
Example Analysis of Struts2-052 vulnerability

2025-04-03 Update From: SLTechnology News&Howtos (Network Security)


Shulou (Shulou.com) 05/31 Report

This article walks through the Struts2-052 vulnerability in detail with a worked example: the root cause, a debugging session through the vulnerable code path, reproduction, and the official fix. It is shared as a reference; after reading it you should have a working understanding of the relevant knowledge.

Preface

On September 5, 2017, Apache officially disclosed a serious vulnerability in Apache Struts 2 that had been discovered by security researchers at lgtm.com, a foreign security research organization. The vulnerability number is CVE-2017-9805 (S2-052). An attacker can submit carefully constructed XML data and achieve remote command execution.

The XStream component used by the Struts 2 REST plugin has a deserialization vulnerability. When the XStream component deserializes a request body in XML format, the content is not effectively validated, so the type named in the XML is instantiated as-is; this allows remote command execution.

Exploitation conditions: the REST plugin is in use and the Struts version is within the affected range.

Exploitation method: an attacker constructs a malicious request and exploits the flaw remotely.

Affected versions: Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12

Debug environment setup

1) Download the official source code:

git clone https://github.com/apache/Struts.git

2) Switch to Branch 2.5.12:

git checkout STRUTS_2_5_12

3) Copy the src/apps/rest-showcase folder and create a new project from it

4) Import the Maven project with IDEA or Eclipse

5) Run the project in debug mode; you can then start debugging

Analysis of the vulnerability principle

According to the official announcement, the vulnerability is in the XStreamHandler class, in the struts2-rest-plugin-2.5.12.jar package.

Looking at this class, it has a toObject method that deserializes XML content.

Set a breakpoint inside this method and then construct the request.

After the request is sent, execution stops at the breakpoint. Looking at the upper frames of the call stack, you can see that ContentTypeInterceptor called this method.

The intercept method in the ContentTypeInterceptor class creates a handler object according to the value of the incoming Content-Type header. Since we send application/xml, the XML handler object, XStreamHandler, is created.

Continuing with F5 (step into), we reach the unmarshal function, which performs the deserialization without any security check on the data, leading to remote command execution.

Stepping into unmarshal and continuing to debug, AbstractReflectionConverter parses the XML tags and values we submitted step by step, and finally invokes the code in the PoC.

Vulnerability reproduction

On the page http://localhost:8080//struts2-rest-showcase/orders/3/edit, click Submit,

intercept the HTTP request, replace the request body with the PoC payload, and change the Content-Type header to application/xml.

The payload is:

0 false 0 /Applications/Calculator.app/Contents/MacOS/Calculator false java.lang.ProcessBuilder start foo foo false 0 0 false false 0

After the request is sent, Calculator pops up.

Patch

The official fix mainly adds a whitelist for the types that may appear in the XML: Collection and Map, some basic classes, and the time classes are placed on the whitelist, so that the XStream deserialization process cannot be steered into harmful classes.
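To make the difference concrete, here is an added example (not code from the Struts project or from this article) showing an XStream instance with no type restrictions beside one configured with an explicit allowlist in the spirit of the fix described above. The Order class, the element names and the two sample XML documents are constructed for the illustration; java.io.File is used only as a harmless stand-in for "a class the application never asked to deserialize".

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.io.xml.StaxDriver;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;
import java.util.Date;
import java.util.Map;

/*
 * Added illustration, not Struts project code: an unrestricted XStream
 * instance next to one with an explicit type allowlist.
 */
public class XStreamAllowlistDemo {

    /** Hypothetical model type standing in for what the application really accepts. */
    public static class Order {
        public String clientName;
        public int amount;
    }

    /**
     * Pre-fix behaviour on XStream releases before 1.4.18: no permissions are
     * configured, so whatever class name appears in the XML gets instantiated.
     */
    public static XStream createUnrestrictedXStream() {
        XStream xs = new XStream(new StaxDriver());
        xs.alias("order", Order.class);
        return xs;
    }

    /** Deny everything by default, then allow only the types the application needs. */
    public static XStream createRestrictedXStream() {
        XStream xs = new XStream(new StaxDriver());
        xs.addPermission(NoTypePermission.NONE);              // clear all default permissions
        xs.addPermission(NullPermission.NULL);                // <null/> elements
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ...
        xs.allowTypeHierarchy(Collection.class);              // lists, sets
        xs.allowTypeHierarchy(Map.class);                     // maps
        // basic classes, a time class, and the application's own model type
        xs.allowTypes(new Class[] { String.class, Date.class, Order.class });
        xs.alias("order", Order.class);
        return xs;
    }

    /** Deserialize and report whether the allowlist rejected the document. */
    public static String tryDeserialize(XStream xs, String xml) {
        try {
            Object o = xs.fromXML(xml);
            return "accepted: " + o.getClass().getName();
        } catch (ForbiddenClassException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample documents: one legitimate order, one naming a class
        // the application never intended to deserialize.
        String legitimate = "<order><clientName>Alice</clientName><amount>3</amount></order>";
        String unexpected = "<java.io.File>/tmp/x</java.io.File>";

        XStream open = createUnrestrictedXStream();
        XStream locked = createRestrictedXStream();

        System.out.println("unrestricted, legitimate: " + tryDeserialize(open, legitimate));
        System.out.println("unrestricted, unexpected: " + tryDeserialize(open, unexpected));
        System.out.println("restricted,   legitimate: " + tryDeserialize(locked, legitimate));
        System.out.println("restricted,   unexpected: " + tryDeserialize(locked, unexpected));
    }
}
```

The first instance accepts both documents, which is exactly the property the attack relies on: the XML, not the application, decides which class is constructed. The second instance accepts the Order but throws ForbiddenClassException for the unexpected type before any constructor or converter runs. The same pattern (start from NoTypePermission.NONE and add back what is needed) is how to harden any XStream usage, not only the Struts REST plugin; recent XStream releases (1.4.18 and later) enable an allowlist by default, but an application should still declare its own permitted types explicitly.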

Repair suggestions

Versions 2.3.0 to 2.3.33: upgrade to Struts 2.3.34

Versions 2.5.0 to 2.5.12: upgrade to Struts 2.5.13

That concludes this example analysis of the Struts2-052 vulnerability. I hope the above content is of some help and lets you learn something new. If you found the article useful, please share it so that more people can see it.
