Struts2-057 two versions of RCE vulnerability example analysis

Preface

On August 22, 2018, Apache Strust2 released the latest security bulletin. Apache Struts2 has a high-risk remote code execution vulnerability (S2-057/CVE-2018-11776). This vulnerability Discovered by security researcher Man YueMo of Semmle Security Research team.

This vulnerability is due to the fact that when using the namespace function to define XML configuration in the Struts2 development framework, the namespace value is not set and is not set in the upper-layer action configuration (Action Configuration) or uses the wildcard namespace, which may lead to Remote code execution. In the same way, when the value and action values ​​are not set in the url tag and the upper-level action is not set or a wildcard namespace is used, it may also lead to remote code execution. After the author's self-built environment, the vulnerability was successfully reproduced and the command echo can be executed. At the end of the article, you have what you want. !

Vulnerability Exploitation

The environments used by the author are Strust2 2.3.20 version and Strust2 2.3.34 version respectively. There are roughly three ways to exploit the vulnerability: numerical calculation, pop-up calculator, command echo.

2.1 Numerical calculation

Numerical calculation is relatively simple. Specify %{100 200} on the URL to jump and get the calculated result

2.2 Pop-up calculator

The POC of version 2.3.20 is as follows:

##2.3.3 4 version reference The POC is as follows:

2.3 Command echo

Both versions use com.opensymphony.xwork2. dispatcher.HttpServletResponse object to print the echo data after command execution

The POC of version 2.3.20 is as follows:

The POC of version 2.3.34 is as follows:

The effect after the attack is as shown below

Vulnerability analysis

Before analyzing the vulnerability, you need to configure the struts.xml file, this The file is the core configuration file of struts2. Most of the time, you need to control the increase or decrease of configuration;

There are two things to pay attention to. The first one must be configured struts.mapper .alwaysSelectFullNamespace = true, otherwise the vulnerability cannot be triggered. The purpose of this configuration is to set whether NameSpace is always selected at any position before the last slash; the type returned by the second result tag selects "redirectAction or chain", only these two The value of each configuration option can forward or redirect the action; for details about type, please refer to the figure below

##After finishing the configuration, start dynamic analysis. The vulnerability is located in

struts2-core.jar!/org/apache/struts2/dispatcher/ServletActionRedirectResult.class

The value of this.namespace member comes from the getNamespace() method, and then Return the URI string through getUriFromActionMapping();

The value obtained through getUriFromActionMapping is assigned to the tmpLocation variable, and then the expression enters the setLocation method

The ServletActionResult is called through the super.execute method, and the conditionalParse method is followed in the execute method body. In this method, the key method of ONGL execution, translateVariables, is called.

The obtained param value is passed into the translateVariables() method, which ultimately leads to the execution of the OGNL expression in OnglTextPaser.

After popping up the calculator, the value of lastFinalLocation obtained is the handle after the current execution. This value is used as the action address of the response jump, which is the URI that appears in the address bar after popping up the calculator in the browser

The analysis of the pop-up calculator ends here. Next, let’s look at the analysis based on the command execution echo results. Basically, the process is the same as above. The only difference is the value returned by lastFinalLocation. It is NULL, which means that there is no 302 jump after submission, it is still the current action, and the returned value is 200

After knowing the principle, my colleague The exp detection script is implemented in python. This script is for learning and research only;

Defensive measures

1. Change the framework version Upgrade to the latest official version;

2. For Web applications, try to ensure the security of the code;

3. For the IDS rule level, the numerical calculation and bullet calculator return The status codes are all 302, and the Location jump field contains the characteristic handle string; if it is a 200 status code returned by the command echo, and there is a command result output;

The above is the detailed content of Struts2-057 two versions of RCE vulnerability example analysis. For more information, please follow other related articles on the PHP Chinese website!