Struts 2 S2-016 Vulnerability Mitigation Till Upg

Published 2019-04-29 05:13

Recently struts patched a vulnerability allowing attackers to execute remote code. Apparently not patching this is like giving black-hats a red carpet welcome with a bandwagon :-/

http://struts.apache.org/release/2.3.x/docs/s2-016.html

Basically it allows attack command execution like this :

Legit action : http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}
Exploited action : http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}

While I know that upgrading should be done ASAP, "as soon as possible" will mean some time, since our code base uses old Struts versions and plugins.

That will require some refactoring to upgrade the Struts 2 libraries, which then need to be tested, etc.

My question therefore is whether anyone has any idea how to stop this vulnerability from being exploited? This would only be until we are able to upgrade.

I was wondering whether writing an interceptor to sanitize the URL before being evaluated against the OGNL is possible and if so will it mitigate this issue?

Another idea I had was to use the Java security manager somehow to stop arbitrary process invocations. Is this possible? Will it patch the hole temporarily?

The server being used is JBoss, if anyone thinks that's relevant.

3 answers
成全新的幸福
Reply #2 · 2019-04-29 05:21

The problem is related to DefaultActionMapper and how it handles special parameters. This class could be extended to override the handleSpecialParameters method. However, if you turn off DMI, these special parameters no longer work. Use the constant configuration:

<constant name="struts.enable.DynamicMethodInvocation" value="false"/>
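The question asks about an interceptor that screens the request before OGNL evaluation, and the answer above points at how DefaultActionMapper handles special parameters. As an added example, not code from this thread or from Struts: a servlet filter (javax.servlet API) that rejects any request carrying a parameter whose name starts with one of the prefixes named in the S2-016 advisory linked in the question (action:, redirect:, redirectAction:). The class name and the HTTP 400 response are my choices; the filter is assumed to be mapped in web.xml ahead of the Struts dispatcher filter so it runs first.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical stop-gap filter: rejects requests whose parameter NAMES carry an
 * S2-016 special prefix, before the Struts dispatcher filter can act on them.
 * Map it in web.xml above the Struts filter so it is the first to see the request.
 */
public class S2016PrefixFilter implements Filter {

    // Prefixes listed in the S2-016 advisory. The mapper matched them against
    // parameter names, so the check is on names, not on values.
    static final String[] BLOCKED_PREFIXES = {"action:", "redirect:", "redirectAction:"};

    private FilterConfig config;

    /** Returns true if any parameter name in the map starts with a blocked prefix. */
    static boolean hasSpecialPrefix(Map<String, String[]> params) {
        for (String name : params.keySet()) {
            for (String prefix : BLOCKED_PREFIXES) {
                if (name.startsWith(prefix)) {
                    return true;
                }
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getParameterMap() is already URL-decoded, so "redirect:%25{...}" in the raw
        // query string is seen here as "redirect:%{...}", the same way Struts sees it.
        @SuppressWarnings("unchecked")
        Map<String, String[]> params = req.getParameterMap();
        if (hasSpecialPrefix(params)) {
            config.getServletContext().log("S2-016 prefix rejected from " + req.getRemoteAddr());
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "unsupported parameter prefix");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) { this.config = cfg; }
    @Override public void destroy() {}
}
```

Rejecting the prefix itself is narrower than pattern-matching the query string for a class name like java.lang.ProcessBuilder, because any OGNL payload under those prefixes is refused regardless of what it contains.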
一纸荒年 Trace。
Reply #3 · 2019-04-29 05:23

As per the other comment, if you are using Apache in front of Tomcat, you can use this Apache configuration fragment to prevent requests reaching Tomcat:

RewriteEngine On
RewriteCond %{QUERY_STRING} java.lang.ProcessBuilder
RewriteRule (.*) - [F]
我想做一个坏孩纸
Reply #4 · 2019-04-29 05:28

If you have some web server in front of your application server, you can restrict access by URL. In Apache there is the mod_rewrite module, which you can use. Set the RewriteCond directive's QUERY_STRING variable to some query pattern and redirect to dev/null.
