`
r00t
  • 浏览: 829 次
  • 性别: Icon_minigender_1
  • 来自: 没有
最近访客 更多访客>>
文章分类
社区版块
存档分类
最新评论

Struts2/XWork < 2.2.0 Remote Command Execution Vulnerability

阅读更多
发布时间:2010-07-14
测试方法:[www.sebug.net]本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
Friday, July 9, 2010
CVE-2010-1870: Struts2/XWork remote command execution
Update Tue Jul 13 2010: Added proof of concept

Apache Struts team has announced uploaded but has not released, due to an unreasonably prolonged voting process, the 2.2.0 release of the Struts2 web framework which fixes vulnerability that I've reported to them on May 31st 2010. Apache Struts team is ridiculously slow in releasing the fixed version and all of my attempts to expedite the process have failed.

Introduction
Struts2 is Struts + WebWork. WebWork in turn uses XWork to invoke actions and call appropriate setters/getters based on HTTP parameter names, which is achieved by treating each HTTP parameter name as an OGNL statement. OGNL (Object Graph Navigation Language) is what turns:

user.address.city=Bishkek&user['favoriteDrink']=kumys

into

action.getUser().getAddress().setCity("Bishkek")
action.getUser().setFavoriteDrink("kumys")

This is performed by the ParametersInterceptor, which calls ValueStack.setValue() with user-supplied HTTP parameters as arguments.
NOTE: If you are using XWork's ParametersInterceptor or operate with OGNL ValueStack in a similar way then you are vulnerable (ParametersInterceptor is on by default in struts-default.xml).

In addition to property getting/setting, OGNL supports many more features:

    * Method calling: foo()
    * Static method calling: @java.lang.System@exit(1)
    * Constructor calling: new MyClass()
    * Ability to work with context variables: #foo = new MyClass()
    * And more...

Since HTTP parameter names are OGNL statements, to prevent an attacker from calling arbitrary methods via HTTP parameters XWork has the following two variables guarding methods execution:

    * OgnlContext's property 'xwork.MethodAccessor.denyMethodExecution' (set to true by default)
    * SecurityMemberAccess private field called 'allowStaticMethodAccess' (set to false by default)

OGNL Context variables
To make it easier for developer to access various frequently needed objects XWork provides several predefined context variables:

    * #application
    * #session
    * #request
    * #parameters
    * #attr

These variables represent various server-side objects, such as session map. To prevent attackers from tampering with server-side objects XWork's ParametersInterceptor disallowed # in parameter names. About a year ago I found a way to bypass that protection(XW-641) using Java's unicode String representation: \u0023. At the time I felt like the fix that was implemented (OGNL value stack clearing) was insufficient, but had not time to investigate this further.

CVE-2010-1870
Earlier this year I finally got a chance to look at this again and found that in addition to the above mentioned context variables there were more:

    * #context - OgnlContext, the one guarding method execution based on 'xwork.MethodAccessor.denyMethodExecution' property value.
    * #_memberAccess - SecurityMemberAccess, whose 'allowStaticAccess' field prevented static method execution.
    * #root
    * #this
    * #_typeResolver
    * #_classResolver
    * #_traceEvaluations
    * #_lastEvaluation
    * #_keepLastEvaluation

You can probably see the problem already. Using XW-641 trick I was able to modify the values that were guarding Java methods execution and run arbitrary Java code:

#_memberAccess['allowStaticMethodAccess'] = true
#foo = new java .lang.Boolean("false")
#context['xwork.MethodAccessor.denyMethodExecution'] = #foo
#rt = @java.lang.Runtime@getRuntime()
#rt.exec('mkdir /tmp/PWNED')

Actual proof of concept had to use OGNL's expression evaluation when crafting HTTP request. PoC for this bug will be published on July 12 2010. To test whether your application is vulnerable you can use the following proof of concept, which will call java.lang.Runtime.getRuntime().exit(1):


http://mydomain/MyStruts.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.den
yMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRunti
me()))=1


Fixing CVE-2010-1870
Struts2 users must upgrade to the 2.2.0, which whitelists a set of characters that excludes characters required to exploit this vulnerability.


In cases where upgrade isn't possible you can use ParameterInterceptor's "excludeParams" parameter to whitelist the characters required for your application to operate correctly(usually A-z0-9_.'"[]) alternatively you can blacklist \()@ which are the characters required to exploit this bug.

Timeline
May 31st - email to security@struts.apache.org with vulnerability report.
June 4th - no response received, contacted developers again.
June 5th - had to find an XWork developer on IRC to look at this.
June 16th - Atlassian fixes vulnerability in its products. Atlassian and Struts developers worked together in coming up with the fix.
June 20th - 1-line fix commited
June 29th - Struts 2.2.0 release voting process started and is still going...
// sebug.net [2010-07-15]

From http://sebug.net/exploit/19954/
分享到:
评论

相关推荐

    struts框架搭建

    ### Struts2框架搭建及配置详解 #### 一、Struts2框架简介 Struts2是Struts的一个改进版本,它结合了WebWork框架和Struts框架的优点,并且增加了许多新特性,使得开发者能够更加方便地开发Java Web应用程序。...

