
Struts2 zero day in the wild

alvaro_munoz

Remote code execution zero day in up-to-date Struts 2 applications:

Several months ago the Struts2 team published security advisory S2-020, covering a vulnerability that allowed ClassLoader manipulation through action parameters and resulted in Remote Code Execution on certain application servers such as Tomcat 8. The fix for this vulnerability was to exclude action parameter names matching the following regex:

(.*\.|^)class\..*

However, a bypass that consists of swapping the dot notation for the square bracket notation was made publicly available: instead of class.classLoader, the bypass uses class['classLoader'] to reach the ClassLoader. We verified that the bypass works as expected on our local PoC running the latest Struts version (2.3.16.1), and we were able to pop up an evil calculator on the application server. Please note that it is also possible to bypass the original regex by using Class.classLoader (with a capital 'C'), since the regex above only matches a lowercase "class".

Remediation:

We notified the Struts2 team that the zero day had been publicly disclosed and showed them the mitigation we were proposing before writing this blog post. Until the Struts2 team releases a fix, please update your excludeParams regular expression to include the following regex, which covers the opening square bracket and capital 'C' cases:

(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*

The easiest way to accomplish this is to modify your struts config file:

<struts>
...
...
    <package name="default" namespace="/" extends="struts-default">
        <interceptors>
            <interceptor-stack name="secureParamInterceptor">
                <interceptor-ref name="defaultStack">
                    <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
                </interceptor-ref>
            </interceptor-stack>
        </interceptors>

        <default-interceptor-ref name="secureParamInterceptor" />
        ...
        ...
    </package>
...
...
</struts>
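As an added example (not code from the original post or from the Struts project), the following Python harness applies both regexes to constructed parameter names the way Struts' ParametersInterceptor does: every excludeParams entry is tested against the whole parameter name, which re.fullmatch mirrors. It shows which ClassLoader access forms the S2-020 regex lets through, that the S2-021 regex catches all of them, and the cost of the wider regex: any unrelated parameter containing "class." or "class[" is also dropped, illustrated with a hypothetical subclass.name field.

```python
import re

# Regex from the original S2-020 fix: only the dot-notation path is excluded.
S2_020_EXCLUDE = r"(.*\.|^)class\..*"
# Stricter regex from this post (the Struts team's mitigation): also covers the
# bracket notation and the capital-C form.
S2_021_EXCLUDE = r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*"""
# Full params.excludeParams value from the struts.xml above; Struts splits it on commas.
EXCLUDE_PARAMS = (S2_021_EXCLUDE + r",^dojo\..*,^struts\..*,^session\..*,"
                  r"^request\..*,^application\..*,^servlet(Request|Response)\..*,"
                  r"^parameters\..*,^action:.*,^method:.*").split(",")

# Constructed parameter names: the ClassLoader access forms discussed in the post
# ("foo" is a placeholder for whatever trails the ClassLoader reference).
CLASSLOADER_PARAMS = [
    "class.classLoader.foo",
    "class['classLoader'].foo",
    'class["classLoader"].foo',
    "Class.classLoader.foo",
    "user.class.classLoader.foo",
]
# Constructed ordinary form fields; "subclass.name" is a hypothetical field that
# happens to contain "class." and shows the collateral effect of the wider regex.
ORDINARY_PARAMS = ["username", "address.street", "items[0].qty", "subclass.name"]


def is_excluded(param_name: str, patterns) -> bool:
    """Mirror ParametersInterceptor: a name is dropped if any exclude pattern
    matches it in full (Java Matcher.matches() corresponds to re.fullmatch)."""
    return any(re.fullmatch(p, param_name) for p in patterns)


def evaluate(patterns):
    """Return (blocked ClassLoader names, blocked ordinary names) for a pattern list."""
    blocked = [p for p in CLASSLOADER_PARAMS if is_excluded(p, patterns)]
    collateral = [p for p in ORDINARY_PARAMS if is_excluded(p, patterns)]
    return blocked, collateral


if __name__ == "__main__":
    for label, patterns in (("S2-020 regex", [S2_020_EXCLUDE]),
                            ("S2-021 excludeParams", EXCLUDE_PARAMS)):
        blocked, collateral = evaluate(patterns)
        missed = [p for p in CLASSLOADER_PARAMS if p not in blocked]
        print(f"{label}: blocks {len(blocked)}/{len(CLASSLOADER_PARAMS)} "
              f"ClassLoader forms; missed={missed}; collateral={collateral}")
```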

Update (25/04/14):

The Struts2 team has published an announcement with their own mitigation for the zero day while they work on a patch. The regular expression in this post has been updated to the one proposed by the Struts2 team, since it is more restrictive.

Update 2 (28/04/14):

Struts2 has released version 2.3.16.2, which addresses this zero day and also protects the CookieInterceptor. Users are strongly recommended to update to 2.3.16.2.

Stay secure!

2 Comments

Thanks for your alert.

Struts team indicates that this vulnerability can be exploited through cookie parameters.

Could you please confirm that the described regex patches the whole vulnerability?

Thank you

alvaro_munoz

Hi John,

Thanks for your comment.

As specified in the S2-021 advisory:

It isn't possible to do the same with CookieInterceptor, so don't use wildcard mapping to accept cookie names or implement your own version of CookieInterceptor based on code provided in Struts 2.3.16.2.

So please update to Struts 2.3.16.2 as soon as possible to fully protect the CookieInterceptor.
