2025-03-13 Update From: SLTechnology News&Howtos (Network Security)
Shulou (Shulou.com) 05/31 Report
This article analyzes the remote code execution vulnerability S2-057 in two versions of Struts2, with a reproduction, a debugging walk-through and defensive notes.
Preface
On August 22nd, Apache Struts2 issued a security announcement for a high-risk remote code execution vulnerability (S2-057/CVE-2018-11776), discovered by Man Yue Mo, a security researcher on the Semmle Security Research team.
The flaw arises when, in the Struts2 XML configuration, the namespace value is not set (or a wildcard namespace is used) in the upper action configuration (Action Configuration); this may lead to remote code execution. Similarly, when a url tag sets neither value nor action and the upper action has no namespace or uses a wildcard namespace, remote code execution may also be possible. The author reproduced the vulnerability in a self-built environment, including command echo; the script mentioned at the end of the article is what came out of it.
Vulnerability exploitation
The environment built by the author uses Struts2 version 2.3.20 and Struts2 version 2.3.34. Exploitation is roughly divided into three variants: numerical calculation, pop-up calculator and command echo.
2.1 Numerical calculation
Numerical calculation is the simplest case. If you specify %{100,200} in the URL, a redirect occurs and the calculated result appears in the redirect target.
2.2 Pop-up calculator
The POC for version 2.3.20 is as follows:
The POC for version 2.3.34 is as follows:
2.3 Command echo
Both versions use the com.opensymphony.xwork2.dispatcher.HttpServletResponse object to print the echo data after the command executes.
The POC for version 2.3.20 is as follows:
The POC for version 2.3.34 is as follows:
The effect after the attack is as follows:
Vulnerability analysis
Before analyzing the vulnerability, you need to configure the struts.xml file, which is the core configuration file of struts2. Most of the time, you need to control the configuration here.
Two points need attention. First, struts.mapper.alwaysSelectFullNamespace must be set to true, otherwise the vulnerability cannot be triggered; with this setting the mapper treats everything before the last slash of the request URI as the namespace. Second, the type of the result tag must be redirectAction or chain, since only these two result types forward or redirect to an action. For more information about type, see the following figure.
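The configuration check described above, as an added example (my code, not the article's or the Struts project's): it parses a struts.xml and reports every action whose result type is redirectAction or chain inside a package with no namespace or a wildcard namespace, but only when struts.mapper.alwaysSelectFullNamespace is true. The sample struts.xml is constructed for this example; the url-tag variant in JSP pages is not covered.

```python
# Added example (not from the article): audit a struts.xml for the preconditions listed
# above. Assumptions (mine): a package is exposed when its namespace is absent, empty or a
# wildcard; a result is exposed when its type is redirectAction or chain. Sample XML is constructed.
import xml.etree.ElementTree as ET

EXPOSED_RESULT_TYPES = {"redirectAction", "chain"}

SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="help">
      <result type="redirectAction"><param name="actionName">date.action</param></result>
    </action>
  </package>
  <package name="safe" namespace="/safe" extends="struts-default">
    <action name="help">
      <result type="redirectAction"><param name="actionName">date.action</param></result>
    </action>
  </package>
</struts>
"""


def full_namespace_enabled(root):
    """True when the constant the article says is required for triggering is true."""
    for const in root.iter("constant"):
        if const.get("name") == "struts.mapper.alwaysSelectFullNamespace":
            return const.get("value", "").strip().lower() == "true"
    return False


def namespace_is_exposed(ns):
    """A missing, empty or wildcard namespace lets the request URI supply it."""
    return ns is None or ns.strip() == "" or "*" in ns


def audit_struts_xml(xml_text):
    """Return (package, action, result type) triples matching the risky combination."""
    root = ET.fromstring(xml_text)
    if not full_namespace_enabled(root):
        return []
    findings = []
    for pkg in root.iter("package"):
        if not namespace_is_exposed(pkg.get("namespace")):
            continue
        for action in pkg.iter("action"):
            for result in action.findall("result"):
                rtype = result.get("type", "dispatcher")
                if rtype in EXPOSED_RESULT_TYPES:
                    findings.append((pkg.get("name"), action.get("name"), rtype))
    return findings
```

Running audit_struts_xml(SAMPLE_STRUTS_XML) reports only the "default" package; the "safe" package with an explicit namespace is not listed.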
With the configuration done, start the dynamic analysis. The vulnerability is located in struts2-core.jar.
The value of the member this.namespace comes from the getNamespace() method, which returns the URI string through getUriFromActionMapping().
The value obtained through getUriFromActionMapping is assigned to the tmpLocation variable, and the expression then enters the setLocation method.
ServletActionResult is then called through super.execute; stepping into the body of execute reaches the conditionalParse method, which calls translateVariables, the key method for OGNL evaluation.
The obtained Param value is passed into translateVariables(), which eventually leads to the OGNL expression being evaluated in OgnlTextParser.
After the calculator pops up, the value of lastFinalLocation is the handle produced by the evaluation. This value is used as the action address in the redirect response, that is, the URI that appears in the browser's address bar after the calculator pops up.
So much for the analysis of the pop-up calculator. Next, the analysis of the echoed result from command execution. The flow is basically the same as above, except that lastFinalLocation is null, so no 302 redirect is performed after the request: the response stays on the current action and returns 200.
After understanding the principle, my colleague implemented the exp detection script in Python. This script is only for study and research.
Defensive measures
1. Upgrade the framework to the latest official version.
2. For Web applications, try to ensure the security of the code.
3. At the IDS rule level, both the numerical calculation and the pop-up calculator return status code 302, and the Location redirect field contains a characteristic handle string; the command-echo variant returns status code 200 with the command result in the response body.
This concludes the analysis of the S2-057 RCE vulnerability in the two Struts2 versions.
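The IDS idea in measure 3, as an added example (my code, not the article's): it classifies request/response records by the two signals the article names, an OGNL expression marker in the request URI and a 302 whose Location begins with a numeric, evaluated namespace, and treats a 200 after an OGNL marker as a possible command echo. The record layout and the sample traffic are constructed for this example; real WAF/IDS logs differ.

```python
# Added example (not from the article): the IDS idea in the defensive measures,
# run over constructed request/response records. Field layout is my assumption;
# real WAF/IDS logs differ. "%25%7B" and "%24%7B" are URL-encoded "%{" and "${".
import re
from urllib.parse import unquote, urlparse

OGNL_MARKER = re.compile(r"[%$]\{")                  # start of an OGNL expression
NUMERIC_FIRST_SEGMENT = re.compile(r"^/\d+(?:/|$)")  # e.g. /300/... in Location

# Constructed sample traffic: (method, request URI, status, Location header or None)
SAMPLE_RECORDS = [
    ("GET", "/app/actionChain1.action", 200, None),
    ("GET", "/app/%25%7B100%2B200%7D/actionChain1.action", 302, "/300/actionChain1.action"),
    ("GET", "/app/%24%7B1%2B1%7D/help.action", 200, None),
    ("GET", "/app/login.action", 302, "/app/home.action"),
]


def classify(method, uri, status, location):
    """Return the indicators one record triggers (empty list when clean)."""
    hits = []
    decoded = unquote(unquote(uri))  # tolerate single and double URL encoding
    if OGNL_MARKER.search(decoded):
        hits.append("ognl_marker_in_uri")
        # per the article: calculation/calculator variants redirect (302),
        # the command-echo variant stays on the action and answers 200
        if status == 302:
            hits.append("redirect_after_ognl")
        elif status == 200:
            hits.append("possible_command_echo")
    if status == 302 and location and NUMERIC_FIRST_SEGMENT.match(urlparse(location).path):
        hits.append("numeric_namespace_in_location")
    return hits


def scan(records):
    """Map each suspicious request URI to its indicators; clean records are dropped."""
    findings = {}
    for record in records:
        hits = classify(*record)
        if hits:
            findings[record[1]] = hits
    return findings
```

scan(SAMPLE_RECORDS) flags the two records carrying an OGNL marker and leaves the ordinary 302 to /app/home.action alone, which is the false-positive case a plain "302 with Location" rule would hit.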