Tag Archives: Web Application Security

A Vulnerability in Apache Struts

CVE-2014-0094 and CVE-2014-0050

Struts is an extensible framework used for creating enterprise Java Web Applications.

In Struts 1.x there is a problem related to how the ActionForm bean population mechanism works, whereas in Struts 2.x there is an issue in how ParametersInterceptor allows access to the ‘class’ parameter, which is directly mapped to the getClass() method and allows ClassLoader manipulation. Long story short, this can allow attackers to execute arbitrary Java code remotely.

This issue was believed fixed in March 2014 (Apache Struts Security Bulletin S2-020). However, on April 24, 2014, the Apache Software Foundation released an announcement warning that the patch originally issued for the vulnerability in Apache Struts up to version 2.3.16.1 did not fully fix it.

Affected

Apache Struts <= 1.3.10 and 2.0.0 – 2.3.16.1

Proof-of-Concept

One way to manually discover this vulnerability is to attempt to cause a strong class error in the parser. This should not cause any harm to the server, but should prove the existence of the issue by showing a 500 error. The following payloads can be supplied to GET and POST parameters:

Tomcat 7: “Class[‘classLoader’][‘resources’][‘dirContext’][‘cacheTTL’]=foo”
Tomcat 8: “Class[‘classLoader’][‘resources’][‘cacheObjectMaxSize’]=foo”

Alternatively, the following payload will have a similar effect:

Tomcat 7: “Class[‘classLoader’][‘resources’][‘cacheObjectMaxSize’]=foo”
Tomcat 8: “Class[‘classLoader’][‘resources’][‘context’][‘effectiveMajorVersion’]=foo”
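
A defender-side counterpart to the manual check above, as an added example that is not part of the original post: a Python scan of access-log lines for request parameter names that walk from a ‘class’ property to ‘classLoader’, in dot or bracket notation and in any case. The log lines, the /shop paths and all function names are constructed for illustration; only query-string parameters show up in access logs, so POST bodies need the same check at a filter or WAF.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# One segment of a property path: ['name'], ["name"], [name], .name or name
SEGMENT = re.compile(r"""\[\s*['"]?([^\]'"]*)['"]?\s*\]|\.?([^.\[\]]+)""")
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

def property_path(param_name):
    """Split a parameter name into lower-cased property segments."""
    decoded = unquote(param_name)  # undoes one extra layer of URL encoding
    return [(a or b).strip().lower() for a, b in SEGMENT.findall(decoded)]

def touches_classloader(param_name):
    """True if the name walks from a 'class' property to 'classLoader'."""
    path = property_path(param_name)
    return any(cur == "class" and nxt == "classloader"
               for cur, nxt in zip(path, path[1:]))

def scan(log_lines):
    """Return (line_no, status, parameter_name) for each suspicious parameter."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue  # not a request line we understand
        query = urlsplit(m.group(1)).query
        for name, _ in parse_qsl(query, keep_blank_values=True):
            if touches_classloader(name):
                hits.append((line_no, int(m.group(2)), name))
    return hits

# Constructed access-log lines (documentation IPs, hypothetical /shop app).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Apr/2014:10:01:02 +0000] "GET /shop/list.action?category=books&page=2 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [25/Apr/2014:10:03:17 +0000] "GET /shop/list.action?Class%5B%27classLoader%27%5D%5B%27resources%27%5D%5B%27cacheObjectMaxSize%27%5D=foo HTTP/1.1" 500 1893',
    '192.0.2.44 - - [25/Apr/2014:10:03:19 +0000] "GET /shop/list.action?class.classLoader.resources.dirContext.cacheTTL=foo HTTP/1.1" 500 1893',
    '192.0.2.12 - - [25/Apr/2014:10:04:40 +0000] "GET /shop/search.action?classification=fiction&user.className=x HTTP/1.1" 200 734',
]

if __name__ == "__main__":
    for line_no, status, name in scan(SAMPLE_LOG):
        print(f"line {line_no}: HTTP {status} parameter {name}")
```

A hit that was answered with a 500 status matches the behaviour described above and is worth correlating with the Struts version deployed on that host.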

 

Further Reading

http://struts.apache.org/release/2.3.x/docs/s2-020.html
http://struts.apache.org/announce.html#a20140424

CRIME against TLS?

Compression Ratio Info-leak Made Easy

CRIME is an attack against SSL, like Heartbleed, but it has a much smaller probability of exploitation. The authors of CRIME also wrote the BEAST attack. Much like BEAST, the attack can allow an attacker to recover web cookies and thereby perform session hijacking attacks, and the specific restrictions for the attack are similar. The attacker requires the ability to repeatedly inject predictable data whilst monitoring the resulting encrypted traffic. This means two main prerequisites must be met before the attack is possible: the attacker must be able to observe network traffic, and must be able to manipulate the victim’s browser into submitting requests to the target site.

The manipulation could be possible through cross-site scripting attacks. JavaScript is not required: an attack could be possible with HTML injection alone, although it would be less efficient.

For CRIME to be possible, the server must support compression of the request before encryption. TLS supports DEFLATE, which is vulnerable, as is SPDY. The client must also support compression, but only a small percentage of browsers do.
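
Why compression before encryption matters, and why turning it off removes the signal, as an added example that is not part of the original post: the same two requests are measured with and without DEFLATE, using Python's zlib in place of TLS-level compression. The cookie value, host name and function names are constructed for illustration.

```python
import zlib

# Constructed secret: a hypothetical session cookie the browser attaches itself.
COOKIE = "Cookie: sessionid=7f3a9c2e41d8b6a05c9e\r\n"
RIGHT = "sessionid=7f3a9c2e41d8b6a05c9e"   # injected text equal to the secret
WRONG = "sessionid=Qx0ZkPw4Lm1TyRv8NbHj"   # same length, different value

def build_request(injected):
    """Request in which injected text shares one stream with the cookie."""
    return (f"GET /?{injected} HTTP/1.1\r\n"
            "Host: shop.example\r\n" + COOKIE + "\r\n").encode("ascii")

def observed_length(plaintext, compression):
    """Payload size visible on the wire; encryption hides content, not length."""
    return len(zlib.compress(plaintext, 9)) if compression else len(plaintext)

def length_gap(compression):
    """Size difference between a non-matching and a matching injection."""
    return (observed_length(build_request(WRONG), compression)
            - observed_length(build_request(RIGHT), compression))

if __name__ == "__main__":
    # With DEFLATE the matching text collapses into a back-reference,
    # so the record is shorter; without compression both are the same size.
    print("gap with DEFLATE enabled:", length_gap(True), "bytes")
    print("gap with compression off:", length_gap(False), "bytes")
```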

What is BEAST?

Browser Exploit Against SSL/TLS

BEAST is an attack against SSL/TLS, which is the cryptographic system that protects data sent online. A practical attack was found to be possible against TLS v1.0 and SSLv3.0 (and below). The issue is that the Initialisation Vector (IV) utilised as part of the encryption process can be determined by an attacker. IVs are utilised to prevent encrypted data from being deterministic; they essentially make it harder for attackers to determine patterns in encrypted data. Without them, if a repeating pattern is evident in the plaintext then it will be evident in the ciphertext, and this type of information is greatly useful to an attacker. IVs are designed to prevent this, however with the BEAST attack they are shown to be deterministic, which greatly reduces their use as a protection mechanism.

This reduces the protection, but the deterministic nature is of limited use to an attacker, who is only able to retrieve small amounts of information from the encrypted data. With attacks against web applications, however, small amounts of data can cause a large impact if an attacker is able to retrieve information such as session tokens.


Heartbleed

CVE-2014-0160

A vulnerability exists in outdated versions of OpenSSL which allows an attacker to cause the server to disclose up to 64 KB of server memory contents. This can cause secret keys, authentication tokens, usernames and passwords to be compromised. This can lead to an attacker being able to impersonate users and decrypt data transferred between a user and the server.


HSTS: HTTP Strict Transport Security

HSTS is a web security mechanism to prevent downgrade attacks. It allows a web server to instruct web browsers to only communicate with the server over SSL, so that all subsequent traffic is encrypted, even if a user attempts to visit an insecure link (the browser will ‘correct’ the user and request the secure site instead).
