Wei Gao, Blog Author
Senior Security Research Engineer

CVE-2017-5638 Apache Struts2 Zero-day

March 9, 2017 by Wei Gao

Ixia's ATI team is investigating a 0-day Apache Struts2 vulnerability (CVE-2017-5638) initially reported by Cisco's TALOS team. Shortly after disclosure, in-the-wild exploits started hitting our honeypots. By combing through these hits, we were able to identify variations of the exploit and turn them into tests for our customers.

[Figure 1]

ATI Honeypot Captured Exploit Sample

[Figure 2]

The payload is malicious code, written in OGNL, supplied in the Content-Type header of an HTTP request. The vulnerability is due to a bug in the Jakarta Multipart parser in Struts2. A successful exploit can lead to code execution.

Vulnerability Analysis

Struts2 uses org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest to handle file uploads.

[Figure 3]

In the exploit, the assignment #nike='multipart/form-data' makes the content-type check evaluate to true, so the function getMultiPartRequest() is executed. That function resolves the struts.multipart.parser attribute to org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.

[Figure 4]

[Figure 5]

The struts.multipart.parser used by the fileUpload interceptor to handle HTTP POST requests encoded with the MIME type multipart/form-data can be swapped out. Currently there are two choices, jakarta and pell. The jakarta parser is a standard part of the Struts 2 framework and needs only its required libraries added to a project. The pell parser uses Jason Pell's multipart parser instead of the Commons-FileUpload library. The pell parser is a Struts 2 plugin; for more details see the pell multipart plugin. There was a third alternative, cos, but it was removed due to licensing incompatibilities.

Finally, Struts2 calls LocalizedTextUtil.findText from the function buildErrorMessage to build the error message, and the exploit takes advantage of the OGNL evaluation performed inside LocalizedTextUtil.findText to execute its commands.

[Figure 6]
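Because the malicious expression arrives in the Content-Type header and must contain the substring multipart/form-data to reach the Jakarta parser, the header value itself is a good place to look for probes in web server or proxy logs. The following detector is an added example for this post (not Ixia or Apache code): it scans raw HTTP request heads, flags Content-Type values that are not well-formed media types or that contain OGNL expression syntax, and additionally flags GET requests that carry a multipart/form-data Content-Type, since a GET has no upload body. The regex heuristics, the hostnames and the sample requests are constructed for illustration; the suspicious sample is deliberately non-functional.

```python
import re

# Heuristic patterns for OGNL expression syntax inside a header value.
# Assumption: illustrative patterns chosen for this example, not a vendor
# signature; tune them against your own traffic before relying on them.
OGNL_PATTERNS = {
    "expression opener %{ or ${": re.compile(r"[%$]\{"),
    "OGNL variable assignment #name=": re.compile(r"#\w+\s*="),
    "OGNL static reference @class@member": re.compile(r"@[\w.]+@"),
}

# A well-formed media type: type/subtype with optional ;name=value parameters.
WELL_FORMED_MEDIA_TYPE = re.compile(
    r'^[\w.+-]+/[\w.+-]+(\s*;\s*[\w-]+=("[^"]*"|[^;\s]*))*\s*$'
)

REASON_MALFORMED = "Content-Type is not a well-formed media type"
REASON_GET_MULTIPART = "GET request carries a multipart/form-data Content-Type"


def content_type_reasons(method, value):
    """Return the reasons a Content-Type value looks like an S2-045 probe.
    An empty list means nothing suspicious was found."""
    reasons = []
    if not WELL_FORMED_MEDIA_TYPE.match(value):
        reasons.append(REASON_MALFORMED)
    for label, pattern in OGNL_PATTERNS.items():
        if pattern.search(value):
            reasons.append("matches " + label)
    # The Jakarta parser is selected on the substring 'multipart/form-data';
    # a GET request has no body to upload, so this combination is anomalous.
    if method.upper() == "GET" and "multipart/form-data" in value.lower():
        reasons.append(REASON_GET_MULTIPART)
    return reasons


def scan_requests(raw_requests):
    """Scan raw HTTP request heads (request line + headers) for findings."""
    findings = []
    for raw in raw_requests:
        lines = raw.split("\r\n")
        request_line = lines[0]
        method = request_line.split(" ", 1)[0]
        for header in lines[1:]:
            if header == "":
                break  # blank line ends the header block
            name, _, value = header.partition(":")
            if name.strip().lower() != "content-type":
                continue
            reasons = content_type_reasons(method, value.strip())
            if reasons:
                findings.append({
                    "request_line": request_line,
                    "content_type": value.strip(),
                    "reasons": reasons,
                })
    return findings


# Constructed sample traffic for this example (not captured honeypot data).
SAMPLE_REQUESTS = [
    "POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: multipart/form-data; boundary=----ExampleBoundary123\r\n\r\n",
    "GET /index.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: %{(#nike='multipart/form-data').(#sample='constructed, non-functional')}\r\n\r\n",
    "POST /api/items HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: application/json; charset=utf-8\r\n\r\n",
    "GET /login.action HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: multipart/form-data\r\n\r\n",
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding["request_line"], "->", "; ".join(finding["reasons"]))
```

Running the block reports the second and fourth constructed requests; the first and third, an ordinary upload and a JSON call, produce no finding. The malformed-media-type check carries most of the weight, because a legitimate Content-Type never contains braces or a '#' assignment, while the GET-plus-multipart check is a weaker signal worth correlating with the others rather than alerting on alone.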

Vulnerability Reproduction

Environment setup:

Tomcat 7, Struts 2.3.24

The Struts-Blank web application is included in the vulnerable Struts 2.3.24 package, and we use it to test the vulnerability.

[Figure 7]

[Figure 8]

The PoC injects an OGNL command into the Content-Type header of an HTTP GET request:

[Figure 9]

Running the PoC creates a text file in the /tmp folder on the target:

[Figure 10]

[Figure 11]

Recommendation

If you are using the Jakarta-based file upload multipart parser, upgrade to Apache Struts 2.3.32 or 2.5.10.1.
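To turn that recommendation into a check, the following added example (written for this post, not Apache or Ixia code) parses struts2-core jar names from a WEB-INF/lib listing and reports whether each version is below the fixed release on its branch. The fixed versions 2.3.32 and 2.5.10.1 come from the recommendation above; the lower bound of the affected range (2.3.5) is taken from the S2-045 advisory listed under References rather than from this post. The jar names are constructed sample input.

```python
import re

# Fixed releases named in the recommendation; anything older on the same
# minor branch is treated as affected.
FIXED_VERSIONS = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}
# Start of the affected range per the S2-045 advisory (assumption for this
# example; the blog post itself only names the fixed versions).
FIRST_AFFECTED = (2, 3, 5)

JAR_NAME = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare element-wise in Python."""
    return tuple(int(part) for part in text.split("."))


def is_affected(version_text):
    """True if this Struts version should be upgraded for CVE-2017-5638."""
    version = parse_version(version_text)
    if version < FIRST_AFFECTED:
        return False
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # Branches other than 2.3.x and 2.5.x are outside the published range.
        return False
    return version < fixed


def scan_jar_names(jar_names):
    """Map each struts2-core jar path to (version string, affected flag)."""
    results = {}
    for name in jar_names:
        match = JAR_NAME.search(name)
        if match:
            results[name] = (match.group(1), is_affected(match.group(1)))
    return results


# Constructed file names standing in for a WEB-INF/lib directory listing.
SAMPLE_JARS = [
    "WEB-INF/lib/struts2-core-2.3.24.jar",
    "WEB-INF/lib/struts2-core-2.3.32.jar",
    "WEB-INF/lib/struts2-core-2.5.10.jar",
    "WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "WEB-INF/lib/commons-fileupload-1.3.2.jar",
]

if __name__ == "__main__":
    for name, (version, affected) in scan_jar_names(SAMPLE_JARS).items():
        print(name, version, "UPGRADE" if affected else "ok")
```

The version used in the reproduction above, 2.3.24, is reported as needing an upgrade, while 2.3.32 and 2.5.10.1 pass. Comparing integer tuples rather than strings matters here: a string comparison would rank "2.5.10" above "2.5.10.1" and "2.3.9" above "2.3.32".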

References

[1] https://cwiki.apache.org/confluence/display/WW/S2-045

[2] http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html