Struts 2 Remote Code Execution Vulnerability (S2-057)

24/08/2018 11:50:08
The Apache Wiki recently disclosed CVE-2018-11776, a new high-risk remote code execution vulnerability in Struts 2.

What is Apache Struts 2?

Apache Struts 2 is one of the most popular open-source web application frameworks used to develop Java EE web applications. At the core of Struts 2 is WebWork, which intercepts user requests and functions as a controller to establish data interaction between the model and the views. It uses and extends the Java Servlet API to encourage developers to adopt an MVC architecture.

Summary

If no namespace value is specified when struts-actionchaining.xml is configured, and the upper action(s) have no namespace or a wildcard namespace, remote code execution may occur.
Likewise, if the value and action attributes are not specified in URL tags when struts-actionchaining.xml is configured, and the upper action(s) have no namespace or a wildcard namespace, remote code execution may occur.
Globally, over 6,343 Struts 2-based assets are exposed on the Internet.

Vulnerability Reproduction

The summary above may be a little too technical. To offer an intuitive view of the vulnerability and the attack process, we have reproduced the vulnerability below.

Prerequisites:
•    The Struts 2 version is between 2.3 and 2.3.34 or between 2.5 and 2.5.16.
•    struts-actionchaining.xml is configured with a redirection but without a namespace value.

We did the following test in a Struts 2 environment with this vulnerability:



The vulnerability may be exploited by constructing a URL that carries an OGNL expression together with the name attribute of the action tag and ends with the action, as shown below:



The OGNL expression is executed after the address is visited, as shown below:



Affected Versions

•    Struts 2.3 - Struts 2.3.34
•    Struts 2.5 - Struts 2.5.16
•    Other unsupported Struts versions.

Remediation Solution

Download or upgrade to the latest Apache patched version (2.3.35 or 2.5.17) from: http://archive.apache.org/dist/struts/
As a temporary (weaker) workaround, verify that a namespace is set in all XML configurations where the upper action(s) have no namespace or a wildcard namespace, and verify that the value and action attributes are set in all URL tags in JSPs.
Link: Apache Wiki https://cwiki.apache.org/confluence/display/WW/S2-057

Sangfor’s Solution

Sangfor NGAF 8.0.5 integrates a Next Generation WAF engine that uses a systematic analysis approach to detect all Struts 2 vulnerabilities and future variants, provided the WAF policy is enabled properly.
For Sangfor NGAF customers running a version older than 8.0.5, please make sure your WAF signature database is newer than 20171008 and that the WAF policy is enabled properly.

COPYRIGHT © 2000-2018 SANGFOR TECHNOLOGIES INC. ALL RIGHTS RESERVED.