Remote Code Execution Vulnerability in Struts 2(S2-052)
- Source:SANGFOR Security Center
- Date Published:2017-09-08
Apache released a security bulletin(S2-052) addressing a security vulnerability(CVE-2017-9805) in Struts 2. The bulletin says that a remote code execution(RCE) attack is possible when using the Struts REST plugin with XStream handler to deserialize XML requests. Attackers can take advantage of this vulnerability to perform such operations as adding or deleting user accounts, viewing, modifying or deleting files, inserting backdoor, etc.
Affected Versions: Struts 2.5 - 2.5.12
DEFINITION FROM ENCYCLOPEDIA
Apache Struts 2 is one of the most popular MVC-based JAVA Web server frameworks in the world. In effect, it is equivalent to Servlet and functions as a controller to establish data interaction between model and views.
A RCE attack is possible when using the Struts REST plugin with XStream handler to deserialize XML requests.
As of date of the publishment of this article, several PoC(Proof of Concept) exploits of the vulnerability are available on the Internet. One of the PoC exploits is as shown below:
Construct an environment similar to Struts 2.5.12, visit http://x.x.x.x:8080/struts2-rest-showcase, and implant PoC in Request. Calc.exe command will be executed successfully, as shown below:
1 Upgrade the affected versions to Struts 2.5.13, as the vulnerability has been fixed in the latest version of Struts 2.
2 Disable Struts REST plugin (do not enable this plugin unless necessary), add the following code into the config file to restrict file extension at the server side:
3 If Sangfor NGAF appliance has been deployed in your network, update vulnerability database to the version 20170906 or later version to defend against this vulnerability.