Apache Struts Web Application Framework Critical Remote Code Execution Vulnerability (CVE-2018-11776)

A critical remote code execution vulnerability affecting popular web application framework Apache Struts has been discovered. The vulnerability is in the core of the application and exists due to insufficient validation of user-provided untrusted inputs under certain configurations. This vulnerability is identified by CVE-2018-11776.

This Remote Code Execution vulnerability poses a huge risk as the framework is widely used for designing publicly-accessible web applications by enterprises. Many Organisations like Lockheed Martin, the IRS, Citigroup, Vodafone, Virgin Atlantic, Reader’s Digest, Office Depot and Showtime will be affected to this critical vulnerability. According to the statistics from researcher at semmle, “In 2017 at least 65 percent of the Fortune 100 companies relied on web applications built with the Apache Struts framework. Also, it is estimated that 57 percent continue to expand their use of Apache Struts this year, by downloading vulnerable versions of the software”. The researcher also adds, “This vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers. On top of that, the weakness is related to the Struts OGNL language, which attackers are very familiar with, and are known to have been exploited in the past. On the whole, this is more critical than the highly critical Struts RCE vulnerability discovered and announced last September”.

Technical Details:

Struts uses various result types as described here. Results can be defined either in the Struts configuration file or in Java code. As of now, there are 3 Struts result types discovered that can be considered unsafe when used without a namespace. The following three result types have been found to be vulnerable:

  • Redirect action : This redirects the visitor to a different URL.
  • Action chaining: This chains multiple actions into a defined sequence or workflow.
  • Postback result:  This forwards the current request parameters as a form which immediately submits a postback to the specified destination chain or postback.

A vulnerable application can be easily attacked by an attacker by injecting own namespace as a parameter in an HTTP request. The value of that parameter will be insufficiently validated by the Struts framework and can be any OGNL string.

As an example, let’s take look at the code from ‘ServletActionRedirectResult.java’. The untrusted input from the call to ‘getNamespace’ flows into the argument of the constructor of ‘ActionMapping’ via the variable ‘namespace’. Next ‘getUriFromActionMapping’ returns a URL string that uses namespace from the constructed ‘ActionMapping’.

This then flows into the argument of ‘setLocation’ via the variable ‘tmpLocation’. ‘setLocation’ then set the field location in the superclass ‘StrutsResultSupport’.

The code then calls execute() on ServletActionResult which passes the location field to a call to ‘conditionalParse’.

The ‘conditionalParse’ then passes location into ‘translateVariables’, which evaluates param as an OGNL expression.

Thus, when the namespace parameter is not set in a ‘ServletActionRedirectResult’ the code takes the namespace from the ‘ActionProxy’ and then gets evaluated as an OGNL expression. This can allow an attacker to craft input so that it gets evaluated as an OGNL expression, which allows the attacker to run arbitrary code on the server.

Typical PoC for CVE-2018-11776:

A simple PoC to fetch the contents of ‘/etc/passwd‘ from target server running vulnerable Apache Struts on Linux is as below:

Crafted Request:
${(#_memberAccess["allowStaticMethodAccess"]=true,#a=@java.lang.Runtime@getRuntime().exec('cat /etc/passwd').getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[51020],#c.read(#d),#sbtest=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#sbtest.println(#d),#sbtest.close())}/actionChain1.action

When the above-crafted request sent to vulnerable Apache Struts, the data gets evaluated as an OGNL expression which internally executes 'cat /etc/passwd' command on the server and the result of the executed command is sent back as a response as shown in the below diagram. Thus an attacker can potentially take up complete control over the system by executing malicious commands.

Affected Versions:
All web applications that use Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16 are affected. Even unsupported old Apache Struts versions are also potentially vulnerable to this flaw.

As this vulnerability affects the core of Struts, multiple separate attack vectors can be present. At the moment, the researcher has described two such vectors. For the application to be vulnerable both of these conditions should hold.
– The ‘alwaysSelectFullNamespace’ flag is set to true in the Struts configuration. It is worth noting that this case is true if an application uses the Struts Convention plugin.
– The application uses actions that are configured without specifying a namespace, or with a wildcard namespace (e.g. “/*”). This applies to actions and namespaces specified in the Struts configuration file (e.g. <action namespace = “main”>), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin.

One of things to note here is, even if the application is not vulnerable currently a favourable change in Struts configuration file may cause the application to be vulnerable.

Upgrade to Apache Struts versions 2.3.35 or 2.5.17
An advisory giving solution details is available here. This vulnerability has been addressed in Struts versions 2.3.35 and 2.5.17

NOTE: This is a temporary workaround. Please apply the above solution as early as possible.
1) Make sure that ‘namespace’ is set, if applicable, for all defined results in underlying configurations.
2) Also, make sure that value or action for all URL tags in JSPs are set.

Subscribe For More Posts Like This

Get the latest research, best practices, industry trends and cybersecurity blogs from SecPod security experts

Invalid email address
We promise not to spam you. You can unsubscribe at any time.
0 0 vote
Article Rating
Notify of
Inline Feedbacks
View all comments