CVE-2014-0094 - ClassLoader Manipulation Security Bypass vulnerability in RETIRED: Apache Struts

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: NONE
Tags: network, low complexity, apache, nessus, exploit available, metasploit

Summary

The ParametersInterceptor in Apache Struts before 2.3.16.2 allows remote attackers to "manipulate" the ClassLoader via the class parameter, which is passed to the getClass method.

Exploit-Db

  • id: EDB-ID:41690
    last seen: 2018-11-30
    modified: 2014-03-06
    published: 2014-03-06
    reporter: Exploit-DB
    source: https://www.exploit-db.com/download/41690
    title: Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit)
  • description: Apache Struts ClassLoader Manipulation Remote Code Execution. CVE-2014-0094, CVE-2014-0112, CVE-2014-0113. Remote exploits for multiple platforms
    id: EDB-ID:33142
    last seen: 2016-02-03
    modified: 2014-05-02
    published: 2014-05-02
    reporter: metasploit
    source: https://www.exploit-db.com/download/33142/
    title: Apache Struts ClassLoader Manipulation Remote Code Execution

Metasploit

description: This module exploits a remote command execution vulnerability in Apache Struts versions 1.x (<= 1.3.10) and 2.x (< 2.3.16.2). In Struts 1.x the problem is related to the ActionForm bean population mechanism, while in the case of Struts 2.x the vulnerability is due to the ParametersInterceptor. Both allow access to the 'class' parameter, which is directly mapped to the getClass() method and allows ClassLoader manipulation. As a result, this can allow remote attackers to execute arbitrary Java code via crafted parameters.
id: MSF:EXPLOIT/MULTI/HTTP/STRUTS_CODE_EXEC_CLASSLOADER
last seen: 2020-06-05
modified: 2019-01-29
published: 2014-04-29
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/struts_code_exec_classloader.rb
title: Apache Struts ClassLoader Manipulation Remote Code Execution
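A defender-side check for the input path described above: an added example written for this page (it is not Rapid7's module and not any Tenable plugin code) that scans web access logs and flags requests whose query-parameter names are rooted at the action's 'class' property or walk into a ClassLoader. It assumes the combined access-log format; the IP addresses, application paths and request lines are constructed sample data.

```python
"""Flag Struts 'class' / ClassLoader parameter manipulation attempts in web access logs.

Added example for this page (not Rapid7's module or Tenable's plugin code).
Input is the combined access-log format; all sample lines below are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# A parameter name rooted at the action's 'class' property ("class.", "class[")
# reaches getClass() through the ParametersInterceptor; any name that walks
# into a ClassLoader is flagged as well. Matching is case-insensitive so a
# capitalised "Class." variant is caught, and the leading anchor keeps
# ordinary names such as "classic" from matching.
_CLASS_ROOT = re.compile(r"^class[.\[]", re.IGNORECASE)
_CLASSLOADER = re.compile(r"classloader", re.IGNORECASE)

# Combined log format: client ident user [time] "METHOD target PROTO" status size ...
_LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)


def suspicious_params(target):
    """Return [(name, value)] for query parameters whose *name* touches class/ClassLoader.

    Only the parameter name is inspected: a value that merely contains the
    word "classLoader" (a search term, say) is not a navigation path.
    """
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl percent-decodes once; decode again so a double-encoded
        # name such as "class%252EclassLoader" is compared in its final form.
        name = unquote(name)
        if _CLASS_ROOT.search(name) or _CLASSLOADER.search(name):
            hits.append((name, value))
    return hits


def scan_log(lines):
    """Return one finding dict per log line that carries a suspicious parameter."""
    findings = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({
                "client": m.group("client"),
                "time": m.group("time"),
                "status": int(m.group("status")),
                "target": m.group("target"),
                "params": hits,
            })
    return findings


# Constructed sample log (documentation IP ranges, fictitious application paths).
# Note: only query-string parameters appear in an access log; parameters sent in
# a POST body need request-body logging (or a WAF/reverse-proxy rule) to be seen.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2014:09:14:02 +0000] "GET /app/login.action?class.classLoader.URLs[0]=probe HTTP/1.1" 200 512',
    '198.51.100.2 - - [10/Mar/2014:09:14:10 +0000] "GET /app/search.action?q=classLoader+howto&page=2 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Mar/2014:09:15:33 +0000] "GET /app/login.action?Class%2EclassLoader%2EURLs%5B0%5D=x HTTP/1.1" 404 300',
    '192.0.2.9 - - [10/Mar/2014:09:16:01 +0000] "POST /app/login.action HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['time']} {finding['client']} -> {finding['status']} {finding['target']}")
        for name, value in finding["params"]:
            print(f"    param {name!r} = {value!r}")
```

Of the four constructed lines, the two from 203.0.113.7 are flagged (the second one despite percent-encoding and the capitalised "Class"), while the search request whose value merely contains "classLoader" is not.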

Nessus

  • NASL family: CGI abuses
    NASL id: MYSQL_ENTERPRISE_MONITOR_2_3_17.NASL
    description: According to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by multiple vulnerabilities : - A flaw exists within
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 83293
    published: 2015-05-08
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/83293
    title: MySQL Enterprise Monitor < 2.3.17 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(83293);
      script_version("1.7");
      script_cvs_date("Date: 2019/11/22");
    
      script_cve_id(
        "CVE-2014-0050",
        "CVE-2014-0094",
        "CVE-2014-0112",
        "CVE-2014-0113",
        "CVE-2014-0116"
      );
      script_bugtraq_id(
        65400,
        65999,
        67064,
        67081,
        67218
      );
      script_xref(name:"CERT", value:"719225");
      script_xref(name:"EDB-ID", value:"33142");
      script_xref(name:"EDB-ID", value:"31615");
    
      script_name(english:"MySQL Enterprise Monitor < 2.3.17 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of MySQL Enterprise Monitor.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A web application running on the remote host is affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the MySQL Enterprise Monitor
    running on the remote host is affected by multiple vulnerabilities : 
    
      - A flaw exists within 'MultipartStream.java' in Apache
        Commons FileUpload when parsing malformed Content-Type
        headers. A remote attacker, using a crafted header,
        can exploit this to cause an infinite loop, resulting
        in a denial of service. (CVE-2014-0050)
    
      - Security bypass flaws exist in the ParametersInterceptor
        and CookieInterceptor classes, within the included
        Apache Struts 2 component, which are due to a failure to
        properly restrict access to their getClass() methods. A
        remote attacker, using a crafted request, can exploit
        these flaws to manipulate the ClassLoader, thus allowing
        the execution of arbitrary code or modification of the
        session state. Note that vulnerabilities CVE-2014-0112
        and CVE-2014-0116 occurred because the patches for
        CVE-2014-0094 and CVE-2014-0113, respectively, were not
        complete fixes. (CVE-2014-0094, CVE-2014-0112,
        CVE-2014-0113, CVE-2014-0116)");
      # https://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?56618dc1");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-021");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-022");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to MySQL Enterprise Monitor 2.3.17 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apache Struts ClassLoader Manipulation Remote Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/05/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/08");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mysql:enterprise_monitor");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("mysql_enterprise_monitor_web_detect.nasl");
      script_require_keys("installed_sw/MySQL Enterprise Monitor");
      script_require_ports("Services/www", 18080);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
    app  = "MySQL Enterprise Monitor";
    get_install_count(app_name:app, exit_if_zero:TRUE);
    
    fix  = "2.3.17";
    port = get_http_port(default:18080);
    
    install = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE);
    version = install['version'];
    install_url = build_url(port:port, qs:"/");
    
    if (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  URL               : ' + install_url +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + fix +
          '\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
    }
    else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);
    
  • NASL family: CGI abuses
    NASL id: MYSQL_ENTERPRISE_MONITOR_3_0_11.NASL
    description: According to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by multiple vulnerabilities : - A flaw exists within
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 83295
    published: 2015-05-08
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/83295
    title: MySQL Enterprise Monitor 3.0.x < 3.0.11 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(83295);
      script_version("1.7");
      script_cvs_date("Date: 2019/11/22");
    
      script_cve_id(
        "CVE-2014-0050",
        "CVE-2014-0094",
        "CVE-2014-0112",
        "CVE-2014-0113",
        "CVE-2014-0116"
      );
      script_bugtraq_id(
        65400,
        65999,
        67064,
        67081,
        67218
      );
      script_xref(name:"CERT", value:"719225");
      script_xref(name:"EDB-ID", value:"33142");
      script_xref(name:"EDB-ID", value:"31615");
    
      script_name(english:"MySQL Enterprise Monitor 3.0.x < 3.0.11 Multiple Vulnerabilities");
      script_summary(english:"Checks the version of MySQL Enterprise Monitor.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A web application running on the remote host is affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the MySQL Enterprise Monitor
    running on the remote host is affected by multiple vulnerabilities :
    
      - A flaw exists within 'MultipartStream.java' in Apache
        Commons FileUpload when parsing malformed Content-Type
        headers. A remote attacker, using a crafted header,
        can exploit this to cause an infinite loop, resulting
        in a denial of service. (CVE-2014-0050)
    
      - Security bypass flaws exist in the ParametersInterceptor
        and CookieInterceptor classes, within the included
        Apache Struts 2 component, which are due to a failure to
        properly restrict access to their getClass() methods. A
        remote attacker, using a crafted request, can exploit
        these flaws to manipulate the ClassLoader, thus allowing
        the execution of arbitrary code or modification of the
        session state. Note that vulnerabilities CVE-2014-0112
        and CVE-2014-0116 occurred because the patches for
        CVE-2014-0094 and CVE-2014-0113, respectively, were not
        complete fixes. (CVE-2014-0094, CVE-2014-0112,
        CVE-2014-0113, CVE-2014-0116)");
      # https://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?56618dc1");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-021");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-022");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to MySQL Enterprise Monitor 3.0.11 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apache Struts ClassLoader Manipulation Remote Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/05/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/08");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mysql:enterprise_monitor");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("mysql_enterprise_monitor_web_detect.nasl");
      script_require_keys("installed_sw/MySQL Enterprise Monitor");
      script_require_ports("Services/www", 18443);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
    app  = "MySQL Enterprise Monitor";
    get_install_count(app_name:app, exit_if_zero:TRUE);
    
    fix  = "3.0.11";
    port = get_http_port(default:18443);
    
    install = get_single_install(app_name:app, port:port, exit_if_unknown_ver:TRUE);
    version = install['version'];
    install_url = build_url(port:port, qs:"/");
    
    if (version =~ "^3\.0($|[^0-9])" && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  URL               : ' + install_url +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + fix +
          '\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
    }
    else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, version);
    
  • NASL family: Misc.
    NASL id: VCENTER_OPERATIONS_MANAGER_VMSA_2014-0007.NASL
    description: The version of vCenter Operations Manager installed on the remote host is prior to 5.8.2. It is, therefore, affected by the following vulnerabilities : - An error exists in the included Apache Tomcat version related to handling
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 76388
    published: 2014-07-07
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/76388
    title: VMware vCenter Operations Management Suite Multiple Vulnerabilities (VMSA-2014-0007)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(76388);
      script_version("1.8");
      script_cvs_date("Date: 2018/08/06 14:03:14");
    
      script_cve_id("CVE-2014-0050", "CVE-2014-0094", "CVE-2014-0112");
      script_bugtraq_id(65400, 65999, 67064);
      script_xref(name:"VMSA", value:"2014-0007");
      script_xref(name:"IAVB", value:"2014-B-0090");
    
      script_name(english:"VMware vCenter Operations Management Suite Multiple Vulnerabilities (VMSA-2014-0007)");
      script_summary(english:"Checks version of vCenter Operations Manager.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host has a virtualization appliance installed that is
    affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of vCenter Operations Manager installed on the remote host
    is prior to 5.8.2. It is, therefore, affected by the following
    vulnerabilities :
    
      - An error exists in the included Apache Tomcat version
        related to handling 'Content-Type' HTTP headers and
        multipart requests such as file uploads that could
        allow denial of service attacks. (CVE-2014-0050)
    
      - A security bypass error exists due to the included
        Apache Struts2 component, allowing manipulation of the
        ClassLoader via the 'class' parameter, which is directly
        mapped to the getClass() method. A remote,
        unauthenticated attacker can take advantage of this
        issue to manipulate the ClassLoader used by the
        application server, allowing for the bypass of certain
        security restrictions. Note that CVE-2014-0112 exists
        because CVE-2014-0094 was not a complete fix.
        (CVE-2014-0094, CVE-2014-0112)");
      script_set_attribute(attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2014/000257.html");
      # https://www.vmware.com/support/vcops/doc/vcops-582-vapp-release-notes.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4d46f364");
      # https://www.vmware.com/support/vcops/doc/vcops-582-installable-release-notes.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1fe3ac72");
      # http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2081470
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?be20e92d");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to vCenter Operations Manager 5.7.3 / 5.8.2 or later.
    
    Alternatively, the vendor has provided a workaround for the security
    bypass error.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apache Struts ClassLoader Manipulation Remote Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/06/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/07/07");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:vcenter_operations");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/VMware vCenter Operations Manager/Version");
      script_require_ports("Services/ssh", 22);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    version = get_kb_item_or_exit("Host/VMware vCenter Operations Manager/Version");
    fix = NULL;
    
    # 0.x - 4.x / 5.0.x - 5.6.x
    #  - update with alt. version(s) when patch is available
    if (version =~ "^([0-4]|5\.[0-6])($|[^0-9])")
      fix = "5.8.2";
    
    # 5.7.x < 5.7.3
    else if (version =~ "^5\.7\." && ver_compare(ver:version, fix:'5.7.3', strict:FALSE) < 0)
      fix = "5.7.3";
    
    # 5.8.x < 5.8.2
    else if (version =~ "^5\.8\." && ver_compare(ver:version, fix:'5.8.2', strict:FALSE) < 0)
      fix = "5.8.2";
    
    if (!isnull(fix))
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + fix +
          '\n';
        security_hole(port:0, extra:report);
      }
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_INST_VER_NOT_VULN, 'VMware vCenter Operations Manager', version);
    
  • NASL family: CGI abuses
    NASL id: STRUTS_2_3_16_1_CLASSLOADER_MANIPULATION.NASL
    description: The remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation Language) as an expression language. The version of Struts 2 in use is affected by a security bypass vulnerability due to the application allowing manipulation of the ClassLoader via the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 73203
    published: 2014-03-26
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/73203
    title: Apache Struts 2 'class' Parameter ClassLoader Manipulation
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(73203);
      script_version("1.15");
      script_cvs_date("Date: 2019/11/26");
    
      script_cve_id("CVE-2014-0094");
      script_bugtraq_id(65999);
      script_xref(name:"CERT", value:"719225");
    
      script_name(english:"Apache Struts 2 'class' Parameter ClassLoader Manipulation");
      script_summary(english:"Attempts to generate a ClassLoader error.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a web application that uses a Java framework that is affected by a security bypass
    vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote web application appears to use Struts 2, a web framework that utilizes OGNL (Object-Graph Navigation
    Language) as an expression language. The version of Struts 2 in use is affected by a security bypass vulnerability due
    to the application allowing manipulation of the ClassLoader via the 'class' parameter, which is directly mapped to the
    getClass() method. A remote, unauthenticated attacker can take advantage of this issue to manipulate the ClassLoader
    used by the application server, allowing for the bypass of certain security restrictions.
    
    Note that this plugin will only report the first vulnerable instance of a Struts 2 application.
    
    Note also that the application may also be affected by a denial of service vulnerability; however, Nessus has not
    tested for this additional issue.");
      # https://cwiki.apache.org/confluence/display/WW/S2-020
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2926fce9");
      # https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.16.2
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e39cc37e");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to version 2.3.16.2 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-0094");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apache Struts ClassLoader Manipulation Remote Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/03/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/26");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
      script_end_attributes();
    
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("http_version.nasl", "webmirror.nasl");
      script_require_ports("Services/www", 80, 8080);
    
      exit(0);
    }
    
    include('audit.inc');
    include('global_settings.inc');
    include('http.inc');
    include('misc_func.inc');
    
    port = get_http_port(default:8080);
    cgis = get_kb_list('www/' + port + '/cgi');
    
    urls = make_list();
    # To identify actions that we can test the exploit on we will look
    # for files with the .action / .jsp / .do suffix from the KB.
    if (!isnull(cgis))
    {
      foreach cgi (cgis)
      {
        match = pregmatch(pattern:"((^.*)(/.+\.act(ion)?)($|\?|;))", string:cgi);
        if (!isnull(match))
        {
          urls = make_list(urls, match[0]);
          if (!thorough_tests) break;
        }
        match2 = pregmatch(pattern:"(^.*)(/.+\.jsp)$", string:cgi);
        if (!isnull(match2))
        {
          urls = make_list(urls, match2[0]);
          if (!thorough_tests) break;
        }
        match3 = pregmatch(pattern:"(^.*)(/.+\.do)$", string:cgi);
        if (!isnull(match3))
        {
          urls = make_list(urls, match3[0]);
          if (!thorough_tests) break;
        }
        if (cgi =~ "struts2?(-rest)?-showcase")
        {
          urls = make_list(urls, cgi);
          if (!thorough_tests) break;
        }
      }
    }
    if (thorough_tests)
    {
      cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');
      if (!isnull(cgi2)) urls = make_list(urls, cgi2);
    
      cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');
      if (!isnull(cgi3)) urls = make_list(urls, cgi3);
    
      cgi4 = get_kb_list('www/' + port + '/content/extensions/do');
      if (!isnull(cgi4)) urls = make_list(urls, cgi4);
    }
    
    # Always check web root
    urls = make_list(urls, '/');
    
    # Struts is slow
    timeout = get_read_timeout() * 2;
    if(timeout < 10)
      timeout = 10;
    http_set_read_timeout(timeout);
    
    urls = list_uniq(urls);
    
    script = SCRIPT_NAME - '.nasl' + '-' + unixtime();
    
    pat = '(Invalid field value for field|No result defined for action)';
    
    foreach url (urls)
    {
      res = http_send_recv3(
        method : 'GET',
        port   : port,
        item   : url,
        exit_on_fail : TRUE
      );
      chk1 = egrep(pattern:pat, string:res[2], icase:TRUE);
    
      vuln_url = url + '?class.classLoader.URLs[0]=' + script;
    
      res = http_send_recv3(
        method : 'GET',
        port   : port,
        item   : vuln_url,
        fetch404 : TRUE,
        exit_on_fail : TRUE
      );
    
      pat_match = pregmatch(pattern:pat, string:res[2], icase:TRUE);
      if (
        !isnull(pat_match) &&
        (res[0] =~ "200 OK|404 Not Found") &&
        (!chk1) &&
        (!empty_or_null(pat_match[1]))
      )
      {
        vuln = TRUE;
        output = strstr(res[2], pat_match[1]);
        if (empty_or_null(output)) output = res[2];
        # Stop after first vulnerable Struts app is found
        break;
      }
    }
    
    if (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');
    
    security_report_v4(
      port       : port,
      severity   : SECURITY_WARNING,
      generic    : TRUE,
      request    : make_list(build_url(qs:vuln_url, port:port)),
      output     : chomp(output)
    );
    
  • NASL family: Windows
    NASL id: STRUTS_2_3_16_1_WIN_LOCAL.NASL
    description: This plugin has been deprecated and replaced by struts_2_3_16_1.nasl (plugin ID 117393).
    last seen: 2019-02-21
    modified: 2018-09-12
    plugin id: 81105
    published: 2015-01-30
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=81105
    title: Apache Struts 2.0.0 < 2.3.16.1 Multiple Vulnerabilities (credentialed check) (Deprecated)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # @DEPRECATED@
    #
    # Disabled on 9/12/2018. Use struts_2_3_16_1.nasl instead
    
    include("compat.inc");
    
    if (description)
    {
      script_id(81105);
      script_version("1.7");
      script_cvs_date("Date: 2018/09/12  7:22:56");
    
      script_cve_id("CVE-2014-0050", "CVE-2014-0094");
      script_bugtraq_id(65400, 65999);
      script_xref(name:"CERT", value:"719225");
    
      script_name(english:"Apache Struts 2.0.0 < 2.3.16.1 Multiple Vulnerabilities (credentialed check) (Deprecated)");
      script_summary(english:"Checks the Struts 2 version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "This plugin has been deprecated.");
      script_set_attribute(attribute:"description", value:
    "This plugin has been deprecated and replaced by 
    struts_2_3_16_1.nasl (plugin ID 117393).");
      script_set_attribute(attribute:"see_also", value:"http://struts.apache.org/docs/version-notes-23161.html");
      script_set_attribute(attribute:"see_also", value:"http://struts.apache.org/docs/s2-020.html");
      script_set_attribute(attribute:"solution", value:"N/A.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apache Struts ClassLoader Manipulation Remote Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/03/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/30");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
    
      script_dependencies("struts_detect_win.nbin");
      script_require_keys("installed_sw/Apache Struts", "Settings/ParanoidReport");
    
      exit(0);
    }
    exit(0, "This plugin has been deprecated. Use struts_2_3_16_1.nasl (plugin ID 117393) instead.");
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("install_func.inc");
    
    app = "Apache Struts";
    
    install = get_single_install(app_name : app);
    version = install['version'];
    path  = install['path'];
    appname = install['Application Name'];
    
    fix = "2.3.16.1";
    report = NULL;
    
    if (version == UNKNOWN_VER)
      audit(AUDIT_UNKNOWN_APP_VER, ("the " + app + " application, " + appname + ", found at " + path + ","));
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    if (
      version =~ "^2\." &&
      ver_compare(ver:version, fix:fix, strict:FALSE) == -1
    )
    {
      port = get_kb_item("SMB/transport");
      if (!port) port = 445;
    
      report +=
        '\n  Application       : ' + appname +
        '\n  Physical path     : ' + path +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fix +
        '\n';
    }
    
    if (!isnull(report))
    {
      port = get_kb_item("SMB/transport");
      if (isnull(port)) port = 445;
    
      if (report_verbosity > 0) security_warning(port:port, extra:report);
      else security_warning(port);
    }
    else audit(AUDIT_INST_PATH_NOT_VULN, (app + " 2 application, " + appname + ","), version, path);
    
  • NASL familyMisc.
    NASL idSTRUTS_2_3_16_1.NASL
    descriptionThe version of Apache Struts running on the remote host is 2.x prior to 2.3.16.2. It, therefore, is affected by multiple vulnerabilities: - A denial of service vulnerability exists in MultipartStream.java in Apache Commons FileUpload due to failure to handle exceptional conditions. A remote, unauthenticated attacker can exploit this issue to cause the application to enter an infinite loop which may cause a denial of service condition. (CVE-2014-0050) - A class loader manipulation flaw exists in ParametersInterceptor due to improper validation of input data. An attacker can exploit this issue to bypass certain security restrictions and manipulate the ClassLoader. (CVE-2014-0094) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen2020-06-01
    modified2020-06-02
    plugin id117393
    published2018-09-10
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117393
    titleApache Struts 2.x < 2.3.16.2 Multiple Vulnerabilities (S2-020)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(117393);
      script_version("1.11");
      script_cvs_date("Date: 2019/11/05");
    
      script_cve_id("CVE-2014-0050", "CVE-2014-0094");
      script_bugtraq_id(65400, 65999);
    
      script_name(english:"Apache Struts 2.x < 2.3.16.2 Multiple Vulnerabilities (S2-020)");
      script_summary(english:"Checks the Struts 2 version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A web application running on the remote host uses a Java framework that is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Apache Struts running on the remote host is 2.x prior to 2.3.16.2. It, therefore, is affected by
    multiple vulnerabilities:
    
      - A denial of service vulnerability exists in MultipartStream.java in Apache Commons FileUpload due to failure to
        handle exceptional conditions. A remote, unauthenticated attacker can exploit this issue to cause the application
        to enter an infinite loop which may cause a denial of service condition. (CVE-2014-0050)
    
      - A class loader manipulation flaw exists in ParametersInterceptor due to improper validation of input data. An
        attacker can exploit this issue to bypass certain security restrictions and manipulate the ClassLoader.
        (CVE-2014-0094)
    
    Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
    number.");
      # https://cwiki.apache.org/confluence/display/WW/S2-020
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2926fce9");
      # https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.16.2
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e39cc37e");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apache Struts version 2.3.16.2 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-0050");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apache Struts ClassLoader Manipulation Remote Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"agent", value:"all");
    
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/03/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/03/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/09/10");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("os_fingerprint.nasl", "struts_detect_win.nbin", "struts_detect_nix.nbin", "struts_config_browser_detect.nbin");
      script_require_keys("Settings/ParanoidReport");
      script_require_ports("installed_sw/Apache Struts", "installed_sw/Struts");
    
      exit(0);
    }
    
    include('vcf.inc');
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    
    app_info = vcf::combined_get_app_info(app:'Apache Struts');
    
    vcf::check_granularity(app_info:app_info, sig_segments:3);
    
    constraints = [
      { 'min_version' : '2.0.0', 'fixed_version' : '2.3.16.2' }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
    
  • NASL familyMisc.
    NASL idIBM_STORWIZE_1_5_0_2.NASL
    descriptionThe remote IBM Storwize device is running a version that is 1.3.x prior to 1.4.3.4 or 1.5.x prior to 1.5.0.2. It is, therefore, affected by multiple vulnerabilities : - A denial of service vulnerability exists due to a flaw in the bundled version of Apache HTTP Server. A remote attacker can exploit this, via partial HTTP requests, to cause a daemon outage, resulting in a denial of service condition. (CVE-2007-6750) - An HTTP request smuggling vulnerability exists due to a flaw in the bundled version of Apache Tomcat; when an HTTP connector or AJP connector is used, Tomcat fails to properly handle certain inconsistent HTTP request headers. A remote attacker can exploit this flaw, via multiple Content-Length headers or a Content-Length header and a
    last seen2020-06-01
    modified2020-06-02
    plugin id84401
    published2015-06-26
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84401
    titleIBM Storwize 1.3.x < 1.4.3.4 / 1.5.x < 1.5.0.2 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(84401);
      script_version("1.10");
      script_cvs_date("Date: 2019/11/22");
    
      script_cve_id(
        "CVE-2007-6750",
        "CVE-2013-4286",
        "CVE-2013-4322",
        "CVE-2014-0075",
        "CVE-2014-0094",
        "CVE-2014-0096",
        "CVE-2014-0099",
        "CVE-2014-0119",
        "CVE-2014-0178",
        "CVE-2014-1555",
        "CVE-2014-1556",
        "CVE-2014-1557",
        "CVE-2014-3077",
        "CVE-2014-3493",
        "CVE-2014-4811"
      );
      script_bugtraq_id(
        21865,
        65767,
        65773,
        65999,
        67667,
        67668,
        67669,
        67671,
        67686,
        68150,
        68814,
        68822,
        68824,
        69771,
        69773
      );
      script_xref(name:"CERT", value:"719225");
    
      script_name(english:"IBM Storwize 1.3.x < 1.4.3.4 / 1.5.x < 1.5.0.2 Multiple Vulnerabilities");
      script_summary(english:"Checks for vulnerable Storwize versions.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote IBM Storwize device is affected by multiple
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote IBM Storwize device is running a version that is 1.3.x
    prior to 1.4.3.4 or 1.5.x prior to 1.5.0.2. It is, therefore, affected
    by multiple vulnerabilities :
    
      - A denial of service vulnerability exists due to a flaw
        in the bundled version of Apache HTTP Server. A remote
        attacker can exploit this, via partial HTTP requests,
        to cause a daemon outage, resulting in a denial of
        service condition. (CVE-2007-6750)
    
      - An HTTP request smuggling vulnerability exists due to a
        flaw in the bundled version of Apache Tomcat; when an
        HTTP connector or AJP connector is used, Tomcat fails to
        properly handle certain inconsistent HTTP request
        headers. A remote attacker can exploit this flaw, via
        multiple Content-Length headers or a Content-Length
        header and a 'Transfer-Encoding: chunked' header, to
        smuggle an HTTP request in one or more Content-Length
        headers. (CVE-2013-4286)
    
      - A denial of service vulnerability exists in the bundled
        version of Apache Tomcat due to improper processing of
        chunked transfer coding with a large amount of chunked
        data or whitespace characters in an HTTP header value
        within a trailer field. An unauthenticated, remote
        attacker can exploit this to cause a denial of service
        condition. (CVE-2013-4322)
    
      - A denial of service vulnerability exists due to a flaw
        in the bundled version of Apache Tomcat; an integer
        overflow condition exists in the parseChunkHeader()
        function in ChunkedInputFilter.java. A remote attacker
        can exploit this, via a malformed chunk size that is
        part of a chunked request, to cause excessive
        consumption of resources, resulting in a denial of
        service condition. (CVE-2014-0075)
    
      - A remote code execution vulnerability exists due to a
        flaw in the bundled version of Apache Struts. A remote
        attacker can manipulate the ClassLoader via the class
        parameter, resulting in the execution of arbitrary Java
        code. (CVE-2014-0094)
    
      - An XML External Entity (XXE) injection vulnerability
        exists due to a flaw in the bundled version of Apache
        Tomcat; an incorrectly configured XML parser accepts
        XML external entities from an untrusted source via XSLT.
        A remote attacker can exploit this, by sending specially
        crafted XML data, to gain access to arbitrary files.
        (CVE-2014-0096)
    
      - An integer overflow condition exists in the bundled
        version of Apache Tomcat. A remote attacker, via a
        crafted Content-Length HTTP header, can conduct HTTP
        request smuggling attacks. (CVE-2014-0099)
    
      - An information disclosure vulnerability exists due to a
        flaw in the bundled version of Apache Tomcat. Tomcat
        fails to properly constrain the class loader that
        accesses the XML parser used with an XSLT stylesheet. A
        remote attacker can exploit this, via a crafted web
        application that provides an XML external entity
        declaration in conjunction with an entity reference, to
        read arbitrary files. (CVE-2014-0119)
    
      - A flaw exists in a bundled version of Samba due to a
        flaw in the vfswrap_fsctl() function that is triggered
        when responding to FSCTL_GET_SHADOW_COPY_DATA or
        FSCTL_SRV_ENUMERATE_SNAPSHOTS client requests. An
        unauthenticated, remote attacker can exploit this, via
        a specially crafted request, to disclose sensitive
        information from process memory. (CVE-2014-0178)
    
      - Multiple flaws exist in the bundled version of Mozilla
        Firefox that allow a remote attacker to execute
        arbitrary code. (CVE-2014-1555, CVE-2014-1556,
        CVE-2014-1557)
    
      - An information disclosure vulnerability exists due to
        the chkauth password being saved in plaintext in the
        audit log. A local attacker can exploit this to gain
        administrator access. (CVE-2014-3077)
    
      - A denial of service vulnerability exists due to a flaw
        in the bundled version of Samba. An authenticated,
        remote attacker can exploit this, via an attempt to read
        a Unicode pathname without specifying the use of
        Unicode, to cause an application crash. (CVE-2014-3493)
      
      - A security bypass vulnerability exists due to an
        unspecified flaw. A remote attacker can exploit this
        flaw to reset the administrator password to its default
        value via a direct request to the administrative IP
        address. Note that this vulnerability only affects the
        1.4.x release levels. (CVE-2014-4811)");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004834");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004836");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004837");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004854");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004860");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004861");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004867");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004869");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004835");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to IBM Storwize version 1.4.3.4 / 1.5.0.2 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-1557");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apache Struts ClassLoader Manipulation Remote Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/01/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/07/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/26");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:ibm:storwize_unified_v7000");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:ibm:storwize_v7000");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:ibm:storwize_v5000");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:ibm:storwize_v3700");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:ibm:storwize_v3500");
      script_set_attribute(attribute:"cpe", value:"cpe:/h:ibm:san_volume_controller");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:storwize_v7000_unified_software");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:storwize_v7000_software");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:storwize_v5000_software");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:storwize_v3700_software");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:storwize_v3500_software");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:san_volume_controller_software");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ibm_storwize_detect.nbin");
      script_require_keys("Host/IBM/Storwize/version", "Host/IBM/Storwize/machine_major", "Host/IBM/Storwize/display_name");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    version = get_kb_item_or_exit("Host/IBM/Storwize/version");
    machine_major = get_kb_item_or_exit("Host/IBM/Storwize/machine_major");
    display_name = get_kb_item_or_exit("Host/IBM/Storwize/display_name");
    
    if (
      machine_major != "2073" && # V7000 Unified
      machine_major != "2071" && # V3500
      machine_major != "2072" && # V3700
      machine_major != "2076" && # V7000
      machine_major != "2077" && # V5000
      machine_major != "2145" && # SAN Volume Controller
      machine_major != "4939"    # Flex System V7000 Storage Node
    ) audit(AUDIT_DEVICE_NOT_VULN, display_name);
    
    if (version == UNKNOWN_VER || version == "Unknown")
      audit(AUDIT_UNKNOWN_APP_VER, display_name);
    
    if (machine_major == "2073")
    {
      if (version =~ "^1\.[3-4]\.") fix = "1.4.3.4";
      else if (version =~ "^1\.5\.") fix = "1.5.0.2";
      else audit(AUDIT_DEVICE_NOT_VULN, display_name, version);
    }
    else
    {
      if (version =~ "^((6\.[1234])|(7\.[12]))\.") fix = "7.2.0.8";
      else if (version =~ "^7\.3\.") fix = "7.3.0.5";
      else audit(AUDIT_DEVICE_NOT_VULN, display_name, version);
    }
    
    if (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0)
      audit(AUDIT_DEVICE_NOT_VULN, display_name, version);
    
    if (report_verbosity > 0)
    {
      report =
        '\n  Name              : ' + display_name +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fix +
        '\n';
      security_hole(port:0, extra:report);
    }
    else security_hole(port:0);
    

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/126445/struts_code_exec_classloader.rb.txt
idPACKETSTORM:126445
last seen2016-12-05
published2014-05-02
reporterMark Thomas
sourcehttps://packetstormsecurity.com/files/126445/Apache-Struts-ClassLoader-Manipulation-Remote-Code-Execution.html
titleApache Struts ClassLoader Manipulation Remote Code Execution

Seebug

bulletinFamilyexploit
descriptionCVE ID: CVE-2014-0094. Struts2 is a second-generation Java enterprise web application framework built on the Model-View-Controller (MVC) pattern. The application allows access to a 'class' parameter that is mapped directly to the 'getClass()' method, which can be exploited to manipulate the ClassLoader of the application server in use. Affected: Apache Struts 2.x. Vendor patch: Apache ----- The vendor has released an upgrade that fixes this security issue; download it from the vendor's site: http://struts.apache.org/release/2.3.x/docs/s2-020.html
idSSV:61709
last seen2017-11-19
modified2014-03-10
published2014-03-10
reporterRoot
titleApache Struts ClassLoader Manipulation Vulnerability
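The Seebug and Metasploit entries describe the mechanism the same way: a request parameter whose name is the bean property 'class' is resolved to getClass(), and from there the parameter path walks into the ClassLoader. That gives a detection signal that does not depend on any particular payload: any parameter name containing a 'class' segment in its property path. The following Python is an added example, written for this page rather than taken from any of the listed sources, that parses combined-format access-log lines, splits each parameter name into OGNL-style path segments (dotted, ['quoted'] and [bracketed] forms, so nested and capitalised variants are caught too, which is my own generalisation) and flags requests whose name path contains 'class'. The log lines, hosts and paths are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined-format access log line; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

# One OGNL-style property-path segment: .name, ['name'], ["name"], [name]
SEG_RE = re.compile(r"""
      \.?([A-Za-z_$][\w$]*)     # dotted identifier, e.g. foo or .foo
    | \[\s*'([^']*)'\s*\]       # ['foo']
    | \[\s*"([^"]*)"\s*\]       # ["foo"]
    | \[([^\]]*)\]              # [foo] or [0]
""", re.VERBOSE)


def ognl_segments(name: str) -> list:
    """user['class'].classLoader[0] -> ['user', 'class', 'classLoader', '0'].
    Text the grammar does not recognise is kept as one opaque trailing segment."""
    segs, pos = [], 0
    while pos < len(name):
        m = SEG_RE.match(name, pos)
        if not m:
            segs.append(name[pos:])
            break
        segs.append(next(g for g in m.groups() if g is not None))
        pos = m.end()
    return segs


def is_class_probe(param_name: str) -> bool:
    """True when any path segment is the property 'class' (any case), i.e. the
    request is reaching for getClass(). 'className' as a name, or 'class' as
    a value, is not a hit."""
    return any(seg.lower() == "class" for seg in ognl_segments(param_name))


def scan_access_log(lines) -> list:
    """One hit per request whose query string carries a class-path parameter
    name. POST bodies never appear in an access log, so only URL-borne probes
    are visible here."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        for name, _value in parse_qsl(url.query, keep_blank_values=True):
            if is_class_probe(name):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "path": url.path, "param": name})
                break
    return hits


# Constructed sample log: addresses, paths and timestamps are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/May/2014:10:15:01 +0000] "GET /app/HelloWorld.action?class.classLoader.defaultAssertionStatus=true HTTP/1.1" 200 512',
    '203.0.113.5 - - [02/May/2014:10:15:03 +0000] "GET /app/HelloWorld.action?Class.classLoader.defaultAssertionStatus=true HTTP/1.1" 200 512',
    "198.51.100.7 - - [02/May/2014:10:16:10 +0000] \"GET /app/Login.action?user%5B'class'%5D.classLoader.defaultAssertionStatus=true HTTP/1.1\" 200 512",
    '198.51.100.9 - - [02/May/2014:10:17:00 +0000] "GET /app/Search.action?className=Widget&page=2 HTTP/1.1" 200 2048',
    '198.51.100.9 - - [02/May/2014:10:17:05 +0000] "GET /app/Search.action?q=class HTTP/1.1" 200 2048',
    '198.51.100.9 - - [02/May/2014:10:17:09 +0000] "POST /app/Save.action HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['path']} param={hit['param']}")
```

Matching on the parameter name rather than on a known payload is the point: the Struts fix in the same release train works by excluding parameter names, and a detection keyed to the name catches probes whatever ClassLoader property they end on. The blind spot is the one stated in the docstring: Struts populates parameters from POST bodies as well, which a plain access log does not record, so for full coverage the same check has to run where the request body is visible (a WAF, a reverse proxy with body logging, or the application itself).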