SAINT Corporation, SAINT:7BC59B3330A7820A216EA06973B8F0C8
Aug 02, 2012 - 12:00 a.m.

Apache Struts 2 ConversionErrorInterceptor Java Injection

2012-08-02 00:00:00
SAINT Corporation
my.saintcorporation.com
CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.364 Low
Percentile: 97.1%

Added: 08/02/2012
CVE: CVE-2012-0391
OSVDB: 78277

Background

Apache Struts is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model-view-controller (MVC) architecture.

Problem

Struts uses Object-Graph Navigation Language (OGNL) to provide extensive expression evaluation capabilities. Struts 2 versions prior to 2.2.3.1 do not properly delegate exceptions when assigning values to properties. If a type conversion error occurs, Struts 2 may allow the OGNL values to be interpreted as Java code.

Resolution

Upgrade to Struts 2.2.3.1 or later.
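
A check for the resolution above, as an added example (not SAINT's or Apache's code): it walks a deployment directory and reports struts2-core jars older than 2.2.3.1, including copies bundled inside WAR/EAR archives. It assumes the usual `struts2-core-<version>.jar` file naming; all function names are illustrative.

```python
import io
import re
import zipfile
from pathlib import Path

FIXED = (2, 2, 3, 1)  # first fixed release named in the Resolution section
# Assumption: jars keep the usual struts2-core-<version>.jar file name.
JAR_RE = re.compile(r"(?:^|/)struts2-core-(\d+(?:\.\d+)*)[^/]*\.jar$")

def parse_version(text):
    """'2.2.3' -> (2, 2, 3, 0): pad to four parts so 2.2.3 sorts below 2.2.3.1."""
    parts = [int(p) for p in text.split(".")][:4]
    return tuple(parts + [0] * (4 - len(parts)))

def is_vulnerable(version_text):
    return parse_version(version_text) < FIXED

def jar_version(name):
    """Version embedded in a struts2-core jar name (qualifiers ignored), else None."""
    m = JAR_RE.search(name.replace("\\", "/"))
    return m.group(1) if m else None

def scan_archive(data, label):
    """Yield (location, version) for struts2-core jars inside a WAR/EAR.
    Recurses into nested archives, e.g. a WAR packaged inside an EAR."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            version = jar_version(entry)
            if version:
                yield f"{label}!{entry}", version
            elif entry.lower().endswith((".war", ".ear")):
                yield from scan_archive(zf.read(entry), f"{label}!{entry}")

def scan_tree(root):
    """Return sorted (location, version) findings older than the fixed release."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        version = jar_version(path.name)
        if version:
            hits = [(str(path), version)]
        elif path.suffix.lower() in (".war", ".ear"):
            hits = list(scan_archive(path.read_bytes(), str(path)))
        else:
            hits = []
        findings += [h for h in hits if is_vulnerable(h[1])]
    return sorted(findings)
```

A renamed or shaded jar will not match the file-name pattern, so an empty result from `scan_tree` is not proof that no affected copy is deployed.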

References

<http://struts.apache.org/2.x/docs/version-notes-2311.html>
<https://issues.apache.org/jira/browse/WW-3668>
<https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt>

Limitations

This exploit has been tested against Apache Software Foundation Struts 2.2.1 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut).

The smbclient executable must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The SMB password must not contain single quotes (').

Platforms

Windows
