Struts2 zero day in the wild

Remote code execution zero day in up-to-date Struts 2 applications:

Several months ago the Struts2 team announced the security vulnerability S2-020, which allowed ClassLoader manipulation resulting in Remote Code Execution on certain application servers such as Tomcat 8. The fix for this vulnerability was to exclude action parameters whose names match the following regex:

(.*\.|^)class\..*

However, a bypass that basically consists of replacing the dot notation with the square bracket notation was made publicly available. Instead of using class.classloader to access the ClassLoader, the bypass uses class['classLoader']. We verified that the bypass works as expected on our local PoC running the latest Struts version (2.3.16.1), and we were able to pop up an evil calculator on the application server. Please note that it is also possible to bypass the original regex by using Class.classloader (with a capital 'C').

Remediation:

We notified the Struts2 team that the zero day had been publicly disclosed and showed them the mitigation we were proposing before writing this blog post. Until the Struts2 team releases a fix, please update your excludeParams regular expression to include the following regex, which covers the opening square bracket and capital 'C' cases:

(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*

The easiest way to accomplish this is to modify your struts config file:

<struts>
...
...
    <package name="default" namespace="/" extends="struts-default">
        <interceptors>
            <interceptor-stack name="secureParamInterceptor">
                <interceptor-ref name="defaultStack">
                    <param name="params.excludeParams">(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
                </interceptor-ref>
            </interceptor-stack>
        </interceptors>

        <default-interceptor-ref name="secureParamInterceptor" />
        ...
        ...
    </package>
...
...
</struts>
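To check that an excludeParams value really catches all three notations discussed above, the following Python script (an added example, not code from this post or from Struts) splits the comma-separated value and runs each parameter name through the patterns the way the parameters interceptor does, assuming that Python's re.fullmatch reproduces java.util.regex Matcher.matches() for these expressions. The probe names and the S2_020_EXCLUDE value are constructed here from the regexes shown in the post.

```python
import re

# Parameter names taken from the post: the dot notation that the S2-020 fix
# blocks, and the two bypasses (square brackets, capital 'C') that it misses.
DOT_NOTATION = "class.classLoader"
BRACKET_NOTATION = "class['classLoader']"
CAPITAL_C = "Class.classLoader"

# Constructed excludeParams value: the post's first regex (the S2-020 fix)
# plus two of the stock exclusions, so the comma splitting is exercised.
S2_020_EXCLUDE = r"(.*\.|^)class\..*,^dojo\..*,^struts\..*"
# excludeParams exactly as in the struts.xml snippet above.
UPDATED_EXCLUDE = (
    r"""(.*\.|^|.*|\[('|"))(c|C)lass(\.|('|")]|\[).*,"""
    r"""^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,"""
    r"""^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*"""
)


def compile_exclude_params(value):
    """Split a comma-separated excludeParams value into compiled patterns.
    Assumes, as here, that no individual expression contains a comma."""
    return [re.compile(p.strip()) for p in value.split(",") if p.strip()]


def is_excluded(param_name, patterns):
    """True if some pattern matches the whole name. Struts evaluates excludes
    with Matcher.matches(), a full-string match; re.fullmatch is the Python
    equivalent for these expressions (assumption: no Java-only syntax)."""
    return any(p.fullmatch(param_name) for p in patterns)


def evaluate(exclude_value, names):
    """Map each parameter name to True (dropped) or False (accepted)."""
    patterns = compile_exclude_params(exclude_value)
    return {name: is_excluded(name, patterns) for name in names}


if __name__ == "__main__":
    # Constructed probe set: the three notations from the post, a benign
    # parameter, and a benign name that merely contains "class." to show
    # that the updated expression's bare ".*" alternative drops it as well.
    probes = [DOT_NOTATION, BRACKET_NOTATION, CAPITAL_C, "user.name", "subclass.name"]
    for label, value in (("S2-020 fix", S2_020_EXCLUDE), ("updated", UPDATED_EXCLUDE)):
        print(label)
        for name, dropped in evaluate(value, probes).items():
            print(f"  {'dropped ' if dropped else 'accepted'}  {name}")
```

The updated expression is deliberately broad: any parameter name containing "class." or "class[" in any position is dropped, so check your own parameter names against it before deploying.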

Update (25/04/14):

Struts2 has published an announcement with their own mitigation for the zero day while they work on a patch. The regular expression in this post has been updated to the one proposed by the Struts2 team, since it is more restrictive.

Update 2 (28/04/14):

Struts2 has released version 2.3.16.2, which addresses this zero day and also protects the CookieInterceptor. Users are strongly recommended to update to 2.3.16.2.

Stay secure!

Tags: 0day| Struts2
Comments
JohnHan (anon) | 04-27-2014 01:53 PM

Thanks for your alert.

The Struts team indicates that this vulnerability can be exploited through cookie parameters.

Could you please confirm that the regex described patches the whole vulnerability?

Thank you

alvaro_munoz | 04-28-2014 01:59 AM

Hi John,

Thanks for your comment.

As specified in the S2-021 advisory:

It isn't possible to do the same with CookieInterceptor, so don't use wildcard mapping to accept cookie names or implement your own version of CookieInterceptor based on code provided in Struts 2.3.16.2.

So please update to Struts 2.3.16.2 as soon as possible to fully protect the CookieInterceptor.