Shulou (Shulou.com) 06/01 report, SLTechnology News&Howtos > Internet Technology, updated 2025-02-24
This article explains the Apache Struts S2-052 vulnerability, its analysis and the early warning around it. The editor thinks it is very practical and shares it here; I hope you get something out of it.
0x00 vulnerability description
The REST Plugin is using a XStreamHandler with an instance of XStream for deserialization without any type filtering and this can lead to Remote Code Execution when deserializing XML payloads.
-- Apache Struts official Security notice
Apache Struts published a security announcement on September 5, 2017: the Apache Struts2 REST plugin contains a high-risk remote code execution vulnerability, reported by lgtm.com security researchers and numbered CVE-2017-9805 (S2-052). The XStream component used by the Struts2 REST plugin has a deserialization vulnerability: when XStream deserializes a request body in XML format, the content is not effectively validated, so the flaw can be exploited remotely.
Once Struts2 enables rest-plugin and its `XStreamHandler` is configured, this serious remote command execution problem can arise.
0x01 vulnerability impact surface
1. Impact
CVE-2017-9805 is rated as a high-risk vulnerability.
In practice there are some limitations and certain conditions must be met: the REST plugin is not a component that Struts enables by default.
2. Affected versions
Version 2.5.0 to 2.5.12
Version 2.3.0 to 2.3.33
3. Fixed versions
Struts 2.5.13
Struts 2.3.34
0x02 vulnerability details
1. Technical details
File `org/apache/struts2/rest/ContentTypeInterceptor.java`
When the struts2 rest-plugin receives a message in one of the registered content types, its processing logic calls the `handler` registered for that type.
The `handler.toObject` method instantiates the XML message passed in, so execution jumps to the `toObject` method of the defined `XStreamHandler`.
Inside it, `fromXML` deserializes the message; the instantiated malicious object is executed, resulting in malicious code execution.
Then I saw the calculator pop up successfully.
2. Bug repair
`XStreamPermissionProvider` has been added in the new version,
and the original problematic `createXStream` was rewritten to add a check that rejects unsafe classes.
0x03 vulnerability exploitation verification
0x04 repair recommendation
1. Officially it is recommended to limit the data type handled by the plugin to `json`
2. Upgrade Struts to version 2.5.13 or 2.3.34
3. Perform data validation or checks in `XStreamHandler`
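The following is an added example, not code from the Struts project or from this article, showing the hardening pattern described in the bug repair section and in recommendation 3: an XStream instance that denies every type by default and re-allows only the classes the REST action expects, so an XML payload naming any other class is rejected before it is instantiated. It assumes XStream 1.4.7 or later on the classpath (the release that introduced the security framework); the `OrderRequest` and `InternalTask` classes and the sample messages are hypothetical and constructed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Added example, not Struts' own code: an XStream instance with an explicit type
// allowlist, the opposite of the unfiltered instance that S2-052 describes.
// Assumes XStream 1.4.7 or later (security framework available).
public class AllowlistedXStreamExample {

    // Hypothetical DTO that a REST action legitimately accepts from clients.
    public static class OrderRequest {
        public String sku;
        public int quantity;
    }

    // Hypothetical class that exists on the classpath but must never be
    // constructed from client-supplied XML.
    public static class InternalTask {
        public String name;
    }

    // Deny all types first, then re-allow nulls, primitives, String and the one
    // DTO. Any other class named in the XML raises ForbiddenClassException
    // before XStream instantiates it.
    public static XStream createAllowlistedXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, OrderRequest.class });
        // Aliases only shorten element names; they grant no permission, so
        // <task> still resolves to InternalTask and is then refused.
        xs.alias("order", OrderRequest.class);
        xs.alias("task", InternalTask.class);
        return xs;
    }

    // Mirrors what a hardened XStreamHandler.toObject would do: deserialize with
    // the allowlisted instance and report whether the payload's type was accepted.
    public static String describe(XStream xs, String xml) {
        try {
            Object obj = xs.fromXML(xml);
            return "accepted " + obj.getClass().getSimpleName();
        } catch (ForbiddenClassException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        XStream xs = createAllowlistedXStream();
        // Constructed sample messages, not captured traffic.
        String expected = "<order><sku>ABC-123</sku><quantity>2</quantity></order>";
        String unexpected = "<task><name>cleanup</name></task>";
        System.out.println(describe(xs, expected));
        System.out.println(describe(xs, unexpected));
    }
}
```

The important detail is the order of calls: `NoTypePermission.NONE` clears whatever permissions XStream starts with, and only the types added afterwards are accepted. A handler that instead keeps the default `new XStream()` configuration of the affected versions lets the element name in the request body pick any class on the classpath, which is exactly the behaviour the advisory describes.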
The above is how to analyze the Apache Struts S2-052 vulnerability and its early warning. The editor believes there are some knowledge points here that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.