Apache Struts2 XWork ParameterInterceptor security bypass

2010-08-05T00:00:00
ID SAINT:52FE4CC3610DB129C039F9F864818929
Type saint
Reporter SAINT Corporation
Modified 2010-08-05T00:00:00

Description

Added: 08/05/2010
CVE: CVE-2010-1870
BID: 41592
OSVDB: 66280

Background

Apache Struts is a Java web application framework. Apache Struts version 2 is based on WebWork 2. WebWork 2 uses XWork to invoke actions based on HTTP parameter names. The ParameterInterceptor component of XWork runs the appropriate Java method to handle each input parameter.

Problem

A security bypass vulnerability exists in the ParameterInterceptor. A remote attacker could execute arbitrary commands by setting various OGNL context variables using Unicode strings in parameter names.
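
A detection sketch for the condition described above, added here as an example and not taken from SAINT or the Struts project: it flags request parameter names that carry a Java-style Unicode escape or a `#`, the character OGNL uses to reference context variables. That the escape of interest resolves to `#` (U+0023) is an assumption not stated on this page, and the request lines and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Java-style Unicode escape as it appears after URL decoding: \u0023, \uu0023, ...
UNICODE_ESCAPE = re.compile(r"\\u+([0-9a-fA-F]{4})")

def param_names(query):
    """Yield URL-decoded parameter names from a raw query string."""
    for pair in re.split(r"[&;]", query):
        if pair:
            yield unquote(pair.split("=", 1)[0].replace("+", " "))

def resolve_escapes(name):
    """Replace each \\uXXXX escape with the character it encodes."""
    return UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), name)

def check_name(name):
    """Return the reasons a parameter name looks like an OGNL filter bypass."""
    reasons = []
    if "#" in name:
        reasons.append("literal '#'")
    if UNICODE_ESCAPE.search(name):
        reasons.append("unicode escape")
        # Assumption: the name filter looks for '#', so an escape that only
        # becomes '#' after resolution is the case worth escalating.
        if "#" not in name and "#" in resolve_escapes(name):
            reasons.append("escape hides '#'")
    return reasons

def scan_request_line(line):
    """Scan 'METHOD target HTTP/x' and return {parameter name: reasons}."""
    parts = line.split()
    if len(parts) < 2:
        return {}
    findings = {}
    for name in param_names(urlsplit(parts[1]).query):
        reasons = check_name(name)
        if reasons:
            findings[name] = reasons
    return findings

# Constructed request lines (not from any real log): benign, escaped, literal.
SAMPLES = [
    "GET /app/save.action?user.name=alice&page=2 HTTP/1.1",
    "GET /app/save.action?x%5Cu0023y=1 HTTP/1.1",
    "GET /app/save.action?x%23y=1 HTTP/1.1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", scan_request_line(sample))
```

Access logs normally record only the query string, so parameters sent in a POST body need the same check at a proxy or servlet filter.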

Resolution

Upgrade to Apache Struts 2.2 or higher when available.

References

<http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html>

Limitations

The exploit works on Apache Struts 2.1.8.1. The specified share must be accessible by the target.

Before the exploit can succeed, exploit.exe must be placed on the specified share. Use the Download Connection or E-mail Attachment Execution exploit tool to obtain exploit.exe, using the same shell port as used with this exploit. Due to this requirement, this exploit must be run individually and is not included during an automated penetration test.

Platforms

Windows