March 13, 2017

Talos has observed a new Apache Struts vulnerability that is being actively exploited in the wild. The vulnerability (CVE-2017-5638) is a remote code execution bug that affects the Jakarta Multipart parser in Apache Struts, referenced in this security advisory. Talos began investigating for exploitation attempts and found a high number of exploitation events. The majority of the exploitation attempts seem to be leveraging a publicly released PoC that is being used to run various commands. Talos has observed simple commands as well as more sophisticated commands, including pulling down a malicious ELF executable and executing it.

With exploitation actively underway, Talos recommends upgrading immediately if possible or following the workaround referenced in the above security advisory.
Exploitation Attempts

In searching through data, Talos was able to find ample examples of the vulnerability being targeted; detection was covered by signatures that were released on 3/7/2017 (41818, 41819).
Vulnerability Analysis
Apache Struts uses org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest to handle file uploads.
In the exploit, #nike='multipart/form-data' makes the expression evaluate as true, so the function getMultiPartRequest() is executed. It configures the struts.multipart.parser attribute using org.apache.struts2.dispatcher.multipart.JakartaMultiPartRequest.
The struts.multipart.parser used by the fileUpload interceptor to handle HTTP POST requests encoded with the MIME type multipart/form-data can be swapped out. Currently there are two choices, jakarta and pell. The jakarta parser is a standard part of the Struts 2 framework and needs only its required libraries added to a project. The pell parser uses Jason Pell's multipart parser instead of the Commons-FileUpload library. The pell parser is a Struts 2 plugin; for more details see: pell multipart plugin. There was a third alternative, cos, but it was removed due to licensing incompatibilities.
Finally, Struts 2 uses LocalizedTextUtil.findText in the function buildErrorMessage to build the error message, and the exploit takes advantage of LocalizedTextUtil.findText to execute OGNL commands.
Simple Probing

Below is an example of some of the simple probing attacks that are ongoing; they just check whether a system is vulnerable by executing a simple Linux command.
Running the PoC will create a text file in the /tmp directory on the target.
Attack Mitigation

One way to mitigate these targeted attacks is by applying Apache Struts patches. Patching the web server can be a never-ending race: new patches are released much faster than organizations can run them through staging and testing and then push them into production. An alternative is virtual patching through an external security tool such as a Web Application Firewall (WAF), which provides immediate protection to the web servers and applications, maintaining business continuity while the right patch is developed, staged and tested.


Exploit Databases

Author: Martin Voelk
November 27, 2014

What are exploits? Exploits are software snippets which have been written by security professionals or hackers in order to exploit a vulnerability or flaw in a piece of software or a service. Exploits alter the program flow and typically execute third-party code on the victim machine. The sole purpose of exploitation is to alter the intended functions of a system or service in order to gain access to the target system.

There are hundreds of exploits available on public websites.

The two main publicly available ones are:

  • securityfocus.com
  • exploit-db.com

There are also a number of websites and individuals who trade so-called ZERO-DAY exploits. Those are exploits for which the vendor has not yet provided a bug fix or update, because the exploit has not been made known to the public. Depending on the severity of the exploit, they are traded legally and illegally for tens of thousands of dollars. One of those providers is

  • vupen.com