Vulnerability description

Vulnerability name: Struts2-045
Vulnerability type: remote command execution
Vulnerability rating: high risk
Vulnerability cause: the Jakarta Multipart parser (the file-upload module) catches the exception raised while processing a file upload (multipart) request and passes the exception message through OGNL expression evaluation. When it judges the Content-Type to be malformed, it throws an exception whose message carries the Content-Type header value, so a carefully constructed request whose Content-Type carries an OGNL expression leads to remote code execution.
Vulnerability scope: Struts 2.3.5 to Struts 2.3.31; Struts 2.5 to Struts 2.5.10
Recommended fix: upgrade to Struts 2.3.32 or Struts 2.5.10.1
Vulnerability analysis

The following analysis is based on struts2 126.96.36.199. The official description says the vulnerability occurs in the file upload process. Upload and download are commonly used functions, but Struts2 itself does not provide the upload parser; in the org.apache.struts2 package, Struts2 provides the following three ways to support file upload (see the figure).

One important reason this vulnerability was so widespread is that the module with the problem is the one the system provides by default: Jakarta. Jakarta depends on two packages, commons-fileupload and commons-io, so as long as those two packages are present a file upload can be simulated. Both packages are also present in struts2_blank, the basic example that ships with Struts2. Another important reason is that the Jakarta module, when handling a file request, passes the exception message through OGNL expression parsing. This part is easier to see in debug mode.

When Struts2 receives a request it analyzes it first; as shown in the figure, when content_type is not null and content_type contains multipart/form-data, Struts2 treats it as an upload request. This is also why the PoC must contain multipart/form-data.

Having seen how a file upload is simulated, now look at how the vulnerability arises. As shown in the figure, the parser checks for exceptions while processing the request. When the file is too large or another error occurs, buildErrorMessage() is called. The vulnerability is caused by this exception handling. The value of e at this point is shown in the figure: the contents of the PoC's Content-Type are all stored in detailMessage. Stepping into the method, we find the official modification point here (reference 3), which is to say the problem starts here. Following further, the valuestack participates.
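The pre-check described above (Content-Type non-null and containing multipart/form-data) is also what a detection rule should key on. The following is an added example, not code from the original analysis or from Struts: it scans constructed sample request records for a Content-Type that Struts2 would route to the Jakarta multipart parser and that also contains an OGNL expression marker. The log line format, the field name ct and the marker set are assumptions made for this example.

```python
"""Detection heuristic for the S2-045 trigger condition discussed above.

Added example, not code from the original analysis or from Struts. It scans
constructed sample request records for the two properties the analysis
identifies: a Content-Type that Struts2 would route to the Jakarta multipart
parser, and an OGNL expression marker inside that same header value.
The log line format is an assumption made for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Struts2 hands a request to the multipart parser only when Content-Type is
# non-null and contains this token (the pre-check described in the analysis).
MULTIPART_TOKEN = "multipart/form-data"

# Opening markers of an OGNL expression. A legitimate Content-Type value never
# contains them, so their presence in this header is the indicator.
OGNL_MARKER = re.compile(r"[%$]\{")

# Assumed (constructed) log format: <method> <path> ct="<content-type or ->"
RECORD = re.compile(r'^(?P<method>\S+) (?P<path>\S+) ct="(?P<ct>.*)"$')


@dataclass
class Finding:
    line_no: int
    severity: str
    path: str
    content_type: str


def routed_to_multipart(content_type: Optional[str]) -> bool:
    """Mirror the framework's pre-check: not null and contains the token."""
    return content_type is not None and MULTIPART_TOKEN in content_type


def classify(content_type: Optional[str]) -> Optional[str]:
    """Return a severity for a suspicious Content-Type, or None if clean.

    'high': marker present and the request reaches the multipart parser.
    'low':  marker present but the multipart pre-check fails, so this
            particular code path is not reached; still never legitimate.
    """
    if content_type is None or not OGNL_MARKER.search(content_type):
        return None
    return "high" if routed_to_multipart(content_type) else "low"


def scan(log_text: str) -> List[Finding]:
    """Parse each record and collect the suspicious ones."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = RECORD.match(line)
        if not m:
            continue  # unparseable line; a real scanner would count these
        ct = None if m.group("ct") == "-" else m.group("ct")
        severity = classify(ct)
        if severity:
            findings.append(Finding(line_no, severity, m.group("path"), ct))
    return findings


# Constructed sample records; the expression bodies are placeholders only.
SAMPLE_LOG = """\
POST /upload.action ct="multipart/form-data; boundary=----constructedBoundary42"
GET /index.action ct="-"
POST /upload.action ct="%{#placeholder}multipart/form-data"
POST /api/item.action ct="application/json"
POST /upload.action ct="${placeholder}"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.severity} {f.path} Content-Type={f.content_type!r}")
```

Most default access-log formats do not record the Content-Type request header, so the rule only works once the reverse proxy or application server is configured to log it; the severity split mirrors the framework's own routing decision, which is why a marker outside a multipart Content-Type is reported lower.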
The valuestack, as those familiar with Struts2 know, is the data structure used to evaluate expressions; that is, it is prepared for OGNL parsing. Following findText(), we find that the errorMessage is processed here. Following further, we see that the errorMessage is treated as an OGNL expression. What follows is the expression evaluation process; interested readers can trace it themselves.
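To make the findText() hazard concrete without OGNL, the following is an added example (not Struts code and not from the original analysis) using a tiny placeholder resolver as a stand-in for the expression engine. It contrasts the flow traced above, where the message built from the exception's detailMessage (which carries the Content-Type) is handed to the resolver as a whole, with the safe pattern of resolving only a fixed template and inserting the untrusted text afterwards as data. The value-stack dictionary, message keys and message text are constructed for the example.

```python
"""Analogue of the findText() hazard traced above (added example).

This is not Struts code and does not use OGNL. A tiny placeholder resolver
stands in for the expression engine: anything inside %{...} is looked up on a
dictionary that plays the role of the value stack. The vulnerable path merges
untrusted exception text (which carries the Content-Type) into the message
and then hands the whole string to the resolver, so placeholders in the
untrusted text are evaluated; the hardened path resolves only a fixed
template and inserts the untrusted text afterwards as opaque data.
Names, keys and message text are constructed.
"""
import re

PLACEHOLDER = re.compile(r"%\{([^}]*)\}")

# Stand-in for the value stack: properties an evaluated expression can reach.
VALUE_STACK = {
    "app.name": "demo-app",
    "db.password": "constructed-secret",
}

# Fixed message templates keyed by error type (constructed keys); {0} marks
# where the exception text belongs.
MESSAGES = {
    "upload.error.size": "%{app.name}: upload rejected, file too large ({0})",
    "upload.error.general": "%{app.name}: upload failed ({0})",
}


def resolve(template: str) -> str:
    """Toy expression engine: replace every %{key} with its value-stack entry."""
    return PLACEHOLDER.sub(lambda m: VALUE_STACK.get(m.group(1), ""), template)


def exception_message_for(content_type: str) -> str:
    """Constructed stand-in for the parser exception whose detailMessage
    carries the request's Content-Type value."""
    return f"multipart stream missing, content type header is {content_type}"


def vulnerable_build_error_message(key: str, exception_message: str) -> str:
    """Untrusted text is merged into the message before evaluation, so any
    %{...} it contains is evaluated against the value stack."""
    text = MESSAGES[key].replace("{0}", exception_message)
    return resolve(text)


def hardened_build_error_message(key: str, exception_message: str) -> str:
    """Only the fixed template is evaluated; the untrusted text is substituted
    afterwards, so the resolver never sees it."""
    text = resolve(MESSAGES[key])
    return text.replace("{0}", exception_message)


if __name__ == "__main__":
    # Constructed Content-Type: an expression marker followed by the token
    # that gets the request routed to the multipart parser.
    ct = "%{db.password}multipart/form-data"
    msg = exception_message_for(ct)
    print("vulnerable:", vulnerable_build_error_message("upload.error.general", msg))
    print("hardened:  ", hardened_build_error_message("upload.error.general", msg))
```

The ordering is the whole point: once untrusted text has been concatenated into a string that an expression engine will scan, no amount of escaping inside the template helps, which is why the durable fix keeps exception text (and anything derived from request headers) out of the evaluated string entirely.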