Struts2 S2-029 Remote Code Execution Vulnerability

Source: Internet
Author: User


0x01 Struts2 Tag Library
The Struts2 tag library uses OGNL expressions to access object data held in the ActionContext. To make the variables in the ActionContext reachable, Struts2 sets the ActionContext as the OGNL context and registers the objects to be accessed in it.
In Struts2, the following tag calls OGNL to obtain a value:
<p>parameters: <s:property value="#parameters.msg"/></p>
Struts2 parses the value attribute and evaluates it as an OGNL expression, which returns the msg attribute of the parameters object.
S2-029 still relies on OGNL for remote code execution.
0x02 Trigger Path
If the Struts2 web application does not filter data submitted by the user and that data ends up as the attribute value of a Struts2 tag, Struts2 evaluates it directly.

When the page is rendered, the attribute value is passed to OgnlValueStack for evaluation.

The OGNL expression is converted into an AST syntax tree, and before execution an isAccessible security check (MemberAccess) is performed on each branch of the tree.
Earlier Struts2 remote code execution PoCs generally worked by modifying allowStaticMethodAccess or by creating a ProcessBuilder object:
#_memberAccess["allowStaticMethodAccess"]=true
new java.lang.ProcessBuilder(new java.lang.String[]{'cat','/etc/passwd'}).start()
However, the OGNL shipped in the xwork that Struts bundles has strengthened security checks:

allowStaticMethodAccess is now a final attribute.
excludedClasses adds a blacklist:
[interface ognl.ClassResolver, class java.lang.Runtime, class java.lang.ClassLoader, class com.opensymphony.xwork2.ActionContext, interface ognl.MemberAccess, class java.lang.Object, class ognl.OgnlContext, class java.lang.Class, class java.lang.Shutdown, class java.lang.System, interface ognl.TypeConverter]
excludedPackageNamePatterns also adds a blacklist:
[^java\.lang\..*, ^(?!javax\.servlet\..+)(javax\..+), ^ognl.*]
In our tests, parameters such as allowPrivateAccess, allowProtectedAccess, excludedClasses, excludedPackageNamePatterns, acceptProperties, and excludeProperties can still be modified.

Once allowPrivateAccess has been modified, if a variable whose type matches an entry in excludedClasses can be found in the OGNL context, pointing excludedClasses at a new object may bypass the protection provided by _memberAccess.
0x03 Conclusion
As a widely used web framework, Struts2 has had security issues surface again and again. To stay secure, do not trust any user-submitted data in business processing; filter it strictly. It is also advisable to add a filter blacklist at the OGNL execution entry point and to update Struts to 2.3.25 promptly.
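As an added illustration of the request-side blacklist the conclusion recommends (example code written for this page, not from the article or the Struts project): it URL-decodes each query parameter and flags values that assign any of the SecurityMemberAccess fields listed above, or that name a class matching the excludedClasses and excludedPackageNamePatterns entries quoted above. The function names ognl_findings and scan_query are hypothetical, and the sample query strings checked in the test are constructed.

```python
import re
from urllib.parse import parse_qsl

# SecurityMemberAccess fields the article reports as still writable through
# #_memberAccess in affected versions; any assignment to them is a red flag.
MEMBER_ACCESS_FIELDS = frozenset((
    "allowStaticMethodAccess", "allowPrivateAccess", "allowProtectedAccess",
    "excludedClasses", "excludedPackageNamePatterns",
    "acceptProperties", "excludeProperties",
))

# The excludedPackageNamePatterns and excludedClasses entries quoted in the
# article, reused here as a request-side blacklist (constructed example).
EXCLUDED_PACKAGE_PATTERNS = [
    re.compile(r"^java\.lang\..*"),
    re.compile(r"^(?!javax\.servlet\..+)(javax\..+)"),
    re.compile(r"^ognl.*"),
]
EXCLUDED_CLASSES = frozenset({
    "java.lang.Runtime", "java.lang.ClassLoader", "java.lang.Object",
    "java.lang.Class", "java.lang.Shutdown", "java.lang.System",
    "com.opensymphony.xwork2.ActionContext", "ognl.OgnlContext",
    "ognl.ClassResolver", "ognl.MemberAccess", "ognl.TypeConverter",
})

# Dotted Java class names, and #_memberAccess[...] / #_memberAccess.x accesses.
CLASS_NAME_RE = re.compile(r"\b([a-z][a-z0-9]*(?:\.[A-Za-z_$][\w$]*)+)")
MEMBER_ACCESS_RE = re.compile(r"#?_memberAccess\s*(?:\[\s*['\"]?(\w+)|\.(\w+))")

def ognl_findings(text: str) -> list:
    """Reasons an already URL-decoded parameter looks like OGNL tampering."""
    findings = []
    for m in MEMBER_ACCESS_RE.finditer(text):
        field = m.group(1) or m.group(2)
        if field in MEMBER_ACCESS_FIELDS:
            findings.append(f"writes SecurityMemberAccess.{field}")
    for name in CLASS_NAME_RE.findall(text):
        if name in EXCLUDED_CLASSES or any(p.match(name) for p in EXCLUDED_PACKAGE_PATTERNS):
            findings.append(f"references excluded class {name}")
    return findings

def scan_query(query: str) -> dict:
    """Check each name and value in a raw query string; returns {param: findings}."""
    hits = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        findings = ognl_findings(key) + ognl_findings(value)
        if findings:
            hits[key] = findings
    return hits
```

Legitimate servlet types such as javax.servlet.http.HttpServletRequest pass because the page's javax pattern explicitly exempts javax.servlet, so the check can sit in a request filter without blocking normal traffic.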