Apache Struts framework performs secondary parsing on certain tag attribute values (e.g., id), allowing attackers to inject OGNL expressions that are evaluated during attribute rendering, leading to OGNL expression injection and potential remote code execution. Affected versions: Struts 2.0.0 to 2.5.20. The vulnerability can be reproduced by accessing a URL with an encoded OGNL expression, such as %{233*233}, which gets evaluated. A proof-of-concept (PoC) bypassing the sandbox in Struts 2.5.16 enables system command execution. The provided Python script demonstrates the exploit, successfully executing touch /tmp/success on the target container.
The Apache Struts framework performs a secondary parsing of certain tag attribute values, such as the id attribute. This allows an attacker to pass OGNL expressions that will be parsed again when the tag attributes are rendered, resulting in OGNL expression injection and potentially leading to remote code execution.
S2-059 Remote Code Execution Vulnerability (CVE-2019-0230)
%{233*233}, which gets evaluated. A proof-of-concept (PoC) bypassing the sandbox in Struts 2.5.16 enables system command execution. The provided Python script demonstrates the exploit, successfully executingtouch /tmp/successon the target container.The Apache Struts framework performs a secondary parsing of certain tag attribute values, such as the id attribute. This allows an attacker to pass OGNL expressions that will be parsed again when the tag attributes are rendered, resulting in OGNL expression injection and potentially leading to remote code execution.
Affected versions: Struts 2.0.0 - Struts 2.5.20
References:
Vulnerability Environment
Start the Struts 2.5.16 environment:
After starting the environment, visit http://your-ip:8080/?id=1 to see the test page.
Vulnerability Reproduction
Visit http://your-ip:8080/?id=%25%7B233*233%7D. You can observe that the result of 233*233 has been parsed into the id attribute:
The paper "OGNL Apache Struts exploit: Weaponizing a sandbox bypass (CVE-2018-11776)" provides a POC that bypasses the sandbox in Struts 2.5.16. This POC can be leveraged to execute system commands.
Use the following Python script to reproduce the vulnerability:
After executing the POC, entering the container reveals that touch /tmp/success has been successfully executed.