
Heya - HollyGraceful here, I make all of this content in my spare time, like it? Please support me :)

A Vulnerability in Apache Struts

CVE-2014-0094 and CVE-2014-0050

Struts is an extensible framework used for creating enterprise Java Web Applications.

In Struts 1.x the problem lies in how the ActionForm bean population mechanism works, whereas in Struts 2.x the issue is that ParametersInterceptor allows access to the 'class' parameter, which maps directly to the getClass() method and so allows ClassLoader manipulation. Long story short, this can allow attackers to execute arbitrary Java code remotely.

This issue was believed fixed in March 2014 (Apache Struts Security Bulletin S2-020). However, on April 24, 2014, the Apache Software Foundation released an announcement warning that the originally issued patch, shipped in Apache Struts versions up to 2.3.16.1, did not fully fix the vulnerability.

Affected

Apache Struts <= 1.3.10 and 2.0.0 – 2.3.16.1

Proof-of-Concept

One way to manually discover this vulnerability is to trigger a harmless type conversion error in the parameter parser. Each payload below assigns the non-numeric value foo to a property that the ClassLoader chain exposes; this should not cause any harm to the server, but the resulting 500 error proves the existence of the issue. The following payloads can be supplied as GET or POST parameters:


Tomcat 7: Class['classLoader']['resources']['dirContext']['cacheTTL']=foo
Tomcat 8: Class['classLoader']['resources']['cacheObjectMaxSize']=foo

Alternatively, the following payloads will have a similar effect:

Tomcat 7: Class['classLoader']['resources']['cacheObjectMaxSize']=foo
Tomcat 8: Class['classLoader']['resources']['context']['effectiveMajorVersion']=foo
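From the defender's side, the same payloads are easy to spot in web server logs: any request parameter whose name walks from class (in either case) into classLoader, by dot or bracket notation, is an attempt to reach the ClassLoader and has no legitimate use in a Struts application. The following Python script is an added example, not code from the original post or from the Struts project; it flags such parameter names and scans a few constructed access-log lines (the URLs, addresses and timestamps are made up) that include the payloads listed above. It goes slightly beyond the post by also matching the lower-case class.classLoader dot form and by URL-decoding parameter names, since the payloads are typically sent percent-encoded.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Parameter names that reach getClass().getClassLoader() through property
# access: "class" (either case, at the start or after a '.', '[' or quote)
# followed by a "classLoader" step in dot or bracket notation, e.g.
#   Class['classLoader']['resources']...   or   class.classLoader.resources...
CLASSLOADER_PARAM = re.compile(
    r"(^|[.\[\]'\"])class(\.|\[\s*['\"]?)classLoader", re.IGNORECASE)

# Request line and status code from an Apache/Nginx combined-format access log.
ACCESS_LOG_LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"\s+(?P<status>\d{3})')


def is_classloader_manipulation(param_name: str) -> bool:
    """True if a parameter name (possibly still percent-encoded) reaches the ClassLoader."""
    decoded = unquote_plus(param_name)  # handles double-encoded names as well
    return CLASSLOADER_PARAM.search(decoded) is not None


def suspicious_params(query_or_body: str) -> list:
    """Names of the parameters in a query string or form body that match the pattern."""
    pairs = parse_qsl(query_or_body, keep_blank_values=True)
    return [name for name, _ in pairs if is_classloader_manipulation(name)]


def scan_access_log(lines) -> list:
    """Return (path, status, matching parameter names) for every suspicious request.

    Only the query string is visible in an access log; POST bodies would need
    a WAF or application-level log to be checked the same way.
    """
    hits = []
    for line in lines:
        match = ACCESS_LOG_LINE.search(line)
        if not match:
            continue
        target = match.group("target")
        names = suspicious_params(urlsplit(target).query)
        if names:
            hits.append((urlsplit(target).path, int(match.group("status")), names))
    return hits


# Constructed sample log lines: one normal request, two probes using the
# payloads from the post (percent-encoded and dot-notation), one POST whose
# body is not visible here.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Apr/2014:10:01:02 +0000] "GET /app/login.action?user=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Apr/2014:10:01:07 +0000] "GET /app/login.action?'
    'Class[%27classLoader%27][%27resources%27][%27dirContext%27][%27cacheTTL%27]=foo HTTP/1.1" 500 87',
    '10.0.0.9 - - [24/Apr/2014:10:01:09 +0000] "GET /app/login.action?'
    'class.classLoader.resources.cacheObjectMaxSize=foo HTTP/1.1" 500 87',
    '10.0.0.7 - - [24/Apr/2014:10:01:15 +0000] "POST /app/upload.action HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for path, status, names in scan_access_log(SAMPLE_LOG):
        print(f"{path} -> {status}: {names}")
```

A 500 response paired with a matching parameter name is the signature of the discovery probe described above; the same match on a 200 response on a patched host is still worth alerting on, because it shows someone is testing for the issue.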


Further Reading

http://struts.apache.org/release/2.3.x/docs/s2-020.html
http://struts.apache.org/announce.html#a20140424