Struts2 cve-2014-0050 (DoS), cve-2014-0094 (ClassLoader manipulation) s2-20 DoS attacks and ClassLoader manipulation


1. Description
2. Affected Scope
3. Exploit Analysis
4. Principle of Vulnerability
5. Patch Fix

1. Description

0x1: Related Basics

Object is the root class in Java: every object created from any class inherits Object's properties and methods, so the current action, whatever its code, has an Object.getClass() method that returns a Class object, and that Class object in turn has a getClassLoader() method. Every action can therefore reach:

    getClass().getClassLoader()

Every class is given a ClassLoader when the JRE boots. To manage its own boot process, a web container usually implements a custom ClassLoader; in practice each container implements its own ClassLoader, so the environment inevitably differs from container to container.

0x2: root cause of vulnerability

Apache Struts 2.0.0 through 2.3.16 ships a default upload mechanism based on Commons FileUpload 1.3, and its ParametersInterceptor allows access to the 'class' parameter (this parameter maps directly to the getClass() method). This lets an attacker reach the ClassLoader and modify its properties; depending on which ClassLoader attribute is changed, different attack vectors can be derived.


A Java program, whether a CS (client/server) or BS (browser/server) application, is a complete application organized from several .class files. When it runs, its entry function calls the relevant system functions, and these functions are encapsulated in different class files, so one class file frequently has to call a method in another class file; if that other file does not exist, a system exception is thrown. On startup the program does not load every class file it uses at once; instead the Java class loading mechanism (ClassLoader) dynamically loads a class file into memory as the program needs it, so that only a loaded class file can be referenced by other classes. ClassLoader, then, is the component that dynamically loads class files into memory.

0x4: The three ClassLoaders Java provides by default

1. Bootstrap ClassLoader: the startup ClassLoader is the topmost loader in the Java class loading hierarchy and is responsible for loading the core class libraries in the JDK, such as rt.jar, resources.jar and charsets.jar. The following program shows which jar or class files this ClassLoader loaded:

    import java.net.URL;

    // Bootstrap class path as seen by the Sun/Oracle launcher
    URL[] urls = sun.misc.Launcher.getBootstrapClassPath().getURLs();
    for (int i = 0; i < urls.length; i++) {
        System.out.println(urls[i].toExternalForm());
    }

The same result can be obtained from the sun.boot.class.path system property:

    System.out.println(System.getProperty("sun.boot.class.path"));

2. Extension ClassLoader: the extension class loader is responsible for loading the Java extension class library; by default it loads all jars in JAVA_HOME/jre/lib/ext/.

3. App ClassLoader: the system ClassLoader is responsible for loading all jar and class files in the application's classpath directory.

In addition to the three ClassLoaders Java provides by default, users can define their own ClassLoader as needed. Such a custom ClassLoader must inherit from the java.lang.ClassLoader class, as do the two additional ClassLoaders Java provides (Extension ClassLoader and App ClassLoader). Bootstrap ClassLoader, however, does not inherit from ClassLoader, because it is not an ordinary Java class: it is written in C++ and embedded in the JVM kernel. When the JVM starts, Bootstrap ClassLoader starts with it, loads the core class library, and constructs the Extension ClassLoader and App ClassLoader class loaders.


2. Affected Scope

Struts 2.0.0 - 2.3.16

3. Exploit Analysis

0x1: DoS caused by class.classLoader.resources.dirContext.docBase assignment

1. docBase is Tomcat's configuration parameter for the application directory mapping path.
2. If the assigned address does not exist, Tomcat's overall parsing fails.
3. By polluting the ClassLoader, the modified docBase attribute stays active for the lifetime of the current application process (the Tomcat Java process), which achieves the DoS.

Through OGNL parsing, a nonexistent address is assigned to the current application directory:

    http://localhost:8080/s2-xx/index.jsp
    http://localhost:8080/s2-xx/login.action?class.classloader.resources.dircontext.docbase=<nonexistent path>

0x2: Remote Code Execution

The same parameter can point to an arbitrary address. If it points to a mapped directory that the attacker controls, the result is remote code execution. This resembles the common local-variable-overwrite vulnerability in PHP CMSes, where global configuration is hijacked: the user's site configuration parameters are redirected to a hacker-controlled database in order to bypass the login verification logic.

The docBase parameter accepts the address path in three forms:

1. Relative path: relative to the webapps root of the Tomcat directory
2. Absolute path: for example C://
3. UNC path

The UNC mode here is the same in nature as allow_url_include and allow_url_fopen in PHP CMSes.

    http://localhost:8080/s2-xx/login.action?class.classloader.resources.dircontext.docbase=//


4. Principle of vulnerability
5. Patch Fix

0x1: Upgrade Struts2

Upgrade to Struts 2.3.16.1: it ships Commons FileUpload 1.3.1 and excludes the "class" parameter in the ParametersInterceptor configuration of struts-default.xml.

0x2: Workaround: upgrade Commons FileUpload

The fixed Commons FileUpload library is a drop-in replacement for the vulnerable version. Deployed applications can be hardened by replacing the commons-fileupload jar in WEB-INF/lib with the updated jar. For Maven-based Struts 2 projects, add the following dependency, then replace commons-fileupload and restart the Struts2 application to complete the repair:

    <dependency>
        <groupId>commons-fileupload</groupId>
        <artifactId>commons-fileupload</artifactId>
        <version>1.3.1</version>
    </dependency>

0x3: Workaround: exclude the 'class' parameter

Simply add '^class\..*' to the list of excludeParams as shown below. Struts2's vulnerabilities are essentially tied to OGNL and the Action parameter resolution process, so configuring the params interceptor in struts.xml intercepts the attack effectively.

    <interceptor-ref name="params">
        <param name="excludeParams">^class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
    </interceptor-ref>
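To check what the excludeParams list actually rejects, and to look for the 'class.' parameter names described in the root-cause section in existing access logs, here is an added Python example (not from the original post or the Struts project). It assumes the excludeParams list as given in the S2-020 workaround, that Struts matches each Java regex against the whole parameter name (re.fullmatch mirrors that for these patterns), and uses constructed log lines modelled on the URLs above.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The excludeParams list from the struts.xml workaround above. Struts treats
# each entry as a Java regex that must match the whole parameter name;
# re.fullmatch reproduces that behaviour for these patterns.
EXCLUDE_PARAMS = [
    r"^class\..*", r"^dojo\..*", r"^struts\..*", r"^session\..*",
    r"^request\..*", r"^application\..*", r"^servlet(Request|Response)\..*",
    r"^parameters\..*", r"^action:.*", r"^method:.*",
]
EXCLUDE_RE = [re.compile(p) for p in EXCLUDE_PARAMS]

def is_excluded(name):
    """True if the params interceptor would drop this parameter name."""
    return any(r.fullmatch(name) for r in EXCLUDE_RE)

def filter_params(query):
    """Split a query string into (accepted params, rejected parameter names)."""
    accepted, rejected = {}, []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if is_excluded(name):
            rejected.append(name)
        else:
            accepted[name] = value
    return accepted, rejected

def scan_access_log(lines):
    """Return (line number, rejected names) for each request whose query
    carries an excluded parameter, e.g. the docBase manipulation above."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if m:
            _, rejected = filter_params(urlsplit(m.group(1)).query)
            if rejected:
                hits.append((lineno, rejected))
    return hits

# Constructed sample access-log lines (not real traffic), modelled on the URLs above.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2014:10:00:00 +0000] "GET /s2-xx/index.jsp HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Mar/2014:10:00:01 +0000] "GET /s2-xx/login.action?username=bob&remember=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Mar/2014:10:00:02 +0000] "GET /s2-xx/login.action?class.classloader.resources.dircontext.docbase=/nonexistent HTTP/1.1" 500 0',
]
```

Running scan_access_log(SAMPLE_LOG) flags only the third line, while the ordinary login parameters on the second line pass the filter untouched.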


Copyright (c) Little5ann All rights reserved
