How to analyze Apache Struts 2 remote code execution vulnerability CVE-2018-11776

2025-04-02 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article walks through an analysis of the Apache Struts 2 remote code execution vulnerability CVE-2018-11776. The editor finds it very practical and shares it here for study; hopefully you will take something away from it.

I. Vulnerability background

The Apache Software Foundation announced a new remote code execution vulnerability in Apache Struts, a mainstream open source framework for developing Web applications in the Java programming language. Applications developed with certain versions of Apache Struts may be vulnerable. The CVE number for this vulnerability is CVE-2018-11776.

II. Vulnerability summary

Who should read this: all Struts 2 developers and users

Impact of vulnerability: possible remote code execution when results are used with no namespace and, at the same time, their upper action(s) have no namespace or a wildcard namespace. The same possibility exists when using a url tag that has no value and action set.

Maximum security rating: Critical

Recommendation: upgrade to Struts 2.3.35 or Struts 2.5.17

Affected software: Struts 2.3 - Struts 2.3.34, Struts 2.5 - Struts 2.5.16. Unsupported Struts versions may also be affected.

Reporter: Man Yue Mo from the Semmle security research team

CVE identifier: CVE-2018-11776

III. Build the environment

Modify the Struts core configuration file struts-actionchaining.xml so that no value is assigned to namespace, and configure the redirect action.

In ActionChain1, add debugging to the execute method for verification.

Request http://localhost:8080/struts2-showcase/${(333+333)}/actionChain1.action; the OGNL expression is executed successfully.

Execution reaches the execute method.

The request is redirected to the specified action page, register2.

Entering a specific payload triggers the vulnerability and pops up the calculator.

IV. Trigger conditions

1. The Apache Struts version in use is in the range Struts 2.3 - Struts 2.3.34 or Struts 2.5 - Struts 2.5.16.

2. In the Struts core configuration XML, the upper action leaves "namespace" at its default value, or uses a wildcard "namespace" ("/*"). Either case may expose the web application to remote code execution.

3. "struts.mapper.alwaysSelectFullNamespace = true" is configured in Struts. This property determines whether everything before the last slash is selected as the namespace.

4. In the Struts core configuration XML file, the result tag uses type="redirectAction", which redirects the user to another defined action.
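As an added example (not code from the original article or from the Struts project), the following Python script audits a Struts XML configuration for the combination of trigger conditions 2 to 4 above. The sample XML, package names and action classes are constructed for illustration, and the function name audit_struts_config is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration (illustrative; not the article's own file).
SAMPLE_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="chaining" extends="struts-default">
    <action name="actionChain1" class="example.ActionChain1">
      <result type="redirectAction">register2</result>
    </action>
  </package>
  <package name="wild" extends="struts-default" namespace="/*">
    <action name="jump" class="example.Jump">
      <result type="redirectAction"><param name="actionName">home</param></result>
    </action>
  </package>
  <package name="pinned" extends="struts-default" namespace="/app">
    <action name="go" class="example.Go">
      <result type="redirectAction">home</result>
    </action>
  </package>
</struts>"""

def audit_struts_config(xml_text):
    """Return (always_select_full_namespace, [(package, action), ...])."""
    root = ET.fromstring(xml_text)
    # Condition 3: struts.mapper.alwaysSelectFullNamespace is set to true.
    full_ns = any(
        c.get("name") == "struts.mapper.alwaysSelectFullNamespace"
        and (c.get("value") or "").strip().lower() == "true"
        for c in root.iter("constant"))
    findings = []
    for pkg in root.iter("package"):
        ns = (pkg.get("namespace") or "").strip()
        # Condition 2: namespace left at its default (unset) or a wildcard.
        if ns and "*" not in ns:
            continue
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                # Condition 4: redirectAction result with no namespace of its own.
                if result.get("type") != "redirectAction":
                    continue
                own_ns = any(p.get("name") == "namespace" and (p.text or "").strip()
                             for p in result.iter("param"))
                if not own_ns:
                    findings.append((pkg.get("name"), action.get("name")))
    return full_ns, findings

if __name__ == "__main__":
    print(audit_struts_config(SAMPLE_XML))
```

Any finding on a Struts version in the affected ranges is a reason to prioritize the upgrade; setting an explicit namespace on the package and on the result removes the finding from this check.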

V. Vulnerability analysis

"DefaultActionMapper" calls "parseNameAndNamespace()" to parse "namespace" and "name".

When the value of alwaysSelectFullNamespace is true, the value of namespace can be controlled through the URI.

After the action executes, ServletActionRedirectResult calls execute() to redirect the Result, rebuilds namespace and name through ActionMapper.getUriFromActionMapping(), and then uses setLocation() to pass the location, which contains the namespace, to the parent class StrutsResultSupport.

Once the parent class StrutsResultSupport has the location, it calls the evaluate method of OgnlTextParser through TextParseUtil.translateVariables(). This is the statement that ultimately interprets the OGNL expression, so the OGNL expression in the URL is parsed and executed.

VI. Remediation recommendations

It is recommended to upgrade Apache Struts to the latest version 2.3.35 or the latest version 2.5.17. Upgrading directly applies the official fix for the vulnerability, and no backward incompatibility is expected.

The above is how to analyze the Apache Struts 2 remote code execution vulnerability CVE-2018-11776. The editor believes it covers knowledge points that we may see or use in daily work, and hopes you can learn more from this article. For more details, please follow the industry information channel.
