Analysis of STRUTS2 s2-052 Vulnerability

Source: Internet
Author: User
0x00 Debugging Environment Setup

Use the official rest-showcase sample: download the 2.5.12 source from https://github.com/apache/struts/archive/STRUTS_2_5_12.zip, then take the rest-showcase source code from the apps directory.

Create a new Maven project in Eclipse; web.xml, pom.xml and struts.xml are as follows:

pom.xml

<!-- struts2 dependency -->
<dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-core</artifactId>
    <version>2.5.12</version>
</dependency>
<!-- struts restful dependencies -->
<dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-convention-plugin</artifactId>
    <version>2.5.12</version>
</dependency>
<dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-rest-plugin</artifactId>
    <version>2.5.12</version>
</dependency>
struts.xml (src/main/resources/)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <!-- Override the convention plugin defaults -->
    <constant name="struts.convention.action.suffix" value="Controller"/>
    <constant name="struts.convention.action.mapAllMatches" value="true"/>
    <constant name="struts.convention.default.parent.package" value="rest-default"/>
    <constant name="struts.convention.package.locators" value="action"/>
    <constant name="struts.convention.result.path" value="/WEB-INF/"/>
</struts>

Copy the remaining action and JSP files into the corresponding directories of the Maven project, right-click to start the project, and the application is reachable in the browser at http://127.0.0.1:8080/struts2-052/orders. The debugging environment is now set up.


0x01 Vulnerability Analysis

According to the vulnerability discovery article https://lgtm.com/blog/apache_struts_CVE-2017-9805, the problem lies in something called ContentTypeHandler.

Search for this string in the 2.5.12 source code:

struts-plugin.xml configures a number of beans, each keyed by Content-Type and naming one specific handler for it. All of these handlers implement the ContentTypeHandler interface.

Description from the API doc:

Handles transferring content to and from objects for a specific content type

So ContentTypeHandler hands the request data to a specific implementation chosen by the Content-Type; what that implementation does with the data depends on the subclass. Take XStreamHandler as an example:

This is the transformation between XML and Java objects, known more formally as "marshal" and "unmarshal". This is not the first time such a conversion has led to command execution: JSON conversion libraries such as Fastjson and Jackson have had the same class of vulnerability.

This time it is the XML object conversion in Struts2. The vulnerability is triggered in the toObject method of XStreamHandler: set a breakpoint on that line, run the PoC, and the breakpoint is hit.

Let's look at the call stack:


In RESTful mode, routing to the action goes through the REST plugin code: the XStreamHandler method is invoked from the ContentTypeInterceptor class. Let's look at the intercept method one frame up the stack:


It first reads the ContentType from the HttpServletRequest, and it is easy to see that the request's byte stream is handed to the handler matching that Content-Type. When the ContentType is application/xml,

it is naturally dispatched to the XStreamHandler class, which performs no validation and converts the input directly. The marshalsec tool can be used to generate a payload.

(1) Download the source: https://github.com/mbechler/marshalsec

(2) Compile with Maven: mvn clean package -DskipTests

(3) Go to the target directory, find the jar file, and run:

java -cp marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.XStream ImageIO "calc" > 1.txt

The resulting XML is then sent to struts2-rest with the Content-Type set to XML, and the payload is triggered. When the command contains spaces, submit multiple <string> nodes.
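A hardened counterpart of the handler described above, as an added example that is not code from the Struts project: the XStream instance first denies every type and then re-allows only the types the API actually exchanges, so an element naming any other class is rejected before an instance of it is created. The SafeXmlHandler class, its Order bean and an XStream 1.4.7 or later classpath are assumptions.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import java.io.Reader;
import java.io.StringReader;
import java.util.Collection;
import java.util.Map;

// Added example, not the Struts project's code. Assumes XStream 1.4.7+ on the classpath.
public class SafeXmlHandler {
    // Hypothetical model class standing in for the rest-showcase Order bean.
    public static class Order {
        public String clientName;
        public int amount;
    }
    private final XStream xstream = createXStream();
    private static XStream createXStream() {
        XStream xs = new XStream();
        xs.alias("order", Order.class);
        // Deny every type first, then re-allow only what the API exchanges. Without this,
        // XStream resolves any element name to a class, which the unvalidated toObject leaves open.
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypeHierarchy(Collection.class);
        xs.allowTypeHierarchy(Map.class);
        xs.allowTypes(new Class[] { String.class, Order.class });
        return xs;
    }
    // Counterpart of ContentTypeHandler.toObject: unmarshal the request body.
    public Object toObject(Reader in, Object target) {
        return xstream.fromXML(in, target);
    }
    public static void main(String[] args) {
        SafeXmlHandler h = new SafeXmlHandler();
        // Constructed body of an allowed type: unmarshals normally.
        Order o = (Order) h.toObject(new StringReader(
            "<order><clientName>alice</clientName><amount>3</amount></order>"), new Order());
        System.out.println(o.clientName + " " + o.amount);
        // Constructed body naming a type outside the allow-list: rejected before instantiation.
        try {
            h.toObject(new StringReader("<java.util.Date>0</java.util.Date>"), null);
        } catch (ForbiddenClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```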

0x02 Further Reading

How execution gets from XML to a command is the subject of a paper by Moritz Bechler, marshalsec.pdf at https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf, released together with the marshalsec tool.

Here we only analyze the cause of the vulnerability in Struts2; for an in-depth understanding of the XML-to-RCE process, read that paper carefully.

Reference

https://lgtm.com/blog/apache_struts_CVE-2017-9805
