-2016-3081).
If dynamic method invocation is enabled, then to call the corresponding login method we can use http://localhost:8080/struts241/index!login.action to perform the dynamic method call. In this form of dynamic method invocation, special characters in the method name are replaced with null, but http://localhost:8080/struts241/index.action?method:login bypasses the restriction on passing special characters.
The received parameter is processed and stored in the method attribute of the ActionMapping. DefaultActionProxyFactory sets the ActionMapping's method attribute as the method attribute of the ActionProxy (applying the escapeEcmaScript and escapeHtml4 filters, but these can be bypassed by passing values through a variable; see the PoC for specifics). See the following figure.
DefaultActionInvocation.java then takes the method attribute out of the ActionProxy and passes it into ognlUtil.getValue(methodName + "()", getStack().getContext(), action); which executes it as an OGNL expression, as shown in the following figure.
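The dynamic-method path described above (a method: prefix carrying an OGNL expression rather than a plain method name) is what a web-tier detector should key on. The following is an added example, not code from the original write-up: it decodes each query string once, as the servlet container would, and flags method: values that contain OGNL syntax. The log lines, paths and the OGNL_MARKERS list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# A legitimate dynamic-method value is a plain Java identifier such as "login".
IDENTIFIER = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")
# Tokens that belong to an OGNL expression, never to a method name (assumed list).
OGNL_MARKERS = ("#", "@", "(", "=", "_memberAccess", "DEFAULT_MEMBER_ACCESS")

def suspicious_method_params(request_line):
    """Return the decoded 'method:' values in one access-log request line
    that look like OGNL instead of a method name."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return []
    query = urlsplit(parts[1]).query
    hits = []
    # keep_blank_values so "method:login" (no '=') still appears as a key;
    # parse_qsl percent-decodes exactly once, matching the container.
    for key, _value in parse_qsl(query, keep_blank_values=True):
        if not key.startswith("method:"):
            continue
        name = key[len("method:"):]
        if IDENTIFIER.match(name):
            continue  # ordinary dynamic method invocation
        if any(marker in name for marker in OGNL_MARKERS):
            hits.append(name)
    return hits

def scan(lines):
    """Map the index of each flagged log line to its suspicious values."""
    findings = {}
    for i, line in enumerate(lines):
        hits = suspicious_method_params(line)
        if hits:
            findings[i] = hits
    return findings

# Constructed sample request lines (not taken from the original page).
SAMPLE_LOG = [
    "GET /struts241/index.action?method:login HTTP/1.1",
    "GET /struts241/index!login.action HTTP/1.1",
    "GET /app/index.action?method:%23foo%3d1,1?%23xx:%23request.toString&foo=bar HTTP/1.1",
]

if __name__ == "__main__":
    for idx, values in scan(SAMPLE_LOG).items():
        print(f"line {idx}: OGNL in method: parameter -> {values}")
```

Double-encoded values are decoded only once here, so a detector placed in front of the container should decode the same number of times the container does.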
3. Sandbox bypass: Through a static call in the OGNL expression, obtain the DEFAULT_MEMBER_ACCESS property of ognl.OgnlContext and overwrite the _memberAccess property with the result, which bypasses the SecurityMemberAccess restrictions.
4. PoC: http://localhost:8080/struts28/example/HelloWorld.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,@java.lang.Runtime@getRuntime(). exec(%23parameters. command),1?% 23xx:%23request. toString&command=open+/Applications/Calculator. app
a. Test environment: