{"id":84776,"date":"2017-09-07T14:36:18","date_gmt":"2017-09-07T09:06:18","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=84776"},"modified":"2017-09-07T15:23:18","modified_gmt":"2017-09-07T09:53:18","slug":"cve-2017-9805-apache-struts-2-remote-code-execution-vulnerability-quick-heal-security-labs","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/cve-2017-9805-apache-struts-2-remote-code-execution-vulnerability-quick-heal-security-labs\/","title":{"rendered":"CVE-2017-9805 | Apache Struts 2 Remote Code Execution Vulnerability &#8211; An analysis by Quick Heal Security Labs"},"content":{"rendered":"<p>A critical remote code execution vulnerability has been discovered in the popular web application framework <a href=\"https:\/\/struts.apache.org\/\">Apache Struts<\/a>, which allows attackers to execute arbitrary code. To address this issue, Apache Struts has issued a security <a href=\"https:\/\/struts.apache.org\/docs\/s2-052.html\">advisory<\/a> and <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-9805\">CVE-2017-9805<\/a> has been assigned to it. The attacker may use this vulnerability to target organizations across the globe. Web applications running on the Apache Struts framework that use the <a href=\"https:\/\/struts.apache.org\/docs\/rest-plugin.html\">REST<\/a> (Representational State Transfer) plugin are affected by this vulnerability.<\/p>\n<p><strong>Vulnerable versions<\/strong><\/p>\n<ul>\n<li>Struts 2.5 &#8211; Struts 2.5.12<\/li>\n<\/ul>\n<p><strong>Vulnerability<\/strong><\/p>\n<p>The root cause of this vulnerability lies in the handling of deserialized input data by the REST plugin of an Apache Struts application. This vulnerability allows remote attackers to achieve remote code execution by sending a crafted POST request. The attackers can embed commands into a vulnerable field of the POST request body. 
The vulnerability is triggered while processing a crafted POST request whose \u2018Content-Type\u2019 header is set to \u2018application\/xml\u2019.<\/p>\n<p>We reproduced the vulnerability by using a readily available Metasploit-compatible <a href=\"https:\/\/github.com\/rapid7\/metasploit-framework\/pull\/8924\/files\">POC<\/a>.\u00a0 Below is the captured traffic showing the crafted POST request that triggers the vulnerability.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-84777\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/09\/Fig_1_1-650x44.jpg\" alt=\"fig_1_1\" width=\"650\" height=\"44\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/09\/Fig_1_1-650x44.jpg 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/09\/Fig_1_1-300x20.jpg 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/09\/Fig_1_1-768x52.jpg 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/09\/Fig_1_1-789x54.jpg 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/09\/Fig_1_1.jpg 1361w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><\/p>\n<figure id=\"attachment_84778\" aria-describedby=\"caption-attachment-84778\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-84778\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/09\/Fig_1_2-650x309.jpg\" alt=\"Fig 1. 
Vulnerability Trigger\" width=\"650\" height=\"309\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/09\/Fig_1_2-650x309.jpg 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/09\/Fig_1_2-300x143.jpg 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/09\/Fig_1_2-768x365.jpg 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/09\/Fig_1_2-789x375.jpg 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/09\/Fig_1_2.jpg 871w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-84778\" class=\"wp-caption-text\">Fig 1. Vulnerability Trigger<\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_84779\" aria-describedby=\"caption-attachment-84779\" style=\"width: 650px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-84779\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/09\/Fig3-650x121.jpg\" alt=\"Fig 2. Payload drop at \/tmp location on server\" width=\"650\" height=\"121\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/09\/Fig3-650x121.jpg 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/09\/Fig3-300x56.jpg 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/09\/Fig3.jpg 730w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-84779\" class=\"wp-caption-text\">Fig 2. Payload drop at \/tmp location on server<\/figcaption><\/figure>\n<p><strong>Quick Heal detection<\/strong><\/p>\n<p>Quick Heal has released the following IPS detection for the vulnerability <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-9805\" target=\"_blank\">CVE-2017-9805<\/a>.<\/p>\n<ul>\n<li>VID-03103: Apache Struts Remote Command Execution<\/li>\n<\/ul>\n<p>This critical vulnerability has been patched by Apache Struts. 
We strongly recommend that users upgrade their Apache Struts installation to\u00a0<a href=\"https:\/\/cwiki.apache.org\/confluence\/display\/WW\/Version+Notes+2.3.34\">2.3.34<\/a>\u00a0or\u00a0<a href=\"https:\/\/cwiki.apache.org\/confluence\/display\/WW\/Version+Notes+2.5.13\">2.5.13<\/a>\u00a0as per the advisory and also apply the latest security updates by Quick Heal.<\/p>\n<p><strong>References<\/strong><\/p>\n<p><a href=\"https:\/\/lgtm.com\/blog\/apache_struts_CVE-2017-9805\">https:\/\/lgtm.com\/blog\/apache_struts_CVE-2017-9805<\/a><u><br \/>\n<\/u><a href=\"https:\/\/struts.apache.org\/docs\/s2-052.html\">https:\/\/struts.apache.org\/docs\/s2-052.html<\/a><u><br \/>\n<\/u><a href=\"https:\/\/github.com\/rapid7\/metasploit-framework\/pull\/8924\/files\">https:\/\/github.com\/rapid7\/metasploit-framework\/pull\/8924\/files<\/a><\/p>\n<p><strong>Also Read: <\/strong><a href=\"https:\/\/blogs.quickheal.com\/cve-2017-5638-apache-struts-2-remote-code-execution-vulnerability\/\" target=\"_blank\">CVE-2017-5638 \u2013 Apache Struts 2 Remote Code Execution Vulnerability\u00a0<\/a><\/p>\n<p><strong>Subject Matter Experts<\/strong><\/p>\n<ul>\n<li>Aniruddha Dolas, Pallavi Pangavhane<strong> | <\/strong>Quick Heal Security Labs<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>A critical remote code execution vulnerability has been discovered in the popular web application framework Apache Struts, which allows attackers to execute arbitrary code. To address this issue, Apache Struts has issued a security advisory and CVE-2017-9805 has been assigned to it. The attacker may use this vulnerability to target organizations across the globe. 
[&hellip;]<\/p>\n","protected":false},"author":31,"featured_media":84782,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[133,24],"tags":[1492,1327,1491,892,38],"class_list":["post-84776","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacker","category-malware","tag-apache-struts","tag-cve","tag-cve-2017-9805","tag-security-patch-2","tag-vulnerability"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84776"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/31"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=84776"}],"version-history":[{"count":4,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84776\/revisions"}],"predecessor-version":[{"id":84785,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84776\/revisions\/84785"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/84782"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=84776"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=84776"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=84776"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}