`
奔跑的羚羊
  • 浏览: 576996 次
  • 性别: Icon_minigender_1
  • 来自: 北京
社区版块
存档分类
最新评论

Struts2/XWork < 2.2.0 Remote Command Execution Vulnerability 临时解决方法

    博客分类:
  • java
阅读更多
\u0023这种做为参数名应该出现几率不高
1、给action设置不解析的变量
<action name="HelloWorld" class="example.HelloWorld">
        <interceptor-ref name="params">
                    <param name="excludeParams">.*\\u0023.*</param>
         </interceptor-ref>
         <result>/example/HelloWorld.jsp</result>
 </action>
 

 

2、设置struts2-core-2.0.xx.jar中struts-default.xml
  
<interceptor-stack name="defaultStack">
        <interceptor-ref name="params">
		<param name="excludeParams">dojo\..*,.*\\u0023.*</param>
	</interceptor-ref> 

</interceptor-ref>
       
参考http://struts.apache.org/2.0.14/docs/parameters-interceptor.html


测试方法:
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
Friday, July 9, 2010
CVE-2010-1870: Struts2/XWork remote command execution
Update Tue Jul 13 2010: Added proof of concept
 
Apache Struts team has announced uploaded but has not released, due to an unreasonably prolonged voting process, the 2.2.0 release of the Struts2 web framework which fixes vulnerability that I've reported to them on May 31st 2010. Apache Struts team is ridiculously slow in releasing the fixed version and all of my attempts to expedite the process have failed.
 
Introduction
Struts2 is Struts + WebWork. WebWork in turn uses XWork to invoke actions and call appropriate setters/getters based on HTTP parameter names, which is achieved by treating each HTTP parameter name as an OGNL statement. OGNL (Object Graph Navigation Language) is what turns:
 
user.address.city=Bishkek&user['favoriteDrink']=kumys
 
into
 
action.getUser().getAddress().setCity("Bishkek")
action.getUser().setFavoriteDrink("kumys")
 
This is performed by the ParametersInterceptor, which calls ValueStack.setValue() with user-supplied HTTP parameters as arguments.
NOTE: If you are using XWork's ParametersInterceptor or operate with OGNL ValueStack in a similar way then you are vulnerable (ParametersInterceptor is on by default in struts-default.xml).
 
In addition to property getting/setting, OGNL supports many more features:
 
    * Method calling: foo()
    * Static method calling: @java.lang.System@exit(1)
    * Constructor calling: new MyClass()
    * Ability to work with context variables: #foo = new MyClass()
    * And more...
 
Since HTTP parameter names are OGNL statements, to prevent an attacker from calling arbitrary methods via HTTP parameters XWork has the following two variables guarding methods execution:
 
    * OgnlContext's property 'xwork.MethodAccessor.denyMethodExecution' (set to true by default)
    * SecurityMemberAccess private field called 'allowStaticMethodAccess' (set to false by default)
 
OGNL Context variables
To make it easier for developer to access various frequently needed objects XWork provides several predefined context variables:
 
    * #application
    * #session
    * #request
    * #parameters
    * #attr
 
These variables represent various server-side objects, such as session map. To prevent attackers from tampering with server-side objects XWork's ParametersInterceptor disallowed # in parameter names. About a year ago I found a way to bypass that protection(XW-641) using Java's unicode String representation: \u0023. At the time I felt like the fix that was implemented (OGNL value stack clearing) was insufficient, but had not time to investigate this further.
 
CVE-2010-1870
Earlier this year I finally got a chance to look at this again and found that in addition to the above mentioned context variables there were more:
 
    * #context - OgnlContext, the one guarding method execution based on 'xwork.MethodAccessor.denyMethodExecution' property value.
    * #_memberAccess - SecurityMemberAccess, whose 'allowStaticAccess' field prevented static method execution.
    * #root
    * #this
    * #_typeResolver
    * #_classResolver
    * #_traceEvaluations
    * #_lastEvaluation
    * #_keepLastEvaluation
 
You can probably see the problem already. Using XW-641 trick I was able to modify the values that were guarding Java methods execution and run arbitrary Java code:
 
#_memberAccess['allowStaticMethodAccess'] = true
#foo = new java .lang.Boolean("false")
#context['xwork.MethodAccessor.denyMethodExecution'] = #foo
#rt = @java.lang.Runtime@getRuntime()
#rt.exec('mkdir /tmp/PWNED')
 
Actual proof of concept had to use OGNL's expression evaluation when crafting HTTP request. PoC for this bug will be published on July 12 2010. To test whether your application is vulnerable you can use the following proof of concept, which will call java.lang.Runtime.getRuntime().exit(1):
 
 
http://mydomain/MyStruts.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1
 
 
Fixing CVE-2010-1870
Struts2 users must upgrade to the 2.2.0, which whitelists a set of characters that excludes characters required to exploit this vulnerability.
 
 
In cases where upgrade isn't possible you can use ParameterInterceptor's "excludeParams" parameter to whitelist the characters required for your application to operate correctly(usually A-z0-9_.'"[]) alternatively you can blacklist \()@ which are the characters required to exploit this bug.
 
Timeline
May 31st - email to security@struts.apache.org with vulnerability report.
June 4th - no response received, contacted developers again.
June 5th - had to find an XWork developer on IRC to look at this.
June 16th - Atlassian fixes vulnerability in its products. Atlassian and Struts developers worked together in coming up with the fix.
June 20th - 1-line fix commited
June 29th - Struts 2.2.0 release voting process started and is still going...
分享到:
评论
1 楼 lydawen 2010-07-26  
哈,这个发布这么久了居然才发现。看来绝大部分使用s2的都有这问题了

相关推荐

    struts框架搭建

    ### Struts2框架搭建及配置详解 #### 一、Struts2框架简介 Struts2是Struts的一个改进版本,它结合了WebWork框架和Struts框架的优点,并且增加了许多新特性,使得开发者能够更加方便地开发Java Web应用程序。...

