Analysis of the recent batch of Struts2 vulnerabilities (2013)

Posted by fierce at 2020-03-04

By Empty Prodigal (Weibo). Perhaps because of a communication problem, the Struts 2 team misunderstood the S2-012 report I submitted: the advisory describes it as a vulnerability in a Struts 2 sample application, yet the patch was made to the framework itself. This S2-012 has since set off a whole chain of events.

Frankly, I am writing this article out of anger. Anyone who has held a 0day for a long time gets angry when someone else publishes it. Last year at XCon I disclosed S2-012, and in fact Struts 2 had a similar flaw. The user input that the Struts framework receives is not limited to parameter names and parameter values; there are other places, such as the file name in the URL. The flaw is that Struts 2 parses the file name portion of the URL and ends up executing it as OGNL. There are a few technical details in the process, which I analyse below.

The enableOGNLEvalExpression deception

Seeing this word in the vulnerability announcement, it is easy to assume that Struts 2 has killed OGNL expression evaluation outright and that everything is over. In fact only one way of invoking OGNL was forbidden, and that way is only used in S2-013. Struts 2 made another, more far-reaching change elsewhere, and that is what really defends against the vulnerability.

Originally the code was written so that when execution reached translateAndEncode, OGNL was invoked; its logic combined two functions, the OGNL translate function and the URLEncode function.

After the patch it only performs URLEncode and no longer executes OGNL. This has nothing to do with enableOGNLEvalExpression.

I did not read the change in detail; just from the change of method name I felt I could call it a day, with no need to dig further.

The allowStaticMethodAccess deception

allowStaticMethodAccess has always been standard equipment in Struts 2 POCs; it has been there since the very first POC appeared. On May 27, 2013, a few days ago (you can check the SVN log yourself), Struts 2 did a dirty thing and deleted the following code:

The direct consequence is that the following statement, which appears in every later OGNL POC,

is bound to throw an error, because the set method no longer exists. This has the flavour of ending everything: even if a new OGNL vulnerability appears in the future, you can no longer write this statement. But I can bypass it. Let me take the S2-015 vulnerability as an example.

Grumbling about S2-015

In fact the publisher released several vulnerabilities at once, including S2-015 and S2-012. The details are at

It is very detailed; a colleague thinks the author's analysis is better than mine, so I will not write a translation. Go and read it for yourselves. Thinking about it afterwards, I speculate that the foreigner may have run into S2-012, and that this led to the publication of his article. Of course this is only my personal fantasy. The publisher holds two 0days; unfortunately, I hold the same two. Last year I released one at XCon and submitted it to the project, but he did not know that, because the project did not publicly fix it until this year. A few days ago, the project suddenly and publicly fixed a 0day I had released. The foreigner may well have been angry when he saw S2-012, because the vulnerability was exactly the same as the 0day he had analysed; furious, he bundled it together with his other 0days into an article. As you can see, the publisher published straight from his blog, and only after receiving the message did the project start patching. The trigger code of this vulnerability is very similar to S2-012, so once you understand S2-012 you can think of this 0day, and it is easy to test for. I saw a similar usage at the time and found it by testing. I believe many vulnerabilities are found under similar circumstances. It may not even be in your hands, yet you are still annoyed. The POC for S2-015 is as follows:

Because the setting #_memberAccess["allowStaticMethodAccess"]=true appears in the POC, the publisher said that upgrading to S2-014 would mitigate it. In fact the publisher misunderstood, but the Struts 2 developers did not, so they quickly released S2-015. If you do not look closely, you will indeed find that the POC no longer works after S2-014 and that, as the foreigner's article says, the issue has been mitigated. So how do you attack it? Every OGNL POC relies on one little trick: enabling static method execution. The project then forbade changing that setting, which means static method execution is forbidden forever. The @java.lang.Runtime@getRuntime() in the POC really is a static method call, so static access has to be enabled for it; but that is just one way of writing the Java call. We can write it another way and get around the restriction.

In this code no static method is called: we simply construct a new object and then invoke one of its instance methods. So system commands can be executed without allowStaticMethodAccess at all. This little trick is good for several things. 1. It bypasses some WAFs. I will not say which, so you cannot cheat for the prize. 2. It paves the way for executing OGNL code in the future, so that when the next 0day arrives we are not prevented from writing a POC by this restriction.

The S2-015 fix

Briefly: there is not much research value here. In this fix the project took the approach of restricting the action name, allowing only

Summary

To summarize, the input points for OGNL expressions in Struts 2 are: 1. the request parameter name; 2. the request parameter value; 3. the request file name; 4. the cookie name of the request; 5. the body of the response. It seems that just about everything except the HTTP headers has been faulty at some point, and not much is left. For a popular framework to expose remote code execution in so many places is really hard on the Struts developers. At the same time, I have to ask those of you who use Struts: how have you gotten through these years? At Alibaba I often analyse Struts 2 vulnerabilities and issue a report; sometimes it is a 0day, so a patch has to be issued for every project. Finally, when the project publishes its official patch, we evaluate whether we need to switch back to it. As a result we often persuade developers not to use this framework if at all possible; especially during the initial review of a project, when we find Struts 2 we become obnoxious and say many things to scare the developers off. Under this trend I no longer count on luck with this thing, and decided to roll out a virtual patch. As for Ali's actual plan, of course I cannot tell you, but I can talk about the idea.

The unified defense: first upgrade to the latest version. Then, at the entry point of the OGNL language, add intercepting code; once a dangerous call is found, kill it directly. The principle is to inspect the statement before OGNL executes it and kill it against a blacklist. In theory developers never write their own OGNL that operates on files, executes commands and so on; at most they take a value from the session or a value from the page. Override the ognl.Ognl class and add the following code:
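The author's own interception code is not reproduced on this page, so the class below is an added illustration of the idea described in the summary (a blacklist applied to the OGNL statement before it is evaluated), written for this article; it is not the author's or Alibaba's code. It also shows, as discussed in the S2-015 section above, why a check keyed only on allowStaticMethodAccess or on @Class@ static calls is insufficient: the "new java.lang.ProcessBuilder(...)" form executes commands without any static access, so the denylist has to cover object construction and reflection as well. The class name OgnlVirtualPatch, the method names, and the particular patterns in the denylist are all assumptions chosen for this example; the only fixed point is the hook location the author names, which is the entry to OGNL evaluation (an overridden ognl.Ognl.getValue would call check() before delegating).

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

/**
 * OgnlVirtualPatch: a denylist run over an OGNL expression string before it is
 * handed to the OGNL engine. Illustrative code for this article, not the
 * author's actual patch. The denylist entries below are assumptions, each one
 * modelled on a construct that appears in the Struts 2 POCs discussed above.
 */
public final class OgnlVirtualPatch {

    private static final List<Pattern> DENYLIST = Arrays.asList(
        // static member access: @java.lang.Runtime@getRuntime(), @org...IOUtils@toString(...)
        Pattern.compile("@[\\w.$]+@"),
        // object construction, e.g. new java.lang.ProcessBuilder(...): the non-static bypass
        Pattern.compile("\\bnew\\s+[\\w.$]+\\s*\\("),
        // tampering with the member access policy or the OGNL context itself
        Pattern.compile("#_memberAccess|#context\\b|xwork\\.MethodAccessor\\.denyMethodExecution"),
        // reflection used to reach a field or method the policy is supposed to hide
        Pattern.compile("\\.(getClass|getDeclaredField|getDeclaredMethod|setAccessible|forName)\\s*\\("),
        // dangerous JDK classes named literally, however they are reached
        Pattern.compile("java\\.lang\\.(Runtime|ProcessBuilder|Thread|System)\\b|java\\.io\\.File\\b|javax\\.script\\b"),
        // OGNL double evaluation, (expr)(...), used by the older Struts 2 POCs
        Pattern.compile("\\)\\s*\\(")
    );

    /** Returns the pattern that matched, or null when the expression is allowed through. */
    public static String findViolation(String expression) {
        if (expression == null) {
            return null;
        }
        // Collapse whitespace so "new   java.lang.ProcessBuilder" is still matched
        String normalised = expression.replaceAll("\\s+", " ");
        for (Pattern p : DENYLIST) {
            if (p.matcher(normalised).find()) {
                return p.pattern();
            }
        }
        return null;
    }

    /**
     * Gate to call at the OGNL entry point. In production this is where you would
     * log the offending statement and raise an alert before refusing it; that alert
     * is the kind of hook the author alludes to when he mentions his mailbox.
     */
    public static void check(String expression) {
        String hit = findViolation(expression);
        if (hit != null) {
            throw new SecurityException("OGNL statement rejected by virtual patch, matched: " + hit);
        }
    }

    public static void main(String[] args) {
        // Constructed sample statements: two benign ones a developer might write,
        // followed by fragments of the POC styles discussed in this article.
        String[] samples = {
            "#session.user.name",
            "%{#request.title}",
            "#_memberAccess['allowStaticMethodAccess']=true,@java.lang.Runtime@getRuntime().exec('id')",
            "new java.lang.ProcessBuilder({'id'}).start()",
            "#m=#request.getClass().getDeclaredField('x'),#m.setAccessible(true)"
        };
        for (String s : samples) {
            String hit = findViolation(s);
            System.out.println((hit == null ? "ALLOW  " : "BLOCK  ") + s
                    + (hit == null ? "" : "    <- " + hit));
        }
    }
}
```

Running main prints ALLOW for the two session and request lookups and BLOCK for the three POC fragments, including the ProcessBuilder form that contains no @ and no allowStaticMethodAccess. Two caveats a practitioner should keep in mind: a blacklist like this only works because of the premise stated in the summary, that application OGNL never legitimately touches these constructs, so every pattern should be confirmed against the application's own JSP and XML before deployment; and it is a virtual patch, not a fix, which is why the author puts "upgrade to the latest version first" ahead of it.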

Why is a QQ mailbox in there? I will not give the specific reason, only the result: my mailbox receives 0days. If you have really understood the above, guess why. By: Empty Prodigal. Weibo: