The Model-View-Framework Apache Struts2, an open source and free framework for simplifying the creation of web applications in Java has been recently patched to mitigate a zero day vulnerability.

Apache Struts2 is been affected with a new vulnerability which is being actively exploited in the wild. The vulnerability is a possible Remote Code Execution which exists while performing file upload via Jakarta Multipart parser, and has been tracked using CVE-2017-5638.

Proof of Concept:
An example of a crafted post request used by attackers to perform remote code execution on Apache Struts is shown below. Here a simple ‘whoami‘ command will be executed on the server and attackers can get to know what user the service is running. If the service is running by a super user, attackers can execute more sophisticated commands on the server.

Below is an example of post request with more dangerous commands which might starts with disabling the server’s firewall and stopping iptables to downloading a payload from a malicious website and triggering the payload on the server, also a simple ‘rm -rf *‘ command can bring enough damage on the server.

The RCE vulnerability caused by the improper validation of ‘Content-Type‘ value in the post request while uploading files to server, which is handled by Jakarta Multipart parser. This vulnerability is allowing attackers to take control of the affected servers, and can cause lot of damage using the exploit code shown above.

Downloading a malicious payload from a web server and execution of the payload as a super user. The payloads have varied but include an IRC bouncer, a DoS bot, rootkits. Many of the websites have been already taken down with malware distribution, and the files which are being copied will make sure that the firewall will be disabled every time the server boots. So patch it asap.

The working exploit code can be found here

Apache Struts versions 2.3.5 - 2.3.31 and  2.5 - 2.5.10

Upgrade to Apache Struts version 2.3.32 or 2.5.11, or Implement a Servlet filter which will validate Content-Type and throw away request with suspicious values not matching multipart/form-data.

Kashinath T
Security Research Engineer

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedIn
Loading Facebook Comments ...

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>