Apache Struts2 is an open-source web application framework for Java EE, using MVC architecture. S2-067 is a variant of S2-066, resulting from an incomplete fix. S2-066 exploited case-sensitivity to overwrite filenames for directory traversal; S2-067 uses a different mechanism. In Struts2, parameter key names undergo OGNL expression evaluation. Although strict validation prevents RCE, expression evaluation still occurs. S2-67 exploits this to overwrite filenames during file upload, causing directory traversal. The exploit uses the OGNL expression top.fileFileName as part of a parameter key name, allowing path traversal to overwrite the filename and upload a JSP webshell outside the restricted directory.
Apache Struts2 is a popular open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API and encourages developers to adopt the Model-View-Controller (MVC) architecture. The framework provides developers with a rich set of tags and utilities to build enterprise-grade web applications that are easy to maintain and extend.
S2-067 is a variant of the S2-066 vulnerability, resulting from an incomplete fix for S2-066. While S2-066 exploited a case-sensitivity comparison issue to overwrite the filename and achieve directory traversal, S2-067 leverages a different mechanism to accomplish the same goal.
In Struts2, when parameters are passed, the parameter key names are all evaluated as OGNL expressions. This characteristic has historically led to multiple remote command execution vulnerabilities through OGNL expression injection. Although Struts2 has implemented strict parameter key name validation to prevent RCE vulnerabilities, expression evaluation still occurs. S2-067 exploits this expression evaluation mechanism to once again overwrite the filename during file upload, ultimately leading to a directory traversal issue.
Run the following command to start a web server built with Struts2 2.5.33:
docker compose up -d
Once the environment is up, visit http://your-ip:8080 to see the application page, which is a simple file upload page.
Vulnerability Reproduction
Before reproducing the S2-067 vulnerability, you should first read through S2-066 and understand the vulnerability's underlying principle.
In this environment, we can no longer use the same payload as in S2-066, because the case-sensitivity issue has been fixed:
By including the OGNL expression top.fileFileName as part of the filename parameter key, the file can once again be uploaded outside the restricted upload directory:
S2-067 File Upload Path Traversal Vulnerability (CVE-2024-53677)
top.fileFileNameas part of a parameter key name, allowing path traversal to overwrite the filename and upload a JSP webshell outside the restricted directory.Apache Struts2 is a popular open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API and encourages developers to adopt the Model-View-Controller (MVC) architecture. The framework provides developers with a rich set of tags and utilities to build enterprise-grade web applications that are easy to maintain and extend.
S2-067 is a variant of the S2-066 vulnerability, resulting from an incomplete fix for S2-066. While S2-066 exploited a case-sensitivity comparison issue to overwrite the filename and achieve directory traversal, S2-067 leverages a different mechanism to accomplish the same goal.
In Struts2, when parameters are passed, the parameter key names are all evaluated as OGNL expressions. This characteristic has historically led to multiple remote command execution vulnerabilities through OGNL expression injection. Although Struts2 has implemented strict parameter key name validation to prevent RCE vulnerabilities, expression evaluation still occurs. S2-067 exploits this expression evaluation mechanism to once again overwrite the filename during file upload, ultimately leading to a directory traversal issue.
References:
Environment Setup
Run the following command to start a web server built with Struts2 2.5.33:
Once the environment is up, visit http://your-ip:8080 to see the application page, which is a simple file upload page.
Vulnerability Reproduction
Before reproducing the S2-067 vulnerability, you should first read through S2-066 and understand the vulnerability's underlying principle.
In this environment, we can no longer use the same payload as in S2-066, because the case-sensitivity issue has been fixed:
By including the OGNL expression top.fileFileName as part of the filename parameter key, the file can once again be uploaded outside the restricted upload directory:
Key points to note during exploitation:
The JSP file is now uploaded outside the restricted upload directory and can be executed:
You can now access the webshell by visiting http://your-ip:8080/shell.jsp.