Struts2 S2-029 Remote Code Execution Vulnerability

Struts2 S2-029 Remote Code Execution Vulnerability

0 × 01 Struts2 tag Library
The tag library of Struts2 uses the OGNL expression to access the object data in ActionContext. To access the variables in the ActionContext, Struts2 sets the ActionContext as the OGNL context and adds the OGNL and object to the ActionContext.
In Struts2, the following tag calls OGNL for value.
P> parameters: s: property value = "# parameters. msg"/> p>
Struts2 parses the value and runs it as an OGNL expression to obtain the msg attribute of the parameters object.
S2-029 still relies on OGNL for remote code execution.
0 × 02 trigger path
If the Struts2 web application does not filter the data submitted by the user, it is executed by Struts2 directly by setting the Struts2 tag to the attribute value.

If the page is rendered, it will be passed to OgnlValueStack for execution.

The OGNL expression is converted to the AST syntax tree. The Accessible security check is performed on each branch of the syntax tree before execution.
The previous Struts2 Remote Code Execution poc is generally performed by modifying StaticMethodAccess or creating a ProcessBuilder object.
# _ MemberAccess ["allowStaticMethodAccess"] = true
New java. lang. ProcessBuilder (new java. lang. String [] {'cat', '/etc/passwd'}). start ()
However, the OGNL in Struts-encapsulated xwork has enhanced security verification.

The final attribute of allowStaticMethodAccess.
ExcludedClasses adds a disabled list.
[Interface ognl. classResolver, class java. lang. runtime, class java. lang. classLoader, class com. opensymphony. xwork2.ActionContext, interface ognl. memberAccess, class java. lang. object, class ognl. ognlContext, class java. lang. class, class java. lang. shutdown, class java. lang. system, interface ognl. typeConverter]
ExcludedPackageNamePatterns also adds a disabled list.
[^ Java \. lang \ .. *, ^ (?! Javax \. servlet \... +) (javax \... +), ^ ognl. *]
In our tests, parameters such as allowPrivateAccess, allowProtectedAccess, excludedClasses, excludedPackageNamePatterns, acceptProperties, and excludeProperties can still be modified.

After allowPrivateAccess is modified, if a variable that matches the excludedClasses type can be found in the OGNL context, pointing excludedClasses to a new object may bypass the protection of _ memberAccess.
0 × 03 ended
As a widely used Web framework, Struts2 security issues have always emerged. In order to ensure security, you should not trust any data submitted by users in business processing, so as to filter the data securely. It is best to add a filter blacklist to the Ognl execution portal and update Struts to 2.3.25 in a timely manner.