The gist of the issue is that if you have a vulnerable configuration that doesn't lend a namespace to struts, struts will take the user-specified namespace instead. Fortunately, it takes the namespace and evaluates it as a OGNL expression, allowing you to fairly easily get remote code execution.
Working PoC (I personally tested it myself and it works)
https://github.com/jas502n/St2-057
Technical deep dive on finding the vulnerability:
https://lgtm.com/blog/apache_struts_CVE-2018-11776
Vuln writeup by Semmle (including conditions for vulnerable configurations)
https://semmle.com/news/apache-struts-CVE-2018-11776
Apache's security bulletin for the vuln:
https://cwiki.apache.org/confluence/display/WW/S2-057
Mitre CVE link:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776
A couple caveats I found while testing:
- It definitely requires a lack of namespace attribute in the classes xml
- All that is required for successful exploitation is a single proper GET request
- Doesn't work on all struts-showcase installs (2.3.15 wasn't working for some reason), making me think it may be a bit finicky
I modified the PoC listed above into a simple python function, making everything simpler:
Below is it being run against a vulnerable VM I set up
Hi!
ReplyDeleteFirst I would like to thank you for taking the time and sharing this PoC with the community. I am currently wondering if this PoC could be lightly modded in order to try it on any *.action page which runs on Apache Struts2.
I've replaced the target for:
target = sys.argv[1]
And also the 'actionChain1.action' at the end of the payload for my 'index.action' page. No luck yet.
Thanks
<3 mass!
ReplyDeleteDid you get it working on 2.3.x version. I tried on 2.3.34 without success.
ReplyDelete