首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>系统安全>文章内容
Struts2/XWork < 2.2.0 Remote Command Execution Vulnerability 临时解决方法
来源:vfocus.net 作者:vfocus 发布时间:2010-07-16  
\u0023这种做为参数名应该出现几率不高
1、给action设置不解析的变量
Java代码 复制代码
  1. <action name="HelloWorld" class="example.HelloWorld">   
  2.         <interceptor-ref name="params">   
  3.                     <param name="excludeParams">.*\\u0023.*</param>   
  4.          </interceptor-ref>   
  5.          <result>/example/HelloWorld.jsp</result>   
  6.  </action>  
 

 

2、设置struts2-core-2.0.xx.jar中struts-default.xml
  
Xml代码 复制代码
  1. <interceptor-stack name="defaultStack">  
  2.         <interceptor-ref name="params">  
  3.         <param name="excludeParams">dojo\..*,.*\\u0023.*</param>  
  4.     </interceptor-ref>    
  5.   
  6. </interceptor-ref>  
       
参考http://struts.apache.org/2.0.14/docs/parameters-interceptor.html


测试方法:
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
Friday, July 9, 2010
CVE-2010-1870: Struts2/XWork remote command execution
Update Tue Jul 13 2010: Added proof of concept
 
Apache Struts team has announced uploaded but has not released, due to an unreasonably prolonged voting process, the 2.2.0 release of the Struts2 web framework which fixes vulnerability that I've reported to them on May 31st 2010. Apache Struts team is ridiculously slow in releasing the fixed version and all of my attempts to expedite the process have failed.
 
Introduction
Struts2 is Struts + WebWork. WebWork in turn uses XWork to invoke actions and call appropriate setters/getters based on HTTP parameter names, which is achieved by treating each HTTP parameter name as an OGNL statement. OGNL (Object Graph Navigation Language) is what turns:
 
user.address.city=Bishkek&user['favoriteDrink']=kumys
 
into
 
action.getUser().getAddress().setCity("Bishkek")
action.getUser().setFavoriteDrink("kumys")
 
This is performed by the ParametersInterceptor, which calls ValueStack.setValue() with user-supplied HTTP parameters as arguments.
NOTE: If you are using XWork's ParametersInterceptor or operate with OGNL ValueStack in a similar way then you are vulnerable (ParametersInterceptor is on by default in struts-default.xml).
 
In addition to property getting/setting, OGNL supports many more features:
 
    * Method calling: foo()
    * Static method calling: @java.lang.System@exit(1)
    * Constructor calling: new MyClass()
    * Ability to work with context variables: #foo = new MyClass()
    * And more...
 
Since HTTP parameter names are OGNL statements, to prevent an attacker from calling arbitrary methods via HTTP parameters XWork has the following two variables guarding methods execution:
 
    * OgnlContext's property 'xwork.MethodAccessor.denyMethodExecution' (set to true by default)
    * SecurityMemberAccess private field called 'allowStaticMethodAccess' (set to false by default)
 
OGNL Context variables
To make it easier for developer to access various frequently needed objects XWork provides several predefined context variables:
 
    * #application
    * #session
    * #request
    * #parameters
    * #attr
 
These variables represent various server-side objects, such as session map. To prevent attackers from tampering with server-side objects XWork's ParametersInterceptor disallowed # in parameter names. About a year ago I found a way to bypass that protection(XW-641) using Java's unicode String representation: \u0023. At the time I felt like the fix that was implemented (OGNL value stack clearing) was insufficient, but had not time to investigate this further.
 
CVE-2010-1870
Earlier this year I finally got a chance to look at this again and found that in addition to the above mentioned context variables there were more:
 
    * #context - OgnlContext, the one guarding method execution based on 'xwork.MethodAccessor.denyMethodExecution' property value.
    * #_memberAccess - SecurityMemberAccess, whose 'allowStaticAccess' field prevented static method execution.
    * #root
    * #this
    * #_typeResolver
    * #_classResolver
    * #_traceEvaluations
    * #_lastEvaluation
    * #_keepLastEvaluation
 
You can probably see the problem already. Using XW-641 trick I was able to modify the values that were guarding Java methods execution and run arbitrary Java code:
 
#_memberAccess['allowStaticMethodAccess'] = true
#foo = new java .lang.Boolean("false")
#context['xwork.MethodAccessor.denyMethodExecution'] = #foo
#rt = @java.lang.Runtime@getRuntime()
#rt.exec('mkdir /tmp/PWNED')
 
Actual proof of concept had to use OGNL's expression evaluation when crafting HTTP request. PoC for this bug will be published on July 12 2010. To test whether your application is vulnerable you can use the following proof of concept, which will call java.lang.Runtime.getRuntime().exit(1):
 
 
http://mydomain/MyStruts.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1
 
 
Fixing CVE-2010-1870
Struts2 users must upgrade to the 2.2.0, which whitelists a set of characters that excludes characters required to exploit this vulnerability.
 
 
In cases where upgrade isn't possible you can use ParameterInterceptor's "excludeParams" parameter to whitelist the characters required for your application to operate correctly(usually A-z0-9_.'"[]) alternatively you can blacklist \()@ which are the characters required to exploit this bug.
 
Timeline
May 31st - email to security@struts.apache.org with vulnerability report.
June 4th - no response received, contacted developers again.
June 5th - had to find an XWork developer on IRC to look at this.
June 16th - Atlassian fixes vulnerability in its products. Atlassian and Struts developers worked together in coming up with the fix.
June 20th - 1-line fix commited
June 29th - Struts 2.2.0 release voting process started and is still going...

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·Windows 系统调用功能列表
·windows入侵提权-创建隐藏帐号(
· CC_STACKPROTECTOR防止内核stac
·Linux内核安全研究之Stack Overf
· Exploit The Linux Kernel NULL
·Kernel Locking 中文版
·IA32上Linux内核中断机制分析
·Award BIOS Rootkit,universal
·PHP代码审计
·N种内核注入DLL的思路及实现
·glibc 2.3.5 的一些新安全特性
·AIX 内核的文件操作流程
  相关文章
· Exploit The Linux Kernel NULL
·高级脚本“小马”的后门发现之旅
·php通用防注入程序
·windows溢出保护原理与绕过方法
·UNIX应急响应攻略
·高级日志处理:如何处理犯罪记录
·windows堆溢出利用方式总结
·分析DLL劫持攻击
·HOWTO: 在本地配置名字服务器并
·php扫马、内网查mysql数据库账号
·法庭现场分析存留的Linux 系统
·Linux内核安全研究之Stack Overf
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved