Struts2: analysis of the recent batch of mass-produced vulnerabilities

Source: Internet
Author: User
Tags: urlencode

This may be due to a communication problem, which led the Struts2 officials to a misunderstanding of the S2-012 vulnerability I submitted: the name I submitted described it as a vulnerability in a Struts2 example application, but Struts2 patched it as a framework vulnerability. And this S2-012 unexpectedly set off a whole chain of events.
Frankly, I am quite annoyed to be publishing this article. Anyone who holds a 0day, sits on it for half a day and then sees it released by someone else would be annoyed. The S2-012 vulnerability I released at XCon last year is in fact similar to another Struts2 vulnerability. In Struts2, the user input the framework receives includes, beyond parameter names and values, other places such as the file name. This vulnerability lies in how Struts2 parses the file name in the URL, which leads to OGNL code execution.
There are a few technical details in between; the analysis follows.
The enableOGNLEvalExpression scam
Seeing this word in the vulnerability bulletin, it is easy to think that Struts2 killed OGNL expressions outright and could end everything by choosing to. In fact, this prohibition is only one of the OGNL evaluation paths, and that invocation is only called in the S2-013 code path.
Struts2 has another piece of code that is what really defends against this vulnerability.

The class org.apache.struts2.views.util.DefaultUrlHelper:

As originally written, the code calls translateAndEncode, which invokes OGNL execution; its logic includes both the OGNL translate step and the URL-encode step.

    // Pre-patch: both the parameter name and value pass through translateAndEncode,
    // which evaluates OGNL before URL-encoding.
    private String buildParameterSubstring(String name, String value) {
        StringBuilder builder = new StringBuilder();
        builder.append(translateAndEncode(name));
        builder.append('=');
        builder.append(translateAndEncode(value));
        return builder.toString();
    }

After the patch this is changed to just URL-encoding; OGNL is no longer evaluated here. This has nothing to do with enableOGNLEvalExpression.

    // Post-patch: encode only; the name and value are never handed to OGNL.
    private String buildParameterSubstring(String name, String value) {
        StringBuilder builder = new StringBuilder();
        builder.append(encode(name));
        builder.append('=');
        builder.append(encode(value));
        return builder.toString();
    }
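To make the difference between the two variants above concrete, here is an added example that is not code from the page or from the Struts2 project. It contrasts the "translate, then encode" shape with the "encode only" shape. The translate() here is a deliberately tiny stand-in that only resolves ${name} against a map (the real framework evaluated full OGNL, which is far more powerful); the class and method names (ParamHelperDemo, translate, vulnerableSubstring, fixedSubstring) and the context values are this example's own assumptions.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class ParamHelperDemo {
    private static final Pattern VAR = Pattern.compile("\\$\\{([^}]+)\\}");

    /** Stand-in for the framework's variable translation: ${key} becomes the context value. */
    static String translate(String input, Map<String, String> context) {
        Matcher m = VAR.matcher(input);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = context.get(m.group(1));
            m.appendReplacement(out, Matcher.quoteReplacement(value == null ? "" : value));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Plain URL-encoding; the only transformation the patched code applies. */
    static String encode(String s) {
        try {
            return URLEncoder.encode(s, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Pre-patch shape: evaluate user-supplied text, then encode the result. */
    static String vulnerableSubstring(String name, String value, Map<String, String> context) {
        return encode(translate(name, context)) + "=" + encode(translate(value, context));
    }

    /** Patched shape: encode only; user text is never evaluated. */
    static String fixedSubstring(String name, String value) {
        return encode(name) + "=" + encode(value);
    }

    public static void main(String[] args) {
        // Constructed context standing in for server-side state the expression engine can see.
        Map<String, String> context = new HashMap<>();
        context.put("session.token", "constructed-secret-value");
        // A parameter value under the caller's control that carries an expression.
        String name = "redirect";
        String value = "${session.token}";
        System.out.println("before: " + vulnerableSubstring(name, value, context));
        System.out.println("after:  " + fixedSubstring(name, value));
    }
}
```

Running it shows the pre-patch path substituting the context value into the generated URL, while the patched path emits the ${...} text percent-encoded and unevaluated. The same boundary is what the rest of this article is about: any place where raw request data reaches the expression engine is an input point.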

I had not looked at the content, only at the change in the method name, and felt I could go to sleep in peace without following up.
The allowStaticMethodAccess scam
allowStaticMethodAccess is the standard ingredient of Struts2 PoCs; it has been there since the very first PoC.
On May 27, 2013, that is, a few days ago (you can see it for yourselves in the svn log), Struts2 did a very sneaky thing: it deleted the following code:

    // Setter removed by the change; without it the property can no longer be assigned from OGNL.
    public void setAllowStaticMethodAccess(boolean allowStaticMethodAccess) {
        this.allowStaticMethodAccess = allowStaticMethodAccess;
    }

This action directly leads to one result: when the OGNL in a PoC later executes

#_memberAccess["allowStaticMethodAccess"]=true

there will be an error, because there is no setter method.
That would seem to end everything: even when new OGNL vulnerabilities appear, you cannot write this statement. But I can get around it, and below is an example using the S2-015 vulnerability.
Griping about the Struts2 framework's S2-015
The publication of this vulnerability in fact released several vulnerabilities together, including S2-015 and S2-012. The specific address is

Https://communities.coverity.com/blogs/security/2013/05/29/struts2-remote-code-execution-via-ognl-injection

It is very detailed; some colleagues think his analysis is better than mine, so I will not write a translation. Go and read it.
Thinking about it afterwards, my guess is that the foreigner may have run into S2-012, which prompted the release of the article; of course this is only my personal speculation.
The publisher held two 0days; unfortunately I also have these same two 0days. One I released at XCon last year and then submitted to the officials, but he did not know, because the officials did not publicly fix it until this year.
A few days ago the officials suddenly publicly fixed the 0day I had released; the foreigner saw S2-012 and may also have been very annoyed, because this vulnerability is exactly the same as the 0day he had analyzed, so in a fit he published the other 0day together with it in one article. As you can see, the publisher released directly on his blog before the officials had received the report and started patching.
The trigger code for this vulnerability looks very much like S2-012's, so anyone who understands S2-012 can associate it with this 0day and easily test it out; I had also seen similar usage and found it by testing. I believe many vulnerabilities are found under similar circumstances. Maybe it is not even in our hands, yet you are still very annoyed.
S2-015's PoC in the foreigner's article is as follows:

Http://127.0.0.1:8080/struts2-blank/example/$%7b%23context[' Xwork. Methodaccessor.denymethodexecution ']=%21%28%23_memberaccess[' allowstaticmethodaccess ']=true%29,%28@ Java.lang.runtime@getruntime%28%29%29.exec%28 ' touch%20aaa '%29.waitfor%28%29%7d.action/

Because #_memberAccess["allowStaticMethodAccess"]=true appears in the PoC, the publisher mentions that upgrading to S2-014 mitigates it.
In fact the publisher misunderstood, but the Struts2 developers did not misunderstand, so they hurriedly released S2-015.
But if nobody says so, you will still find that after S2-014 the PoC no longer works and, as the foreigner's article says, be relieved. So how does one make it work?
A little trick in OGNL PoCs
The meaning of this setting is whether static methods are allowed to execute, and the official prohibition on modifying it means static methods can never be executed.
Because @java.lang.Runtime@getRuntime() in the PoC is actually a static method call, enabling static access matters there; but that is just one way of writing the Java code.
We can use another notation to circumvent this restriction.

By Empty Prodigal Heart (kxlzx), http://www.inbreak.net, Weibo: http://t.qq.com/javasecurity

    (new java.lang.ProcessBuilder('calc')).start()

In this code no static method is invoked; it just creates a new object and then calls one of its instance methods, so allowStaticMethodAccess is not needed, and the effect is the same as executing a system command.
This little trick can do a lot of things.
1. It can bypass certain WAFs; I will not tell you which, lest you use it to cheat for bounties.
2. It can pave the road for new OGNL code: when a new 0day comes, we should not find ourselves unable to write a PoC because of this.
The fix for S2-015
Simply put, there is no research value here. This patch officially restricts action names, which may only match

[a-z]*[a-z]*[0-9]*[.\-_!/]*
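Below is an added example (not code from the page or from the Struts2 project) showing how an action name would be validated against the pattern quoted above before it reaches the mapper, with the caveat a practitioner should check before adopting such a pattern. The class and method names (ActionNameCheck, isAllowed) and the sample names are this example's own; the regular expression is the page's, verbatim.

```java
import java.util.regex.Pattern;

public final class ActionNameCheck {
    // The page's pattern, verbatim. As written it accepts lowercase letters, then digits,
    // then the symbols . - _ ! / in that order only: "login!submit" and camel-case
    // "helloWorld" do not match, while the empty string does. Verify any such pattern
    // against the real action names of your application before enforcing it.
    private static final Pattern ALLOWED = Pattern.compile("[a-z]*[a-z]*[0-9]*[.\\-_!/]*");

    /** Whole-string match: anything containing $, {, %, # or whitespace is rejected. */
    public static boolean isAllowed(String actionName) {
        return actionName != null && ALLOWED.matcher(actionName).matches();
    }

    public static void main(String[] args) {
        // Constructed samples: ordinary action names plus an expression-shaped name
        // of the kind the PoC above smuggles in through the URL path.
        String[] samples = {"login", "order2", "login!submit", "helloWorld", "${#context}"};
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "accept " : "reject ") + s);
        }
    }
}
```

The useful property of a whitelist like this is that an expression cannot be spelled without at least one of `$`, `{`, `#`, `@` or `%`, none of which the character classes admit; the cost, as the comment notes, is that a pattern this narrow can also reject legitimate names, so it needs checking against the application's own action set.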

Summary of the OGNL expression input points seen in Struts2
1. Request parameter name
2. Request parameter value
3. Request file name
4. Request cookie name
5. Response body
Miserable: it seems that apart from the basic HTTP headers, there is not much left. A popular framework that allows remote code execution in so many places is really hard on Struts developers.
I would also ask the students who use Struts: how have you gotten through these years?
At Alibaba I often analyze Struts2 vulnerabilities and then send out a report, sometimes a 0day; every project then has to be patched, and finally, when the official patch is released, we reassess whether to update back. This leads us to often persuade developers not to use this framework, especially at the initial review of a project: on finding Struts2 we recoil and say a great many words to scare the developers.
Under this trend I no longer want to gamble on this thing and decided to launch a virtual patch. As for Ali's real plan I certainly cannot tell you, but I can talk about the idea.
Unified defence programme
First, upgrade to the latest version.
In the OGNL language itself, add intercept code; once a dangerous call is found, kill it directly.
The principle of the code is: before OGNL executes, inspect the statement, and if it contains blacklisted code, kill it. In theory, developers would not write their own OGNL to manipulate files or execute commands; they only take a value from the session or a value on the page.
Override the ognl.Ognl class and add the following code:

    // Inside class ognl.Ognl (same package as OgnlParser), so only java.io.StringReader needs importing.
    public static Object parseExpression(String expression) throws OgnlException {
        // Hacked by kxlzx (Empty Prodigal Heart) http://www.inbreak.net Weibo: http://t.qq.com/javasecurity
        // ...
        // Below is the blacklist. Search for dangerous Java code yourself and add it to the list;
        // if you can't, look at a few webshells. I certainly will not tell you the list used inside Ali.
        String evalMethod[] = {"Runtime", "new File"};
        String methodString = expression.toLowerCase();
        for (int i = 0; i < evalMethod.length; i++) {
            if (methodString.indexOf(evalMethod[i].toLowerCase()) > -1) {
                // Log is the author's own security logging helper, not part of OGNL.
                Log.securityLog(Log.getInfo() + "| OGNL executing malicious statement | " + methodString
                        + " | If you see this message, please contact the security engineer ...", "4700012@qq.com");
            }
        }
        try {
            OgnlParser parser = new OgnlParser(new StringReader(expression));
            return parser.topLevelExpression();
        } catch (ParseException e) {
            throw new ExpressionSyntaxException(expression, e);
        } catch (TokenMgrError e) {
            throw new ExpressionSyntaxException(expression, e);
        }
    }
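As an added example in the spirit of the override above (this is not the page's code and not Alibaba's production list), here is a stand-alone guard that can be called before OgnlParser is constructed. Where the page's snippet logs a hit, this one also refuses the expression, which is what "kill it" in the description amounts to; it lowercases and strips whitespace before matching so that case and spacing changes do not hide a listed token. The class and method names (OgnlGuard, findDeniedToken, check), the deny list and the sample expressions are this example's own; the sample expressions are the call shapes already discussed on this page.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

public final class OgnlGuard {
    // Constructed deny list: the page tells you to build your own from known dangerous Java code.
    private static final List<String> DENY_LIST = Arrays.asList(
            "runtime", "processbuilder", "new file", "@java.lang", "#_memberaccess",
            "denymethodexecution");

    /** Normalise so that case and whitespace tricks do not hide a listed token. */
    static String normalise(String expression) {
        return expression.toLowerCase(Locale.ROOT).replaceAll("\\s+", "");
    }

    /** Returns the deny-list token that matched, or null if the expression is clean. */
    public static String findDeniedToken(String expression) {
        String normalised = normalise(expression);
        for (String token : DENY_LIST) {
            if (normalised.contains(normalise(token))) {
                return token;
            }
        }
        return null;
    }

    /** Refuses the expression instead of only logging, so it never reaches the parser. */
    public static void check(String expression) {
        String hit = findDeniedToken(expression);
        if (hit != null) {
            // A real deployment would also write the security log the page describes here.
            throw new SecurityException("OGNL expression denied, matched '" + hit + "': " + expression);
        }
    }

    public static void main(String[] args) {
        // Constructed samples: ordinary view expressions and the call shapes this article discusses.
        String[] samples = {
                "#session.user.name",
                "#request.orderId",
                "@java.lang.Runtime@getRuntime()",
                "( new java.lang.ProcessBuilder('calc') ).start()",
                "#_memberAccess['allowStaticMethodAccess']=true"
        };
        for (String s : samples) {
            String hit = findDeniedToken(s);
            System.out.println((hit == null ? "ALLOW " : "DENY (" + hit + ") ") + s);
        }
    }
}
```

Treat this as a stopgap, not a fix: a substring blacklist only catches spellings someone thought of, and the article itself shows how a different notation slips past a filter written for the first one. The upgrade the author lists first remains the primary control; the guard buys time and, through its log line, gives you a detection signal for the interval in between.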

Why include a QQ mailbox? I will not say the specific reason, only the result: the result is that my mailbox can receive 0days. If you really understand, you can guess the reason.