    Struts2中使用标签实现组合查询和带分页的例子

    在Struts2框架中,`&lt;sx:&gt;`标签是Struts2 XWork库的一部分,用于增强JSP页面的功能,提供更强大的数据绑定和表单处理能力。本篇将重点讲解如何利用`sx:`标签实现组合查询和带分页功能。 首先,让我们了解下Struts2的...

    struts2下的Xwork2源文件

    struts2下的Xwork2源文件 在 opensymphony开源社区http://www.opensymphony.com/ 可匿名使用SVN checkout xwork2的源代码 http://svn.opensymphony.com/svn/xwork/trunk

    论坛系统(Struts 2+Hibernate+Spring实现)

    论坛系统(Struts 2+Hibernate+Spring实现)&lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;!DOCTYPE validators SYSTEM ...

    struts2之xwork

    而XWork是Struts2的核心组件,它负责处理Action的业务逻辑和控制流程。在深入理解Struts2与XWork的关系之前,我们首先需要了解MVC模式的基本概念。 MVC模式是一种软件设计模式,它将应用程序分为三个主要部分:模型...

    Struts2.2.3 + xwork半中文帮助文档

    Struts2.2.3 + xwork半中文帮助文档 Struts2.2.3 + xwork半中文帮助文档 Struts2.2.3 + xwork半中文帮助文档 Struts2.2.3 + xwork半中文帮助文档 Struts2.2.3 + xwork半中文帮助文档

    struts2_xwork2下载

    根据提供的文件信息,我们可以深入探讨Struts2与XWork2的相关知识点,特别是关于它们的下载、功能特性以及在实际项目中的应用。 ### Struts2框架简介 Apache Struts2是基于MVC(Model-View-Controller)设计模式的...

    Struts2配置详解

    ### Struts2配置详解 #### 一、总览 在深入了解Struts2配置文件之前,我们首先需要了解其整体架构。Struts2的核心配置文件通常采用XML格式,并且具有非常清晰的结构。此配置文件主要负责定义应用的行为、组件以及...

    简单的struts2小程序

    Struts2是一个强大的Java web开发框架,它基于MVC(Model-View-Controller)设计模式,为开发者提供了构建可维护性、可扩展性良好的应用程序的工具和机制。在这个"简单的Struts2小程序"中,我们可以深入理解Struts2...

    Struts2中xwork源码

    通过深入学习XWork的源码,开发者能够理解Struts2框架的工作原理,优化性能,解决实际开发中的问题,同时也能为自定义插件和扩展提供基础。理解XWork的设计模式和核心机制,将有助于提升开发效率和代码质量,使项目...

    基于struts2的hello world输出

    其他依赖如`struts2-core-2.3.14.jar`,`xwork-core-2.3.14.jar`等,都是Struts2框架的核心组件,它们提供了动作调度、拦截器、类型转换、结果类型等核心功能。`javassist-3.11.0.GA.jar`用于动态类生成,`ognl-...

    struts2xwork2帮助文档

    Struts2和XWork2是两个非常重要的Java Web框架,它们在开发企业级应用程序时扮演着核心角色。Struts2是基于MVC(Model-View-Controller)设计模式的开源框架,而XWork2则是其底层的核心工作引擎,负责处理Action、...

    Struts2.2.3 Xwork帮助文档

    4. **集成性**:Struts2可以很好地与Spring、Hibernate等其他流行框架集成,提供一站式的解决方案。 **Xwork** 则是Struts2的基础,它处理了Action的生命周期和执行流程。Xwork的主要功能包括: 1. **Action管理**...

    struts2.0 整合tiles 配置

    4. **struts2-tiles-plugin-2.0.6.jar**:Struts2 Tiles插件。 5. **struts2-core-2.0.6.jar**:Struts2核心库。 6. **xwork-2.0.1.jar**:XWork核心库,用于处理用户请求。 #### 三、配置web.xml 接下来,在项目的...

    Struts2 2.3.16xwork_doc

    XWork是Struts2的核心,它提供了一系列的工具和功能,使得开发者能够更高效地处理请求、控制业务流程以及管理应用状态。2.3.16是Struts2的一个稳定版本,包含了许多修复和改进。 XWork Doc文档集是关于Struts2 ...

    struts-2.3.4.1所需的jar文件

    &lt;filter-name&gt;struts2&lt;/filter-name&gt; &lt;filter-class&gt; org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter &lt;/filter-class&gt; &lt;/filter&gt; &lt;filter-mapping&gt; &lt;filter-name&gt;struts2&lt;/filter-...

    【原创】Struts2防止表单重复提交.doc

    Struts2框架提供了一种简单有效的方式来解决这一问题,即通过`&lt;s:token/&gt;`标签和相关的拦截器机制来实现。 #### 二、Struts2框架简介 Struts2是一个基于Java的开源Web应用框架,它继承了Struts1的优点,并且进行了...

    struts2基础知识

    Struts2 基础知识 Struts2 是一个基于 MVC 模式的 Java Web 应用程序框架,主要...这个配置文件告诉 Struts2 框架,这个类是一个 Action,将来 Struts2 框架中要给这个类创建对象,调用方法以及加入更多丰富的功能。

    struts2 xwork2 源码

    Struts2和XWork2是两个非常重要的Java Web框架,它们在开发企业级应用程序时起着核心作用。Struts2是基于MVC(Model-View-Controller)设计模式的开源框架,而XWork2则是其底层工作框架,负责处理Action和业务逻辑。...

Global site tag (gtag.js) - Google Analytics