来源

关联漏洞

介绍

# CVE-2017-5638
# Apache Struts 2
## Introduction:
Apache Struts 2 is an open source web application framework for developing Java EE Web applications,It is the second generation of the struts framework first released on 10th Oct 2006. Struts Framework is designed in a way that it helps creating Web applications that utilize a MVC architecture.

Apache Struts is widely used framework, In 2017 more than 65 percent of Fortune 100 companies used Apache struts framework. ​



### Useful Links:

[The Framework](https://struts.apache.org/)

[ Vulnerability Details](https://nvd.nist.gov/vuln/detail/cve-2017-5638)

[Apache Struts RCE Explained](https://www.youtube.com/watch?v=Ks46P0Wsi-U)

[Vulnerability Explained](https://www.synopsys.com/blogs/software-security/cve-2017-5638-apache-struts-vulnerability-explained/)




## About Vulnerability: CVE-2017-5638

This vulnerability was first published by NVD on 03/10/2017, It has been given the highest level of Base Score 10 which is Critical. The major factor that pushed for the highest vulnerability score is that applications could be exploited over the network with minimum complexity and high impact on the integrity and the availability.

The vulnerability allowed attacker to execute RCE on the application via introducing  Object Graph Navigation Library (OGNL) expressions into the HTTP headers.

 The Vulnerable versions of the framework are Apache struts-2 version 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1.


## The Exploit


![Attack Process](https://github.com/Tankirat/CVE-2017-5638/blob/main/MicrosoftTeams-image%20(11).png)

The Vulnerable code is in the Jakarta Multipart Parser, to perform an exploit the attacker used the vulnerability in the  LocalizedTextUtil.findText function which interpreted the supplied message within ${…} as an an Object Graph Navigation Library (OGNL) expression. The attack can then use this OGNL expressions which in turn executes system commands and can reveal contents of the sensitive files such as /etc/password,/etc/shadow giving complete control to the attacker.The application further  gave the output from the commands run by the attacker hence facilitating the attacker.

The following image shows the HTTP request with OGNL expression, which allowed attackers to exploit.

![HTTP Request with attack vector](https://github.com/Tankirat/CVE-2017-5638/blob/main/HTTPRequestWithCurl.png)





## Case Study: Equifax
On march 2017, when the vulnerability CVE-2017-5638 was first discovered in the apache struts framework the apache foundation released patch for the vulnerability but Equifax did not apply patch to the Vulnerable system as the scans run to find the vulnerable system didn't work.

From May through July of 2017, the attackers were able to gain access to multiple Equifax databases exposing the information of millions of people. The attack affected 143 million people and also revealed the credit card information of more than 200,000 people.

Attacker were able to continue attacks without being noticed for 76 days.

The company spent $1.4 billion to upgrade its security after the major data breach.


## Prevention

* Frequent Updates

* Updating all the component including framework that are used in application

* Frequent Penetration testing

* Bounty programs to find vulnerabilities



## References:

[Framework Link ](https://struts.apache.org/)

[About Apache Stratus 2, wikipedia](https://en.wikipedia.org/wiki/Apache_Struts_2)

[Vulnerability, NVD](https://nvd.nist.gov/vuln/detail/cve-2017-5638#vulnCurrentDescriptionTitle)

[Vulnerability Explained, Synopsis](https://www.synopsys.com/blogs/software-security/cve-2017-5638-apache-struts-vulnerability-explained/)

[Apache Struts RCE, Youtube](https://www.youtube.com/watch?v=Ks46P0Wsi-U)

[Equifax Case study, csoonline](https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html)

[Scan Vulnerability, Github](https://github.com/mazen160/struts-pwn)

文件快照

 [4.0K]  /data/pocs/34cd951e1e3b3bd5cb0f23e771a5a9508a176ca3
├── [ 53K]  HTTPRequestWithCurl.png
├── [ 12K]  MicrosoftTeams-image (11).png
└── [3.9K]  README.md

0 directories, 3 files

备注