Apache Struts2 remote code execution vulnerability S2-045: technical analysis and protection solution - vulnerability warning - Black Bar Safety Net

2017-03-08T00:00:00
ID MYHACK58:62201784040
Type myhack58
Reporter Anonymous
Modified 2017-03-08T00:00:00

Description

The Apache Struts2 Jakarta Multipart parser plug-in contains a remote code execution vulnerability, vulnerability number CNNVD-201703-152. An attacker can trigger it through the plug-in's file upload handling by modifying the value of the HTTP Content-Type request header, leading to remote code execution.

Related links are as follows:

https://cwiki.apache.org/confluence/display/WW/S2-045?from=timeline&isappinstalled=0

Affected versions

  • Struts 2.3.5 – Struts 2.3.31
  • Struts 2.5 – Struts 2.5.10

Unaffected versions

  • Struts 2.3.32
  • Struts 2.5.10.1

NSFOCUS (Green Alliance) Threat Intelligence Center NTI map of the Struts2 vulnerability's exposure

  • Global distribution [figure not reproduced]
  • Domestic distribution [figure not reproduced]
  • Global ranking [figure not reproduced]
  • Domestic ranking [figure not reproduced]

Vulnerability analysis

Apache Struts2 has a remote code execution vulnerability: an attacker can place malicious code in the Content-Type field of the HTTP request header, which is passed to the vulnerable server and results in arbitrary code execution.

  • Vulnerability POC [figure not reproduced]
  • Vulnerability verification [figure not reproduced]

  • Details of the analysis

It is possible to perform a RCE attack with a malicious Content-Type value. If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user.

From the official vulnerability description we can see that this vulnerability stems from how Struts2 processes the error message: an OGNL expression injected through the Content-Type header is evaluated, and the command is executed.

The analysis here is based on Struts 2.3.24. First look at the POC: the attack instruction is passed to the vulnerable server through the "Content-Type" header, as shown below:

[figure not reproduced]

In the incoming parameters, the statement #nike='multipart/form-data' makes the back end's check content_type.contains("multipart/form-data") evaluate to true, so the attack code is let through. The attack code 'cat /etc/passwd' is assigned to the #cmd parameter. Next, (#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}) determines the operating system type of the target host and selects the command form accordingly. Finally, the code in the figure below executes the attack command:

[figure not reproduced]

Let us first look at the command execution injection point:

[figure not reproduced]

In JakartaMultiPartRequest.java, the buildErrorMessage function calls LocalizedTextUtil.findText, which evaluates an OGNL expression and thereby executes the command. First look at the definition of findText:

<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/util/LocalizedTextUtil.html>

[figure not reproduced]
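Because the raw Content-Type value reaches findText and is evaluated as OGNL, a defender who cannot upgrade immediately can reject or alert on any Content-Type that is not a well-formed media type before it reaches the application (at a reverse proxy or WAF, or when reviewing request logs). The following Python script is an added example written for this article, not code from the original post or from the Struts project; the log line format and every sample value it scans are constructed for the example, and the flagged value is a harmless placeholder expression rather than a working payload.

```python
import re

# RFC 7231 media-type grammar:
#   type "/" subtype *( OWS ";" OWS token "=" ( token / quoted-string ) )
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\\r\n]|\\.)*"'
_PARAM = rf"{_TOKEN}=(?:{_TOKEN}|{_QUOTED})"
_MEDIA_TYPE = re.compile(rf"^{_TOKEN}/{_TOKEN}(?:\s*;\s*{_PARAM})*\s*$")

# Delimiters that open an OGNL/EL evaluation; they never occur in a media type,
# so their presence alone is enough to flag the header.
_EXPRESSION_DELIMITERS = ("%{", "${")


def classify_content_type(value: str):
    """Classify one Content-Type header value.

    Returns ("ok", None) for a well-formed media type and
    ("suspicious", reason) otherwise.
    """
    for delim in _EXPRESSION_DELIMITERS:
        if delim in value:
            return ("suspicious", f"contains expression delimiter {delim!r}")
    if not _MEDIA_TYPE.match(value):
        return ("suspicious", "not a well-formed media type")
    return ("ok", None)


def scan_request_log(lines):
    """Return (line_number, content_type, reason) for every suspicious line.

    Each line is assumed to have the constructed form
        <client> <method> <path> Content-Type: <value>
    (an invented format for this example, not a Struts or proxy log format).
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        _, _, raw = line.partition("Content-Type: ")
        if not raw:
            continue  # request carried no Content-Type header
        value = raw.strip()
        verdict, reason = classify_content_type(value)
        if verdict == "suspicious":
            findings.append((number, value, reason))
    return findings


# Constructed sample log lines: two legitimate requests, one value carrying an
# expression delimiter (a placeholder, not a payload), one merely malformed
# value that a strict parser should also reject, and one request without the header.
SAMPLE_LOG = [
    "10.0.0.5 POST /upload.action Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk",
    "10.0.0.6 POST /api/login.action Content-Type: application/json",
    "10.0.0.7 POST /upload.action Content-Type: %{#example='constructed'}",
    "10.0.0.8 POST /upload.action Content-Type: multipart/form-data; boundary=a b",
    "10.0.0.9 GET /index.action",
]

if __name__ == "__main__":
    for number, value, reason in scan_request_log(SAMPLE_LOG):
        print(f"line {number}: {reason}: {value}")
```

The strict grammar check matters as much as the delimiter check: the S2-045 trigger only needs the Content-Type to fail Struts' own multipart parsing so that the value is echoed into the error message, so a front-end filter should drop anything that is not a syntactically valid media type rather than only look for known expression syntax.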

Next comes the call chain that reaches the parse method of JakartaMultiPartRequest.java. The Struts2 entry point FilterDispatcher.java runs its doFilter function, performs some filtering, enters the prepareDispatcherAndWrapRequest function, and then executes dispatcher.wrapRequest to enter the request-processing branch. The figure below shows the implementation of prepareDispatcherAndWrapRequest and the flow through it:

[figure not reproduced]

Then we look at dispatcher.wrapRequest: when the Content-Type is multipart/form-data it calls MultiPartRequestWrapper, a wrapper over several different upload implementations, including Jakarta and others:
