Affected Versions<\/h3>\n\n- Struts 2.3.5 – Struts 2.3.31<\/li>\n
- Struts 2.5 – Struts 2.5.10<\/li>\n<\/ul>\n
Unaffected Versions<\/h3>\n\n- Struts 2.3.32<\/li>\n
- Struts 2.5.10.1<\/li>\n<\/ul>\n
Geographic Distribution of Struts2 Vulnerability<\/h3>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/03\/AP1-300x147.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/03\/AP2-300x244.png\")
<\/a><\/p>\nVulnerability Analysis<\/h2>\n
Apache Struts2 is prone to a remote code execution vulnerability via the Content-Type header field of an HTTP request, an attacker could deliver malicious code to a vulnerable server causing remote code execution.<\/p>\n
1. Vulnerability POC<\/strong><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/03\/AP3-300x229.png\")
<\/a><\/p>\n2. Vulnerability Verification<\/strong><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/03\/AP4-300x210.png\")
<\/a><\/p>\n3. Detailed Analysis<\/strong><\/p>\nIt is possible to perform a RCE attack with a malicious Content-Type value. If the Content-Type value isn’t valid an exception is thrown which is then used to display an error message to a user. The preceding is the official vulnerability description.<\/p>\n
As illustrated this vulnerability is due to the mishandling of error messages by Strust2. This vulnerability allows an attacker to inject OGNL expressions via the Content-Type header field to execute arbitrary code. The vulnerability analysis here targets Struts 2.3.24.The vulnerability POC shown below reveals how the attack commands are delivered to a vulnerable server via the Content-Type header field.<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/03\/AP5-300x95.png\")
<\/a><\/p>\nDue to the existence of #nike=’multipart\/form-data’ amid parameters passed to the vulnerable server, the result of content_type.contains(“multipart\/form-data”) is true, paving the way for the passing of attack code to the server.<\/p>\n
During attack code passing to the server, “cat \/etc\/passwd” is assigned to the #cmd parameter. Then (#cmds=(#iswin?{‘cmd.exe’,’\/c’,#cmd}:{‘\/bin\/bash’,’-c’,#cmd}) is executed to check the operating system type of the target host. After that, values are assigned to parameters to directive selectively.<\/p>\n
The attack command to execute is as follows:<\/em><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/03\/AP6-300x29.png\")
<\/a><\/p>\nThe entry of Struts2, FilterDispatcher.java first executes the doFilter function, then dispatcher.wrapRequest, and finally dispatcher.wrapRequest for request processing. The following figure shows the request wrapping method handling of the prepareDispatcherAndWrapRequest function.<\/p>\n
The following figure depicts the command injection points:<\/em><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/03\/AP8-300x170.png\")
<\/a><\/p>\nFor dispatcher.wrapRequest, when Content-Type is set to multipart\/form-data, the MultiPartRequestWrapper function will be called for rapping upload requests transmitted in various ways that include Jakarta.<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/03\/AP9-300x100.png\")
<\/a><\/p>\nMultiPartRequestWrapper.java wraps the parse function:<\/em><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/03\/AP10-300x117.png\")
<\/a><\/p>\nThe following figures shows the parse function:<\/em><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/03\/AP11-300x131.png\")
<\/a><\/p>\nFix Action & Patch Link<\/h3>\n
Apache Struts 2.5.10.1:<\/em><\/p>\nhttps:\/\/github.com\/apache\/struts\/commit\/b06dd50af2a3319dd896bf5c2f4972d2b772cf2b<\/strong><\/a><\/p>\nApache Struts 2.3.32:<\/em><\/p>\nhttps:\/\/github.com\/apache\/struts\/commit\/352306493971e7d5a756d61780d57a76eb1f519a<\/strong><\/a><\/p>\nVendor Solutions<\/h3>\n
Users are advised to upgrade Apache Struts to the latest secure version (Struts 2 2.3.32 or Struts 2.5.10.1) by downloading the updates from the vendor’s official websites:<\/p>\n
Struts 2.3.32:<\/em><\/p>\nhttps:\/\/github.com\/apache\/struts\/releases\/tag\/STRUTS_2_3_32<\/strong><\/a><\/p>\nStruts 2.5.10.1:<\/em><\/p>\nhttps:\/\/github.com\/apache\/struts\/releases\/tag\/STRUTS_2_5_10_1<\/strong><\/a><\/p>\nRecommended Solutions<\/h2>\n
For external assets, use the emergency vulnerability detection service of NSFOCUS Cloud to check the vulnerability online. The services are available through the following links:<\/p>\n
http:\/\/t.cn\/RipBq1c<\/strong><\/a><\/p>\nRemote Security Assessment System (RSAS V6):<\/em><\/p>\nhttp:\/\/update.<\/strong>nsfocus<\/strong>.com\/update\/listRsasDetail\/v\/vulweb<\/strong><\/a><\/p>\nWeb Vulnerability Scanning System (WVSS):<\/em><\/p>\nhttp:\/\/update.nsfocus.com\/update\/listWvss<\/a><\/p>\nNSFOCUS Network Intrusion Prevention System (NIPS):<\/em><\/p>\nhttp:\/\/update.nsfocus.com\/update\/listIps<\/strong><\/a><\/p>\nNSFOCUS Intrusion Detection System (NIDS):<\/em><\/p>\nhttp:\/\/update.nsfocus.com\/update\/listIds<\/strong><\/a><\/p>\nNSFOCUS Next-Generation Firewall (NF):<\/em><\/p>\nhttp:\/\/update.nsfocus.com\/update\/listNf<\/strong><\/a><\/p>\n
Unaffected Versions<\/h3>\n\n- Struts 2.3.32<\/li>\n
- Struts 2.5.10.1<\/li>\n<\/ul>\n
Geographic Distribution of Struts2 Vulnerability<\/h3>\n
<\/a><\/p>\n<\/a><\/p>\nVulnerability Analysis<\/h2>\n
Apache Struts2 is prone to a remote code execution vulnerability via the Content-Type header field of an HTTP request, an attacker could deliver malicious code to a vulnerable server causing remote code execution.<\/p>\n
1. Vulnerability POC<\/strong><\/p>\n<\/a><\/p>\n2. Vulnerability Verification<\/strong><\/p>\n<\/a><\/p>\n3. Detailed Analysis<\/strong><\/p>\nIt is possible to perform a RCE attack with a malicious Content-Type value. If the Content-Type value isn’t valid an exception is thrown which is then used to display an error message to a user. The preceding is the official vulnerability description.<\/p>\n
As illustrated this vulnerability is due to the mishandling of error messages by Strust2. This vulnerability allows an attacker to inject OGNL expressions via the Content-Type header field to execute arbitrary code. The vulnerability analysis here targets Struts 2.3.24.The vulnerability POC shown below reveals how the attack commands are delivered to a vulnerable server via the Content-Type header field.<\/p>\n
<\/a><\/p>\nDue to the existence of #nike=’multipart\/form-data’ amid parameters passed to the vulnerable server, the result of content_type.contains(“multipart\/form-data”) is true, paving the way for the passing of attack code to the server.<\/p>\n
During attack code passing to the server, “cat \/etc\/passwd” is assigned to the #cmd parameter. Then (#cmds=(#iswin?{‘cmd.exe’,’\/c’,#cmd}:{‘\/bin\/bash’,’-c’,#cmd}) is executed to check the operating system type of the target host. After that, values are assigned to parameters to directive selectively.<\/p>\n
The attack command to execute is as follows:<\/em><\/p>\n<\/a><\/p>\nThe entry of Struts2, FilterDispatcher.java first executes the doFilter function, then dispatcher.wrapRequest, and finally dispatcher.wrapRequest for request processing. The following figure shows the request wrapping method handling of the prepareDispatcherAndWrapRequest function.<\/p>\n
The following figure depicts the command injection points:<\/em><\/p>\n<\/a><\/p>\nFor dispatcher.wrapRequest, when Content-Type is set to multipart\/form-data, the MultiPartRequestWrapper function will be called for rapping upload requests transmitted in various ways that include Jakarta.<\/p>\n
<\/a><\/p>\nMultiPartRequestWrapper.java wraps the parse function:<\/em><\/p>\n<\/a><\/p>\nThe following figures shows the parse function:<\/em><\/p>\n<\/a><\/p>\nFix Action & Patch Link<\/h3>\n
Apache Struts 2.5.10.1:<\/em><\/p>\nhttps:\/\/github.com\/apache\/struts\/commit\/b06dd50af2a3319dd896bf5c2f4972d2b772cf2b<\/strong><\/a><\/p>\nApache Struts 2.3.32:<\/em><\/p>\nhttps:\/\/github.com\/apache\/struts\/commit\/352306493971e7d5a756d61780d57a76eb1f519a<\/strong><\/a><\/p>\nVendor Solutions<\/h3>\n
Users are advised to upgrade Apache Struts to the latest secure version (Struts 2 2.3.32 or Struts 2.5.10.1) by downloading the updates from the vendor’s official websites:<\/p>\n
Struts 2.3.32:<\/em><\/p>\nhttps:\/\/github.com\/apache\/struts\/releases\/tag\/STRUTS_2_3_32<\/strong><\/a><\/p>\nStruts 2.5.10.1:<\/em><\/p>\nhttps:\/\/github.com\/apache\/struts\/releases\/tag\/STRUTS_2_5_10_1<\/strong><\/a><\/p>\nRecommended Solutions<\/h2>\n
For external assets, use the emergency vulnerability detection service of NSFOCUS Cloud to check the vulnerability online. The services are available through the following links:<\/p>\n
http:\/\/t.cn\/RipBq1c<\/strong><\/a><\/p>\nRemote Security Assessment System (RSAS V6):<\/em><\/p>\nhttp:\/\/update.<\/strong>nsfocus<\/strong>.com\/update\/listRsasDetail\/v\/vulweb<\/strong><\/a><\/p>\nWeb Vulnerability Scanning System (WVSS):<\/em><\/p>\nhttp:\/\/update.nsfocus.com\/update\/listWvss<\/a><\/p>\nNSFOCUS Network Intrusion Prevention System (NIPS):<\/em><\/p>\nhttp:\/\/update.nsfocus.com\/update\/listIps<\/strong><\/a><\/p>\nNSFOCUS Intrusion Detection System (NIDS):<\/em><\/p>\nhttp:\/\/update.nsfocus.com\/update\/listIds<\/strong><\/a><\/p>\nNSFOCUS Next-Generation Firewall (NF):<\/em><\/p>\nhttp:\/\/update.nsfocus.com\/update\/listNf<\/strong><\/a><\/p>\n
Geographic Distribution of Struts2 Vulnerability<\/h3>\n
Apache Struts2 is prone to a remote code execution vulnerability via the Content-Type header field of an HTTP request, an attacker could deliver malicious code to a vulnerable server causing remote code execution.<\/p>\n 1. Vulnerability POC<\/strong><\/p>\n 2. Vulnerability Verification<\/strong><\/p>\n 3. Detailed Analysis<\/strong><\/p>\n It is possible to perform a RCE attack with a malicious Content-Type value. If the Content-Type value isn’t valid an exception is thrown which is then used to display an error message to a user. The preceding is the official vulnerability description.<\/p>\n As illustrated this vulnerability is due to the mishandling of error messages by Strust2. This vulnerability allows an attacker to inject OGNL expressions via the Content-Type header field to execute arbitrary code. The vulnerability analysis here targets Struts 2.3.24.The vulnerability POC shown below reveals how the attack commands are delivered to a vulnerable server via the Content-Type header field.<\/p>\n Due to the existence of #nike=’multipart\/form-data’ amid parameters passed to the vulnerable server, the result of content_type.contains(“multipart\/form-data”) is true, paving the way for the passing of attack code to the server.<\/p>\n During attack code passing to the server, “cat \/etc\/passwd” is assigned to the #cmd parameter. Then (#cmds=(#iswin?{‘cmd.exe’,’\/c’,#cmd}:{‘\/bin\/bash’,’-c’,#cmd}) is executed to check the operating system type of the target host. After that, values are assigned to parameters to directive selectively.<\/p>\n The attack command to execute is as follows:<\/em><\/p>\n The entry of Struts2, FilterDispatcher.java first executes the doFilter function, then dispatcher.wrapRequest, and finally dispatcher.wrapRequest for request processing. The following figure shows the request wrapping method handling of the prepareDispatcherAndWrapRequest function.<\/p>\n The following figure depicts the command injection points:<\/em><\/p>\n For dispatcher.wrapRequest, when Content-Type is set to multipart\/form-data, the MultiPartRequestWrapper function will be called for rapping upload requests transmitted in various ways that include Jakarta.<\/p>\n MultiPartRequestWrapper.java wraps the parse function:<\/em><\/p>\n The following figures shows the parse function:<\/em><\/p>\n Apache Struts 2.5.10.1:<\/em><\/p>\n https:\/\/github.com\/apache\/struts\/commit\/b06dd50af2a3319dd896bf5c2f4972d2b772cf2b<\/strong><\/a><\/p>\n Apache Struts 2.3.32:<\/em><\/p>\n https:\/\/github.com\/apache\/struts\/commit\/352306493971e7d5a756d61780d57a76eb1f519a<\/strong><\/a><\/p>\n Users are advised to upgrade Apache Struts to the latest secure version (Struts 2 2.3.32 or Struts 2.5.10.1) by downloading the updates from the vendor’s official websites:<\/p>\n Struts 2.3.32:<\/em><\/p>\n https:\/\/github.com\/apache\/struts\/releases\/tag\/STRUTS_2_3_32<\/strong><\/a><\/p>\n Struts 2.5.10.1:<\/em><\/p>\n https:\/\/github.com\/apache\/struts\/releases\/tag\/STRUTS_2_5_10_1<\/strong><\/a><\/p>\n For external assets, use the emergency vulnerability detection service of NSFOCUS Cloud to check the vulnerability online. The services are available through the following links:<\/p>\n http:\/\/t.cn\/RipBq1c<\/strong><\/a><\/p>\n Remote Security Assessment System (RSAS V6):<\/em><\/p>\n http:\/\/update.<\/strong>nsfocus<\/strong>.com\/update\/listRsasDetail\/v\/vulweb<\/strong><\/a><\/p>\n Web Vulnerability Scanning System (WVSS):<\/em><\/p>\n http:\/\/update.nsfocus.com\/update\/listWvss<\/a><\/p>\n NSFOCUS Network Intrusion Prevention System (NIPS):<\/em><\/p>\n http:\/\/update.nsfocus.com\/update\/listIps<\/strong><\/a><\/p>\n NSFOCUS Intrusion Detection System (NIDS):<\/em><\/p>\n http:\/\/update.nsfocus.com\/update\/listIds<\/strong><\/a><\/p>\n NSFOCUS Next-Generation Firewall (NF):<\/em><\/p>\n http:\/\/update.nsfocus.com\/update\/listNf<\/strong><\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\nVulnerability Analysis<\/h2>\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\nFix Action & Patch Link<\/h3>\n
Vendor Solutions<\/h3>\n
Recommended Solutions<\/h2>\n