Remote Code Execution Vulnerability in Struts 2 (S2-048)

  • Source: SANGFOR Security Center
  • Date Published: 2017-07-25

Summary

    On the evening of July 7th, 2017, Apache released a security bulletin (S2-045) addressing a security vulnerability (CVE-2017-5638) in Struts 2. The bulletin states that the Showcase application shipped with Struts 2 contains a remote code execution vulnerability, which attackers can use to add user accounts and to view, modify or delete files, among other operations. 

    Affected Versions: Struts 2.3.x versions with struts2-struts1-plugin enabled

DEFINITION

    Apache Struts 2 is one of the most popular MVC-based Java web application frameworks in the world. In effect, it plays the same role as a Servlet: it functions as the controller that mediates data exchange between the model and the views. 

VULNERABILITY DESCRIPTION

    If the Struts 1 plug-in (not enabled by default) is enabled in Struts 2, an attacker can craft a malicious field value and submit it to the application; that value may then be carried into an Action error message, which leads to remote code execution.

Analysis

    As of the publication date of this article, several PoC (proof-of-concept) exploits for this vulnerability are available on the Internet. One of them is shown below: 

[Figure: screenshot of a PoC exploit]

    Locate /skill/save.action, place the malicious code in the name parameter, and the whoami command is executed successfully, as shown below: 

[Figure: screenshot showing the output of the whoami command]
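Because the Struts 1 plug-in builds the message text from the submitted name, and Struts 2 evaluates `${...}` / `%{...}` expression syntax (OGNL) in message text, the defender-side check for the request pattern described above is to look for those markers in the decoded parameters of requests to `.action` endpoints. The following is an added example written for this article, not code from the advisory or from Struts; the path /skill/save.action and the sample requests are constructed, and `PAYLOAD_PLACEHOLDER` stands in for whatever an attacker would submit.

```python
from urllib.parse import parse_qsl, urlsplit

# Markers of the expression syntax Struts 2 evaluates (OGNL) when they reach a
# message key or text: a user-supplied field carrying them is the red flag.
EXPR_MARKERS = ("%{", "${")

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def extract_params(target: str, headers: dict, body: str) -> dict:
    """Query-string and urlencoded-body parameters, percent-decoded (so %25%7B is seen as %{)."""
    params = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body, keep_blank_values=True))
    return params

def find_struts_expression_params(raw: str) -> list:
    """For requests to a Struts .action endpoint, return the (parameter, value)
    pairs whose decoded value contains an expression marker."""
    _method, target, headers, body = parse_request(raw)
    if not urlsplit(target).path.endswith(".action"):
        return []
    params = extract_params(target, headers, body)
    return [(k, v) for k, v in params.items() if any(m in v for m in EXPR_MARKERS)]

# Constructed sample requests against the Showcase form named in the article.
BENIGN_REQ = (
    "POST /skill/save.action HTTP/1.1\r\n"
    "Host: showcase.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "name=Alice&age=30"
)
SUSPICIOUS_REQ = (
    "POST /skill/save.action HTTP/1.1\r\n"
    "Host: showcase.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "name=%25%7BPAYLOAD_PLACEHOLDER%7D&age=30"  # placeholder, not a working payload
)
```

Running `find_struts_expression_params` on the benign request yields an empty list, while the second request is flagged on its `name` parameter even though the markers were percent-encoded.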

Solution

    1. Use resource keys to pass the original messages to ActionMessage, as shown below: 

messages.add("msg", new ActionMessage("struts1.gangsterAdded", gform.getName()));

Instead of using the following:

messages.add("msg", new ActionMessage("Gangster " + gform.getName() + " was added"));

    2. Disable struts2-struts1-plugin (do not enable this plug-in unless necessary): remove the file struts2-struts1-plugin-2.3.x.jar from the directory /WEB-INF/lib, or move it to another directory. 

    If a Sangfor NGAF appliance has been deployed in your network, update its vulnerability database to version 20170708 or later to defend against this vulnerability.