WVSS and RSAS to help you quickly detect Apache Struts2 remote code execution vulnerability S2-0 3 7-vulnerability warning-the black bar safety net

2016-06-27T00:00:00
ID MYHACK58:62201676305
Type myhack58
Reporter 佚名
Modified 2016-06-27T00:00:00

Description

Apache Struts2 using the REST plugin the cases, the attacker uses REST calls malicious expression can be remote code execution. The vulnerability number CVE-2 0 1 6-4 4 3 8, Set Name, S2-0 3 to 7. The vulnerability and S2-0 3 3 vulnerability to trigger the process is basically the same, are in the ActionMapping in the methodName into the OGNL expression execution, leading to arbitrary code execution. You also can't quickly confirm your business is secure? WVSS and RSAS to help you quickly identify risks.

Vulnerability overview

Apache Struts2 then exposed a remote code execution vulnerability, an attacker can use the REST plug-in calls a malicious expression remote code execution. This vulnerability number CVE-2 0 1 6-4 4 3 8, named S2-0 3 to 7.

Vulnerability range

! Global distribution

Struts 2.3.20-Struts 2.3.28.1

All install the REST plugin of Struts application

The exploit poc

http://127.0.0.1:8080/struts2-rest-showcase/orders/3//%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23wr%3d%23context%5B%23parameters. obj%5B0%5D,%5D. getWriter(),%23wr. print(%23parameters. content%5B0%5D%2b602%2b53718%2b1239876),%23wr. close(),xx. toString. json?& amp;obj=com. opensymphony. xwork2. dispatcher. HttpServletResponse&content=paglyrwqlnvhfgfkunxucswjhpeiomqmhnmbwbccujdyfyokxexhsuqtflvt reponse echoed paglyrwqlnvhfgfkunxucswjhpeiomqmhnmbwbccujdyfyokxexhsuqtflvt i.e., the presence of the vulnerability.

Detect method

Nsfocus customers can use the green Alliance Web application vulnerability scanning systems, NSFOCUS WVSS and the green Alliance remote security assessment system(NSFOCUS RSAS)detects its own application system is the existence of vulnerabilities. The green Alliance Web application vulnerability scanning systems, NSFOCUS WVSS and the green Alliance remote security assessment system(NSFOCUS RSAS)have been in vulnerabilities were exposed for the first time within the perfect realization of the vulnerability detection capability, you can update the plug-in Library for fast, accurate and full scan found.

! Exploit name

Fix method

1 added cleanupActionName filter;

2 Using a Web application firewall, etc. securitydevices for protection;

3 attention to Apache's website and timely update to struts2. 3. 2 9: The https://struts.apache.org/

Refer to the official notice: https://cwiki.apache.org/confluence/display/WW/s2-037