
Struts2-046: A new vector

alvaro_munoz

Last week a new Remote Code Execution (RCE) vulnerability affecting Struts2 was published. We already blogged about it (S2-045), so we will not repeat the details of how Struts2 was vulnerable via the Content-Type header. Today's post focuses instead on how important it is to analyze and understand bugs once they are made public. In this case we wanted to verify that Fortify SCA detected the vulnerability when scanning the source code involved (Struts2 plus Apache Commons-FileUpload), and we were surprised to find that, in addition to the known attack vector via the Content-Type header, SCA reported a second dataflow originating from the file name in the multipart request. The analysis evidence trace looks like this:

(Screenshot Picture1.png: Fortify SCA analysis evidence trace for the file-name dataflow.)

Reading through the code it was clear that this was a true positive that could be triggered if the following requirements were met:

  • JakartaStreamMultipartRequest is used. The Struts2 application must be configured to use the Jakarta stream parser, which is not the default one. Check for the following constant in your Struts2 configuration (struts.xml, or the equivalent property in struts.properties):  <constant name="struts.multipart.parser" value="jakarta-stream" />
  • The size of the upload, as declared by the Content-Length header, exceeds the Struts2 maximum allowed request size (struts.multipart.maxSize, 2097152 bytes by default). Note that the declared length is what is checked, not the number of bytes actually sent.
  • The file name in the Content-Disposition header of the multipart part contains an OGNL payload.

If these requirements are met, vulnerable Struts2 versions build an exception whose message contains the attacker-controlled file name and then localize that message through the OGNL value stack (the exception message is passed to LocalizedTextUtil.findText as the default text). The localization step interpolates any ${...} or %{...} variables found in the message and evaluates them as OGNL expressions, so the file name is executed as code.

A malicious request could look like the following:

POST /doUpload.action HTTP/1.1
Host: localhost:8080
Content-Length: 10000000
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAnmUgTEhFhOZpr9z
Connection: close

------WebKitFormBoundaryAnmUgTEhFhOZpr9z
Content-Disposition: form-data; name="upload"; filename="%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test','Kaboom')}"
Content-Type: text/plain

Kaboom 
------WebKitFormBoundaryAnmUgTEhFhOZpr9z--

The issue was reported to the Struts2 team, which published a new security bulletin (S2-046) detailing the affected versions, patches and workarounds, including those for the additional vectors. Note that the existing patches for the 2.3.x and 2.5.x branches, released as the fix for S2-045, also protect against this vulnerability. If for any reason you cannot upgrade to a secure version (2.3.32 or 2.5.10.1), the Struts2 team has developed a new plugin as a drop-in solution.

Please review any temporary workarounds you may have put in place (Servlet filters, WAF rules and the like) and make sure they account for all the attack vectors: the Content-Type header and the Content-Disposition file name, together with the oversized Content-Length that the jakarta-stream vector depends on.
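As an added example (not part of the original post, and not code from the Struts2 project), here is a small Python check of the kind such a filter or WAF rule needs to perform. It parses a raw multipart/form-data request, flags OGNL markers (%{ or ${) in the request Content-Type header and in each part's Content-Disposition file name, and reports a declared Content-Length above struts.multipart.maxSize, the precondition of the jakarta-stream vector. The sample requests embedded in it are constructed for the demonstration (the malicious one is the request shown above with CRLF line endings); the function and constant names are the example's own.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Default of struts.multipart.maxSize in Struts2 default.properties (2 MB).
DEFAULT_MAX_SIZE = 2097152

# Markers of the expressions Struts2 text interpolation evaluates as OGNL: %{...} and ${...}
OGNL_MARKER = re.compile(r"[%$]\{")


def parse_request(raw: bytes) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP request into a lower-cased header dict and the body text.
    latin-1 decoding is lossless for arbitrary bytes, so the body survives intact."""
    text = raw.decode("latin-1")
    head, _, body = text.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # [0] is the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def iter_parts(body: str, boundary: str) -> Iterator[Tuple[Dict[str, str], str]]:
    """Yield (part headers, part body) for each part of a multipart/form-data body."""
    delimiter = "--" + boundary
    for chunk in body.split(delimiter)[1:]:  # [0] is the preamble before the first part
        if chunk.startswith("--"):  # "--boundary--" closes the body
            break
        part_head, _, part_body = chunk.lstrip("\r\n").partition("\r\n\r\n")
        part_headers: Dict[str, str] = {}
        for line in part_head.split("\r\n"):
            name, _, value = line.partition(":")
            part_headers[name.strip().lower()] = value.strip()
        yield part_headers, part_body


def audit_multipart_request(raw: bytes, max_size: int = DEFAULT_MAX_SIZE) -> List[str]:
    """Return the S2-045/S2-046 indicators found in a raw request (empty list if clean)."""
    findings: List[str] = []
    headers, body = parse_request(raw)
    content_type = headers.get("content-type", "")

    # S2-045 vector: OGNL in the request Content-Type header itself.
    if OGNL_MARKER.search(content_type):
        findings.append("ognl-in-content-type")

    match = re.search(r'boundary=("?)([^;"]+)\1', content_type)
    if not content_type.lower().startswith("multipart/form-data") or not match:
        return findings
    boundary = match.group(2)

    # Precondition of the jakarta-stream vector: declared size above struts.multipart.maxSize.
    try:
        declared_length = int(headers.get("content-length", "-1"))
    except ValueError:
        declared_length = -1
    if declared_length > max_size:
        findings.append("content-length-exceeds-maxsize")

    # S2-046 vector: OGNL in the file name carried by a part's Content-Disposition header.
    for part_headers, _ in iter_parts(body, boundary):
        disposition = part_headers.get("content-disposition", "")
        filename = re.search(r'filename="([^"]*)"', disposition)
        if filename and OGNL_MARKER.search(filename.group(1)):
            findings.append("ognl-in-filename")
    return findings


# Constructed samples for the demonstration.
BOUNDARY = "----WebKitFormBoundaryAnmUgTEhFhOZpr9z"
MALICIOUS_REQUEST = "\r\n".join([
    "POST /doUpload.action HTTP/1.1",
    "Host: localhost:8080",
    "Content-Length: 10000000",
    "Content-Type: multipart/form-data; boundary=" + BOUNDARY,
    "Connection: close",
    "",
    "--" + BOUNDARY,
    "Content-Disposition: form-data; name=\"upload\"; filename=\"%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test','Kaboom')}\"",
    "Content-Type: text/plain",
    "",
    "Kaboom ",
    "--" + BOUNDARY + "--",
    "",
]).encode("latin-1")

BENIGN_REQUEST = "\r\n".join([
    "POST /doUpload.action HTTP/1.1",
    "Host: localhost:8080",
    "Content-Length: 186",
    "Content-Type: multipart/form-data; boundary=" + BOUNDARY,
    "",
    "--" + BOUNDARY,
    'Content-Disposition: form-data; name="upload"; filename="report.txt"',
    "Content-Type: text/plain",
    "",
    "quarterly numbers",
    "--" + BOUNDARY + "--",
    "",
]).encode("latin-1")

# S2-045 style: the OGNL marker sits in the request Content-Type header (harmless expression here).
CONTENT_TYPE_REQUEST = b"POST /doUpload.action HTTP/1.1\r\nHost: localhost:8080\r\nContent-Type: %{1+1}\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for label, request in [("malicious", MALICIOUS_REQUEST), ("benign", BENIGN_REQUEST), ("content-type", CONTENT_TYPE_REQUEST)]:
        print(label, audit_multipart_request(request))
```

Run against the request from this post the check reports both the oversized declared length and the OGNL file name; raising max_size above the declared length (as a non-default struts.multipart.maxSize would) leaves only the file-name finding, which is the one a filter must block regardless of the size limit. The file-name regex only handles the quoted filename="..." form that Commons FileUpload parses from the Content-Disposition header; a production rule should also reject control characters and RFC 2231 filename*= variants, which this example does not cover.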

Stay secure!
