[Vulnerability analysis] S2-045 (CVE-2017-5638): a preliminary analysis of the principle - vulnerability warning - Black Bar Safety Net

2017-03-08T00:00:00
ID MYHACK58:62201784041
Type myhack58
Reporter Anonymous
Modified 2017-03-08T00:00:00

Description

Author: angelwhu

0x00 vulnerability announcement

See <https://cwiki.apache.org/confluence/display/WW/S2-045>

A detailed official analysis of this vulnerability will presumably follow. Here I give my personal understanding and share the ideas behind reproducing the vulnerability.

First of all, read the vulnerability description carefully:

The Problem

It is possible to perform a RCE attack with a malicious Content-Type value. If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user.

The description makes two points clear:

1. An OGNL expression is injected through the Content-Type header and then executed.

2. The flaw lies in how Struts2 handles the resulting error message.

0x01 The Struts2 upload mechanism

Some descriptions online say: based on the Jakarta plug-in.

That description is not accurate. Struts2 does have a plug-in mechanism (for example the REST plug-in hit by the earlier S2-037 vulnerability), but by default Struts2 parses uploaded data with the org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest class. There is no "plug-in" involved here; that class ultimately calls the third-party commons-fileupload component to complete the upload.

Note: the Struts2 source code version used below is 2.3.20.

You can follow the process in the source. The request first enters the StrutsPrepareAndExecuteFilter class, the entry filter in Struts2's default configuration. Inside it you can see that Struts2 first wraps the incoming request object:

    request = prepare.wrapRequest(request);

Following that statement, you can see how the wrapping in StrutsRequestWrapper is handled:

    if (request instanceof StrutsRequestWrapper) {
        return request;
    }
    String content_type = request.getContentType();
    if (content_type != null && content_type.contains("multipart/form-data")) { // is this a multipart POST form?
        MultiPartRequest mpr = getMultiPartRequest(); // returns JakartaMultiPartRequest by default
        LocaleProvider provider = getContainer().getInstance(LocaleProvider.class);
        request = new MultiPartRequestWrapper(mpr, request, getSaveDir(), provider);
    } else {
        request = new StrutsRequestWrapper(request, disableRequestAttributeValueStackLookup);
    }
    return request;

The two places I commented above are the key.

multipart/form-data

The POC circulating online contains this part:

    nike='multipart/form-data'

This makes the content_type.contains("multipart/form-data") check evaluate to true. Of course, the multipart/form-data string could be placed elsewhere in the header value as well.
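To make the branch quoted above concrete from the defender's side, here is an added example (my own code, not from the original post or from Struts2). It mirrors the dispatcher's decision, "does the header exist and contain the substring multipart/form-data", and then classifies Content-Type values taken from constructed sample header lines: a plain value, a well-formed multipart value, a malformed one (which the Jakarta parser would reject, sending its message into the error-handling path), and one carrying OGNL expression delimiters where a media type belongs. The strict boundary regex and the function names are assumptions; a real server may tolerate extra parameters.

```python
import re
from typing import List, Optional, Tuple

MULTIPART_MARKER = "multipart/form-data"
# Expression delimiters that OGNL evaluates; a legitimate Content-Type never carries them.
OGNL_MARKERS = ("%{", "${")

# Strict shape of a well-formed value: the media type, then a boundary parameter
# (RFC 2046 bchars, at most 70 characters, optionally quoted). Assumption: only
# this exact shape is accepted; real servers may allow e.g. a charset parameter.
_VALID_MULTIPART = re.compile(
    r"^multipart/form-data\s*;\s*boundary=(\"[^\"]{1,70}\"|[A-Za-z0-9'()+_,\-./:=? ]{1,70})$",
    re.IGNORECASE,
)


def struts_wraps_as_multipart(content_type: Optional[str]) -> bool:
    """Mirror the wrapRequest branch: only a non-null header containing the marker
    is routed to MultiPartRequestWrapper (and so to the Jakarta parser)."""
    return content_type is not None and MULTIPART_MARKER in content_type


def classify_content_type(content_type: Optional[str]) -> str:
    """Return one of: plain, multipart-ok, multipart-malformed, multipart-suspicious."""
    if not struts_wraps_as_multipart(content_type):
        return "plain"  # StrutsRequestWrapper path; the upload parser never runs
    value = content_type.strip()
    if any(marker in value for marker in OGNL_MARKERS):
        return "multipart-suspicious"  # expression syntax inside a media type header
    if _VALID_MULTIPART.match(value):
        return "multipart-ok"
    return "multipart-malformed"  # the parser throws; its message reaches the error path


_HEADER = re.compile(r"^content-type\s*:\s*(.*)$", re.IGNORECASE)


def scan_header_lines(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (value, verdict) for every Content-Type line in a list of raw header lines."""
    results = []
    for line in lines:
        match = _HEADER.match(line.strip())
        if match:
            value = match.group(1)
            results.append((value, classify_content_type(value)))
    return results


# Constructed sample header lines (not from the original post). The last value is
# an OGNL-looking string literal used only to trigger the detector, not an exploit.
SAMPLE_HEADER_LINES = [
    "Content-Type: application/x-www-form-urlencoded",
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk",
    "Content-Type: multipart/form-data; boundary=",
    "Content-Type: %{'multipart/form-data'}",
]

if __name__ == "__main__":
    for value, verdict in scan_header_lines(SAMPLE_HEADER_LINES):
        print(f"{verdict:22s} {value}")
```

The point of the "multipart-suspicious" verdict is that the dispatcher's substring check is satisfied by any value that merely contains the marker, so a header that is syntactically an expression rather than a media type is the thing to alert on at a proxy or WAF, before it ever reaches the parser.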

getMultiPartRequest()

This method can be traced further. By configuring the struts.multipart.parser property you can specify a different parsing class; the default is the org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest class mentioned above.

Online you can find this explanation:

struts.multipart.parser: this property specifies the file-upload framework that handles requests of MIME type multipart/form-data. It supports the values cos, pell and jakarta, corresponding to the cos file-upload framework, the pell upload framework and the commons-fileupload framework respectively. The property's default value is jakarta.

Official description: <https://cwiki.apache.org/confluence/display/WW/File+Upload#FileUpload-AlternateLibraries>

0x02 Comparing the vulnerability patch

Vulnerability analysis inevitably involves comparing the patch. Looking through the commits in the struts2 git repository, find the one described as "Uses the default error key if the specified key doesn't exist":

Changes in version 2.5.10.1:

<https://github.com/apache/struts/commit/b06dd50af2a3319dd896bf5c2f4972d2b772cf2b>


Changes in version 2.3.32:

<https://github.com/apache/struts/commit/352306493971e7d5a756d61780d57a76eb1f519a>


You can clearly see that both commits remove a call of this form:

    LocalizedTextUtil.findText(......);

So we get the third key point:

sink point

Tracing back with dynamic debugging, you can find that it is through this LocalizedTextUtil.findText method that command execution is finally reached. For now it can be regarded as the sink point.

Once the payload reaches this point, commands can be executed via OGNL. At the same time, the intuitive impression is that the function is processing an error message.

0x03 Reproducing the vulnerability and debugging analysis

1. Simple reproduction

Environment configuration:

tomcat7

struts 2.3.20

Following the analysis of the principle above, one can guess that there is no need to find an upload page: it is enough to simulate an upload request, which makes the impact huge.......

So I used the struts2-blank war package of Struts 2.3.20 to test the vulnerability directly:
