Disclosure and patch status:
http://struts.apache.org/development/2.x/docs/security-bulletins.html (announcement)
The official security bulletin gives only an identifier and a one-line description: "A vulnerability, present in the includeParams attribute of the URL and Anchor Tag, allows remote command execution".
It does not explain the root cause, nor does it ship a patch.
Analysis:
In fact, Struts2 published two advisories this time. The other one is S2-012, but judging from its title it is the issue I already disclosed in my "XCon2012 attack Java WEB" talk, so this article only covers the new one.
Struts2's official handling is baffling: either do not announce the vulnerability at all, or announce it together with a patch. Instead they published only this one paragraph, and the details are not accessible to ordinary users.
From that paragraph you can summarize two points:
1. An unpatched remote code execution vulnerability.
2. The problem is in the includeParams attribute of the URL tag.
From these two points alone, anyone familiar with Struts2's operating mechanism and the principles behind the earlier vulnerabilities can work out a PoC.
Vulnerability trigger:
Since there is no official patch, the latest Struts2 release is still vulnerable. Download the latest: Apache Struts 2.3.14 GA sample application.
A simple test shows the expected result.
According to the official information the problem is in a tag, so write a JSP page containing the following:

    <s:a includeParams="all">click here</s:a>
This is the a tag of the Struts2 tag library. It renders the current URL on the page and, when includeParams="all", includes the request parameters in it.
The only thing left to work out is how to get the parameter content treated as OGNL; that is easy to guess, and my test confirmed it.
Access the URL:

    http://localhost:8080/blank/error.jsp?aaa=${Struts2's common POC, you know}

This pops the calculator directly. Everyone already has the POC code, so I will only include a screenshot:
There was almost no analysis involved in getting the POC; in the end, in order to work out a patch, I was forced to study the root cause.
Vulnerability principle:
In the Struts2 tag library, the includeParams attribute of the url tag and the a tag controls which request parameters are included in the generated URL; once it is set to all, get or post, the request parameters are rendered into the link. For the normal use case, URL-encoding the parameters would be enough. The problem is that Struts does one step more: it runs the parameters through OGNL evaluation.
Code, from the parseQueryString method of the class org.apache.struts2.views.util.DefaultUrlHelper:

    public Map<String, Object> parseQueryString(String queryString, boolean forceValueArray) {
        Map<String, Object> queryParams = new LinkedHashMap<String, Object>();
        if (queryString != null) {
            // ... splitting of queryString into paramName / paramValue (elided in the original listing)
                if (paramName != null) {
                    // both the name and the value are decoded AND translated
                    paramName = translateAndDecode(paramName);
                    String translatedParamValue = translateAndDecode(paramValue);
            // ...

translateAndDecode in turn calls:

    private String translateVariable(String input) {
        ValueStack valueStack = ServletActionContext.getContext().getValueStack();
        return TextParseUtil.translateVariables(input, valueStack);
    }
Eventually TextParseUtil.translateVariables hands the string to OGNL, which parses and executes it directly.
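To make the two code paths concrete, here is an added Python model; it is not Struts code and not the author's. It contrasts the 2.3.14 flow (URL-decode each parameter name and value, then run both through variable translation) with a decode-only version that re-encodes when rendering the link. The value stack is a constructed dictionary and the translator is a plain `${name}` lookup, not OGNL, so the model only shows where request-controlled text reaches the evaluator.

```python
import re
from urllib.parse import parse_qsl, quote

# Constructed stand-in for the Struts ValueStack. A real stack exposes the
# action, session and request objects to OGNL; this one is a flat dict.
VALUE_STACK = {"action.name": "error", "session.user": "alice"}

_VAR = re.compile(r"\$\{([^}]*)\}")


def translate_variables(text, value_stack):
    """Toy model of TextParseUtil.translateVariables: expand every ${expr}.

    The real method hands `expr` to OGNL, which can invoke methods. This
    stand-in only looks the expression up in a dict, which is enough to
    show that request-controlled text is being treated as an expression.
    """
    return _VAR.sub(lambda m: str(value_stack.get(m.group(1), "")), text)


def parse_query_string_vulnerable(query_string, value_stack=VALUE_STACK):
    """Mirror of the 2.3.14 DefaultUrlHelper.parseQueryString flow:
    URL-decode each name and value, then run both through translation."""
    params = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        name = translate_variables(name, value_stack)
        params[name] = translate_variables(value, value_stack)
    return params


def parse_query_string_fixed(query_string):
    """Decode only. A ${...} arriving from the client stays literal text."""
    return dict(parse_qsl(query_string, keep_blank_values=True))


def build_url(path, params):
    """What an includeParams="all" tag should emit: every name and value
    re-encoded, so the rendered link round-trips the original request."""
    if not params:
        return path
    query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in params.items()
    )
    return f"{path}?{query}"


if __name__ == "__main__":
    qs = "aaa=%24%7Bsession.user%7D"  # the client sent aaa=${session.user}
    print("vulnerable:", parse_query_string_vulnerable(qs))  # value becomes 'alice'
    print("fixed:     ", parse_query_string_fixed(qs))       # value stays '${session.user}'
    print("rendered:  ", build_url("/blank/error.jsp", parse_query_string_fixed(qs)))
```

The difference between the two parse functions is the whole bug: the rendered link needs the parameter text, never its evaluation, so the translation step has no legitimate purpose on request input and simply has to go.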
Fix:
Please refer to "Struts2 Remote Code Execution Vulnerability (S2-013) temporary solution".
Note: exploitation tools are now circulating online, so please apply the temporary solution as a precaution. Related article: "Struts S2-013 0day exploitation tool".
Link: http://www.inbreak.net/archives/487
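Until the temporary fix is in place, the server logs are the place to look for attempts. The following is an added Python example, not from the original article: it scans constructed access-log lines for query parameters whose decoded name or value contains one of the two Struts expression markers (`${` and `%{`), undoing repeated percent-encoding so that `%2524%257B...` is caught as well. The log format and sample lines are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The two expression syntaxes Struts2 evaluates inside text; checked after decoding.
OGNL_MARKERS = ("${", "%{")

# Apache/Tomcat "combined"-style access log line (assumed format).
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding (bounded, so a pathological input
    cannot make the scanner loop)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target):
    """Return [(name, decoded_value)] for every query parameter whose decoded
    name or value carries an expression marker."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded_name, decoded_value = decode_fully(name), decode_fully(value)
        if any(m in decoded_name or m in decoded_value for m in OGNL_MARKERS):
            hits.append((name, decoded_value))
    return hits


def scan_access_log(lines):
    """Return (client, time, target, hits) for each request that looks like an
    attempt to get an expression evaluated through includeParams."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append((m.group("client"), m.group("time"), m.group("target"), hits))
    return findings


# Constructed sample log lines (not from any real server). The third carries a
# percent-encoded "${", the fourth a double-encoded "%{" in a parameter name.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Apr/2013:09:12:01 +0800] "GET /blank/error.jsp?aaa=hello HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Apr/2013:09:12:07 +0800] "GET /blank/index.jsp HTTP/1.1" 200 2048',
    '203.0.113.9 - - [10/Apr/2013:09:13:44 +0800] "GET /blank/error.jsp?aaa=%24%7Bexpr%7D HTTP/1.1" 200 640',
    '203.0.113.9 - - [10/Apr/2013:09:13:59 +0800] "GET /blank/error.jsp?%2525%257Bexpr%257D=1 HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for client, when, target, hits in scan_access_log(SAMPLE_LOG):
        print(f"{client} [{when}] {target} -> {hits}")
```

Because the page only needs includeParams to be present for the parameter to be evaluated, the scan looks at every request to a Struts application rather than at one URL, and a 200 status is no reassurance: the expression runs before the page renders.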
Author: Empty Prodigal Heart. Collected by the Network Security Research and Defense Laboratory (www.91ri.org) information security team; please credit the source when reproducing.