Catalog
1. Description
2. Affected Scope
3. Exploit Analysis
4. Principle of Vulnerability
5. Patch Fix
1. Description
OGNL provides, among other features, extensive expression evaluation capabilities.
A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into a property, which was afterwards used as a request parameter of a redirect address, causing a further evaluation.
OGNL evaluation was already addressed in S2-003, S2-005 and S2-009, but since those issues involved only the parameter's name, it turned out that the resulting fixes, based on whitelisting acceptable parameter names and denying evaluation of the expression contained in parameter names, closed the vulnerability only partially.
The second evaluation happens when the redirect result reads the value from the stack and uses the previously injected code as a redirect parameter.
This lets malicious users put arbitrary OGNL statements into any unsanitized String variable exposed by an action and have it evaluated as an OGNL expression, enabling method execution and the execution of arbitrary methods, bypassing the Struts and OGNL library protections.
2. Affected Scope
Struts 2.0.0 - 2.3.
3. Exploit Analysis
0x1: PoC
http://localhost:8080/s2-xx/login.action?skillname=%{(#_memberAccess['allowstaticmethodaccess']=true)(#context['xwork.methodaccessor.denymethodexecution']=false) #[email protected] @getResponse (). Getwriter (), #hackedbykxlzx. println ('hacked by kxlzx'), # Hackedbykxlzx.close ())}
Relevant Link:
http://struts.apache.org/docs/s2-012.html
4. Principle of Vulnerability
An OGNL expression can be referenced in Struts2 as ${expr} or %{expr}. When an action's configuration contains ${input} or %{input} and that input comes from the outside (a request parameter), a value of the form %{exp} supplied by the client is evaluated a second time when the result is built, resulting in arbitrary code execution.
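As an added example (not code from the original post or from the Struts project), a small access-log check a defender could run to spot attempts at this OGNL double evaluation. The marker list is taken from the PoC above; the log lines and the `skillName` parameter are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Markers that appear in OGNL double-evaluation payloads such as the S2-012 PoC.
OGNL_MARKERS = [
    r"[%$]\{",                 # start of an OGNL expression, %{...} or ${...}
    r"#_memberAccess",         # tampering with the OGNL member-access sandbox
    r"allowStaticMethodAccess",
    r"denyMethodExecution",
    r"@[\w.]+@",               # static class reference, e.g. @java.lang.Runtime@
]
MARKER_RE = re.compile("|".join(OGNL_MARKERS), re.IGNORECASE)

# Request line inside a Combined Log Format entry: "GET /path?query HTTP/1.1"
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def suspicious_ognl(request_target: str) -> list[str]:
    """Return the distinct (lower-cased, sorted) marker hits in a request target.

    The target is URL-decoded twice so that a payload encoded a second time
    (e.g. %2525%257B for %{) is still caught by the plain string match.
    """
    decoded = unquote_plus(unquote_plus(request_target))
    return sorted({m.group(0).lower() for m in MARKER_RE.finditer(decoded)})

def scan_access_log(lines):
    """Yield (line_number, hits) for each access-log line carrying OGNL markers."""
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        hits = suspicious_ognl(m.group("path"))
        if hits:
            yield n, hits

# Constructed sample log: one benign request, one encoded sandbox-tampering
# attempt (the opening of the PoC above), one bare ${...} probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2013:12:00:01 +0000] "GET /s2-xx/login.action?skillName=alice HTTP/1.1" 302 0',
    '10.0.0.9 - - [10/Jun/2013:12:00:02 +0000] "GET /s2-xx/login.action?skillName=%25%7B(%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue) HTTP/1.1" 302 0',
    '10.0.0.9 - - [10/Jun/2013:12:00:03 +0000] "GET /s2-xx/login.action?skillName=$%7Bfoo%7D HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, hits in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```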
5. Patch Fix
0x1: Upgrade Struts2
The fixed version is 2.3.14.1, which contains the corrected OGNL and XWork libraries. // The OgnlUtil class is changed to deny eval expressions by default.
Relevant Link:
Copyright (c) Little5ann All rights reserved
Struts2 cve-2013-1965 s2-012 Showcase App Vulnerability allows remote command execution