Apache Struts2 Remote Code Execution Vulnerability (S2-045)

março 9, 2017 | Adeline Zhang

Overview

Apache Struts2 is prone to a remote code execution vulnerability (CNNVD-201703-152) in the Jakarta Multipart parser plug-in. When uploading a file with this plug-in, an attacker could change the value of the Content-Type header field of an HTTP request to trigger this vulnerability, causing remote code execution.

For details, visit the following link:

https://cwiki.apache.org/confluence/display/WW/S2-045?from=timeline&isappinstalled=0

Affected Versions

Struts 2.3.5 – Struts 2.3.31
Struts 2.5 – Struts 2.5.10

Unaffected Versions

Struts 2.3.32
Struts 2.5.10.1

Geographic Distribution of Struts2 Vulnerability

Vulnerability Analysis

Apache Struts2 is prone to a remote code execution vulnerability via the Content-Type header field of an HTTP request, an attacker could deliver malicious code to a vulnerable server causing remote code execution.

1. Vulnerability POC

2. Vulnerability Verification

3. Detailed Analysis

It is possible to perform a RCE attack with a malicious Content-Type value. If the Content-Type value isn’t valid an exception is thrown which is then used to display an error message to a user. The preceding is the official vulnerability description.

As illustrated this vulnerability is due to the mishandling of error messages by Strust2. This vulnerability allows an attacker to inject OGNL expressions via the Content-Type header field to execute arbitrary code. The vulnerability analysis here targets Struts 2.3.24.The vulnerability POC shown below reveals how the attack commands are delivered to a vulnerable server via the Content-Type header field.

Due to the existence of #nike=’multipart/form-data’ amid parameters passed to the vulnerable server, the result of content_type.contains(“multipart/form-data”) is true, paving the way for the passing of attack code to the server.

During attack code passing to the server, “cat /etc/passwd” is assigned to the #cmd parameter. Then (#cmds=(#iswin?{‘cmd.exe’,’/c’,#cmd}:{‘/bin/bash’,’-c’,#cmd}) is executed to check the operating system type of the target host. After that, values are assigned to parameters to directive selectively.

The attack command to execute is as follows:

The entry of Struts2, FilterDispatcher.java first executes the doFilter function, then dispatcher.wrapRequest, and finally dispatcher.wrapRequest for request processing. The following figure shows the request wrapping method handling of the prepareDispatcherAndWrapRequest function.

The following figure depicts the command injection points:

For dispatcher.wrapRequest, when Content-Type is set to multipart/form-data, the MultiPartRequestWrapper function will be called for rapping upload requests transmitted in various ways that include Jakarta.

MultiPartRequestWrapper.java wraps the parse function:

The following figures shows the parse function:

Fix Action & Patch Link

Apache Struts 2.5.10.1:

https://github.com/apache/struts/commit/b06dd50af2a3319dd896bf5c2f4972d2b772cf2b

Apache Struts 2.3.32:

https://github.com/apache/struts/commit/352306493971e7d5a756d61780d57a76eb1f519a

Vendor Solutions

Users are advised to upgrade Apache Struts to the latest secure version (Struts 2 2.3.32 or Struts 2.5.10.1) by downloading the updates from the vendor’s official websites:

Struts 2.3.32:

https://github.com/apache/struts/releases/tag/STRUTS_2_3_32

Struts 2.5.10.1:

https://github.com/apache/struts/releases/tag/STRUTS_2_5_10_1

Apache Struts2 Remote Code Execution Vulnerability (S2-045)