    Struts2中使用标签实现组合查询和带分页的例子

    在Struts2框架中,`&lt;sx:&gt;`标签是Struts2 XWork库的一部分,用于增强JSP页面的功能,提供更强大的数据绑定和表单处理能力。本篇将重点讲解如何利用`sx:`标签实现组合查询和带分页功能。 首先,让我们了解下Struts2的...

    struts2下的Xwork2源文件

    struts2下的Xwork2源文件 在 opensymphony开源社区http://www.opensymphony.com/ 可匿名使用SVN checkout xwork2的源代码 http://svn.opensymphony.com/svn/xwork/trunk

    论坛系统(Struts 2+Hibernate+Spring实现)

    论坛系统(Struts 2+Hibernate+Spring实现)&lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;!DOCTYPE validators SYSTEM ...

    Struts2.2.3 + xwork半中文帮助文档

    Struts2.2.3 + xwork半中文帮助文档 Struts2.2.3 + xwork半中文帮助文档 Struts2.2.3 + xwork半中文帮助文档 Struts2.2.3 + xwork半中文帮助文档 Struts2.2.3 + xwork半中文帮助文档

    Struts2配置详解

    &lt;bean type="com.opensymphony.xwork2.ObjectFactory" name="struts" class="org.apache.struts2.impl.StrutsObjectFactory"/&gt; &lt;bean type=...

    简单的struts2小程序

    Struts2是一个强大的Java web开发框架,它基于MVC(Model-View-Controller)设计模式,为开发者提供了构建可维护性、可扩展性良好的应用程序的工具和机制。在这个"简单的Struts2小程序"中,我们可以深入理解Struts2...

    struts2之xwork

    而XWork是Struts2的核心组件,它负责处理Action的业务逻辑和控制流程。在深入理解Struts2与XWork的关系之前,我们首先需要了解MVC模式的基本概念。 MVC模式是一种软件设计模式,它将应用程序分为三个主要部分:模型...

    struts2_xwork2下载

    根据提供的文件信息,我们可以深入探讨Struts2与XWork2的相关知识点,特别是关于它们的下载、功能特性以及在实际项目中的应用。 ### Struts2框架简介 Apache Struts2是基于MVC(Model-View-Controller)设计模式的...

    基于struts2的hello world输出

    其他依赖如`struts2-core-2.3.14.jar`,`xwork-core-2.3.14.jar`等,都是Struts2框架的核心组件,它们提供了动作调度、拦截器、类型转换、结果类型等核心功能。`javassist-3.11.0.GA.jar`用于动态类生成,`ognl-...

    Struts2中xwork源码

    XWork是Struts2的核心组件,负责处理请求、动作调度、数据绑定以及异常处理等核心功能。本文将深入探讨XWork的源码,解析其设计理念和关键实现,帮助开发者更好地理解和使用Struts2。 1. **ActionInvocation**:...

    struts2.0 整合tiles 配置

    4. **struts2-tiles-plugin-2.0.6.jar**:Struts2 Tiles插件。 5. **struts2-core-2.0.6.jar**:Struts2核心库。 6. **xwork-2.0.1.jar**:XWork核心库,用于处理用户请求。 #### 三、配置web.xml 接下来,在项目的...

    【原创】Struts2防止表单重复提交.doc

    Struts2框架提供了一种简单有效的方式来解决这一问题,即通过`&lt;s:token/&gt;`标签和相关的拦截器机制来实现。 #### 二、Struts2框架简介 Struts2是一个基于Java的开源Web应用框架,它继承了Struts1的优点,并且进行了...

    struts-2.3.4.1所需的jar文件

    &lt;filter-name&gt;struts2&lt;/filter-name&gt; &lt;filter-class&gt; org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter &lt;/filter-class&gt; &lt;/filter&gt; &lt;filter-mapping&gt; &lt;filter-name&gt;struts2&lt;/filter-...

    struts2基础知识

    &lt;filter-class&gt;org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter&lt;/filter-class&gt; &lt;/filter&gt; &lt;filter-mapping&gt; &lt;filter-name&gt;struts2&lt;/filter-name&gt; &lt;url-pattern&gt;/*&lt;/url-pattern&gt; &lt;/...

    Struts2.2.3 Xwork帮助文档

    Struts2是基于Model-View-Controller(MVC)设计模式的开源框架,而Xwork是它的一个核心组件,负责处理Action和业务逻辑。 **Struts2** 是一个强大的MVC框架,它的出现是为了改进原先的Struts1框架,提供了更灵活、...

    Struts2 2.3.16xwork_doc

    XWork是Struts2的核心,它提供了一系列的工具和功能,使得开发者能够更高效地处理请求、控制业务流程以及管理应用状态。2.3.16是Struts2的一个稳定版本,包含了许多修复和改进。 XWork Doc文档集是关于Struts2 ...

    struts2xwork2帮助文档

    Struts2和XWork2是两个非常重要的Java Web框架,它们在开发企业级应用程序时扮演着核心角色。Struts2是基于MVC(Model-View-Controller)设计模式的开源框架,而XWork2则是其底层的核心工作引擎,负责处理Action、...

    Struts2官方例子3--Action的编写

    Struts2是一个强大的MVC(Model-View-Controller)框架,广泛应用于Java Web开发中。在Struts2中,Action是核心组件,负责处理用户的请求并进行业务逻辑处理。本教程将深入讲解如何在Ant环境下编写Struts2的Action。...

Global site tag (gtag.js) - Google Analytics