Remote code execution zero day in up-to-date Struts 2 applications:
Several months ago the Struts2 team announced security vulnerability S2-020, which allowed ClassLoader manipulation through action parameters and resulted in Remote Code Execution on certain application servers such as Tomcat 8. The fix added a regular expression to the parameter interceptor's excludeParams list so that any parameter name matching it is rejected before OGNL evaluates it; that expression only covered the dotted form of the access:
However, a bypass that consists of replacing dot notation with square bracket notation was made publicly available. Instead of using class.classLoader to reach the ClassLoader, the bypass uses class['classLoader']. We verified that the bypass works as expected on our local PoC running the latest Struts version (2.3.16.1), and we were able to pop an evil calculator on the application server. Note that the original regex can also be bypassed with Class.classLoader (capital 'C'), since OGNL resolves both spellings to the same getClass() getter.
We notified the Struts2 team that the zero day had been publicly disclosed and showed them the mitigation we were proposing before writing this blog post. Until the Struts2 team releases the fix, update your excludeParams regular expression so that it also covers the opening square bracket and capital 'C' cases.
The easiest way to accomplish this is to modify your struts config file. Because params.excludeParams replaces the interceptor's whole exclusion list, keep the default entries alongside the new class pattern, as in the fragment below:
    <struts>
        ...
        <package name="default" namespace="/" extends="struts-default">
            <interceptors>
                <interceptor-stack name="secureParamInterceptor">
                    <interceptor-ref name="defaultStack">
                        <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
                    </interceptor-ref>
                </interceptor-stack>
            </interceptors>
            <default-interceptor-ref name="secureParamInterceptor" />
            ...
        </package>
        ...
    </struts>
Struts2 has published an announcement with its own mitigation for the zero day while a patch is prepared. The regular expression in this post has been updated to the one proposed by the Struts2 team, since it is more restrictive.
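As an added example (not code from this post or from the Struts project), the following Python harness replays the parameter-name shapes discussed above against the class pattern from the struts.xml fragment and against a dot-only stand-in for the narrower check that S2-021 bypasses. Struts rejects a parameter when an exclusion pattern matches the whole name (java.util.regex matches()), which re.fullmatch emulates. The dot-only pattern, the probe names, the ".x" tail and the helper names are assumptions made for illustration; the post does not reproduce the original S2-020 pattern.

```python
import re

# Hardened exclusion pattern copied from the struts.xml fragment in this post
# (the Struts team's S2-021 mitigation for the "class" parameter prefix).
HARDENED_CLASS_PATTERN = r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*"""

# ASSUMPTION: the post does not reproduce the S2-020 pattern it describes, so this
# dot-only pattern is a stand-in for a check that rejects a lowercase "class"
# followed by a dot, and nothing else.
DOT_ONLY_CLASS_PATTERN = r"(.*\.|^)class\..*"

# The remaining default exclusions, copied unchanged from the same fragment.
OTHER_EXCLUDES = [
    r"^dojo\..*", r"^struts\..*", r"^session\..*", r"^request\..*",
    r"^application\..*", r"^servlet(Request|Response)\..*",
    r"^parameters\..*", r"^action:.*", r"^method:.*",
]


def compile_excludes(class_pattern):
    """Build the exclusion list the way excludeParams does: a comma-separated
    list in which each entry is an independent regular expression."""
    return [re.compile(p) for p in [class_pattern] + OTHER_EXCLUDES]


def is_excluded(name, patterns):
    """Struts drops a parameter whose name matches an exclusion pattern in full
    (java.util.regex Matcher.matches()); re.fullmatch has the same semantics."""
    return any(p.fullmatch(name) for p in patterns)


def classify(names, patterns):
    """Map each parameter name to True (dropped) or False (reaches OGNL)."""
    return {n: is_excluded(n, patterns) for n in names}


# Constructed parameter names (not taken from a real request). The ".x" tail is a
# placeholder: the filter only looks at how "class" and "classLoader" are spelled.
PROBES = [
    "class.classLoader.x",       # original S2-020 dotted form
    "class['classLoader'].x",    # S2-021 bypass: single-quoted bracket form
    'class["classLoader"].x',    # S2-021 bypass: double-quoted bracket form
    "Class.classLoader.x",       # S2-021 bypass: capital C
    "user.name",                 # benign
    "subclass.name",             # benign, but contains "class."
    "classification",            # benign: "class" not followed by . ' " or [
]


def bypasses(patterns):
    """Probe names that mention classLoader yet still get through the filter."""
    return [n for n, dropped in classify(PROBES, patterns).items()
            if "classLoader" in n and not dropped]


def collateral(patterns):
    """Benign probe names the filter drops: the cost of the broad .* prefix."""
    return [n for n, dropped in classify(PROBES, patterns).items()
            if "classLoader" not in n and dropped]


if __name__ == "__main__":
    for label, pat in (("dot-only", DOT_ONLY_CLASS_PATTERN),
                       ("hardened", HARDENED_CLASS_PATTERN)):
        pats = compile_excludes(pat)
        print(f"{label}: bypasses={bypasses(pats)} collateral={collateral(pats)}")
```

Run stand-alone, the dot-only list lets all three bypass shapes through while the hardened pattern catches every one of them. The price of the hardened pattern is its leading `.*`: any parameter whose name contains `class.` or `class[` anywhere, such as `subclass.name`, is silently dropped, so check your forms for such names before rolling the mitigation out.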
Update 2 (28/04/14):
Struts2 has released version 2.3.16.2, which addresses this zero day and also applies the exclusion to the CookieInterceptor. Users are strongly recommended to update to 2.3.16.2.