S2-052: Apache Struts2 REST Plugin Payloads (CVE-2017-9805)


There is a saying making the rounds now that "Apache Struts is like the WebGoat of all frameworks", and the current exploit, which is being tracked under **CVE-2017-9805** and the Apache Struts bulletin [S2-052](<https://cwiki.apache.org/confluence/display/WW/S2-052>), proves just that. If you remember, I had covered another vulnerability a couple of months ago, which is tracked under [S2-048](<http://pentestit.com/apache-struts2-showcase-remote-code-execution-s2-048/>) & CVE-2017-9791.

![CVE-2017-9805](http://pentestit.com/wp-content/uploads/2017/07/Apache-Struts2.png)

## What is the Apache Struts2 CVE-2017-9805 vulnerability about?

The original advisory [**here**](<https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement>) mentions the vulnerability only briefly. However, the Apache Foundation description was enough for people to create a PoC even before the discoverer could make the details public. Interestingly, the original advisory has been updated to mention this: "_Updated on 6 September: added a warning regarding multiple working exploits having been published by third parties._"

The vendor advisory states this: "_The REST Plugin is using a `XStreamHandler` with an instance of XStream for deserialization without any type filtering and this can lead to Remote Code Execution when de-serializing XML payloads._" In other words, the REST plugin hands attacker-controlled XML to XStream, which will instantiate whatever Java classes the XML names unless it has been told which types are allowed; type filtering (an allowlist of the classes the endpoint actually expects) is what was missing.

I will not go into the details about how to exploit this vulnerability, as I tweeted about the PoC availability yesterday itself:

> CVE-2017-9805, <https://t.co/doP89huIGN> (S2-052) POC - <https://t.co/ZwTMWmTY1A>
>
> -- Pentestit (@pentestit) [September 5, 2017](<https://twitter.com/pentestit/status/905214097246978052>)

The PoC there works well, and kudos to the author! This post tries to list a few more payloads that I think will be interesting to use.

Without further ado, we begin with the different payloads.

CVE-2017-9805 payload for a reverse connection via MSTSC (Terminal Server Connection):

![CVE-2017-9805-Windows-Connect-Back](http://pentestit.com/wp-content/uploads/2017/09/CVE-2017-9805-Windows-Connect-Back.png)

This has a high success rate on Windows systems which can "connect back" to you.

CVE-2017-9805 payload for file download without execution (figure that part out):

![CVE-2017-9805-Windows-Download](http://pentestit.com/wp-content/uploads/2017/09/CVE-2017-9805-Windows-Download.png)

This should work on almost all Microsoft Windows systems as long as Tomcat has the right privileges set.

CVE-2017-9805 payload for file download on a Linux machine:

![CVE-2017-9805-Linux](http://pentestit.com/wp-content/uploads/2017/09/Struts-S2-052.png)

This should also work on a good number of systems that have cURL.

## Fix CVE-2017-9805:

As the Apache Foundation suggests, the first option is to upgrade to [Struts 2.5.13](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.13>) or [Struts 2.3.34](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.34>). Secondly, you can upgrade the plugin by uploading all the required plugin JARs and its dependencies.

The post [S2-052: Apache Struts2 REST Plugin Payloads (CVE-2017-9805)](<http://pentestit.com/apache-struts2-rest-plugin-remote-code-execution-cve-2017-9805/>) appeared first on [PenTestIT](<http://pentestit.com>).
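To make the "no type filtering" point in the Fix section concrete, here is an added example (not the Struts REST plugin's own code, and not from the post above) of the difference between an unfiltered XStream instance and one locked down with XStream's own permission API to the single DTO an endpoint expects; the `Order` class and the sample XML are assumptions constructed for the illustration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import java.util.Collection;

public final class HardenedXStreamHandler {

    // Hypothetical DTO that the REST endpoint is supposed to receive.
    public static final class Order {
        public String sku;
        public int quantity;
    }

    // The vulnerable shape: XStream with no type permissions at all. Any class
    // named in the XML element names is resolved and instantiated.
    public static XStream unfiltered() {
        XStream xstream = new XStream();
        xstream.alias("order", Order.class);
        return xstream;
    }

    // The hardened shape: deny everything, then re-allow only what the API needs.
    public static XStream filtered() {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);          // deny-all baseline
        xstream.addPermission(NullPermission.NULL);            // allow <null/>
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypeHierarchy(Collection.class);          // lists of DTOs
        xstream.allowTypes(new Class[] { String.class, Order.class });
        xstream.alias("order", Order.class);
        return xstream;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a legitimate order, and a body naming a
        // harmless JDK class that the endpoint never asked for.
        String legit = "<order><sku>ABC-123</sku><quantity>2</quantity></order>";
        String unexpected = "<java.util.Date><time>0</time></java.util.Date>";

        Order o = (Order) filtered().fromXML(legit);
        System.out.println("accepted order " + o.sku + " x" + o.quantity);

        System.out.println("unfiltered -> " + unfiltered().fromXML(unexpected).getClass());
        try {
            filtered().fromXML(unexpected);
        } catch (XStreamException e) {
            // ForbiddenClassException (an XStreamException) is what the allowlist raises.
            System.out.println("filtered   -> rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The unfiltered handler happily builds a `java.util.Date` from the second body; the filtered one rejects any element whose class is outside the allowlist before a constructor or converter ever runs, which is the behaviour the patched plugin versions restore.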