Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Struts vulnerability patch released by apache, patch now SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Struts vulnerability patch released by apache, patch now

UPDATE2: a Metasploit module has been released. Some limited workarounds may be available. Otherwise patch now!

UPDATE: a link to a working exploit has been seen. As of yet no IDS or WAF signatures/rules have been posted. (2017/09/05 20:30h EDT)

Anyone using Struts 2 should immediately upgrade to Struts 2.5.13 due to a  remote code execution vulnerability. It has been assigned CVE-2017-9805 and a detailed technical writeup is available here: https://lgtm.com/blog/apache_struts_CVE-2017-9805_announcement.

A work around would be to disable access to the REST API used by Struts as it does not correctly deserialize objects when invoked. 

Every once in a while along comes a vulnerability that should cause you to consider actually updating the platform your application runs on! Now that the patch is available it will not be long before a working exploit is out in the wild. 

Cheers,
Adrien de Beaupré, SANS Instructor and Co-author of #SEC642
Intru-shun.ca Inc.

 Adrien de Beaupre

353 Posts
ISC Handler
Subscribe Sep 6th 2017
2 years ago
Johannes mentioned disabling REST to mitigate exploitation. Has anyone confirmed this is effective with the public exploit code available? I'm not an Apache Struts admin but quick searches did not identify how to disable this. Any help with a link or steps on disabling would be greatly appreciated.
 Anonymous
Quote Sep 6th 2017
2 years ago
I believe that you can modify the configuration to restrict REST by setting the struts-plugin.xml value:
<constant name="struts.action.extension" value="xhtml,,json" />
as per: struts.apache.org/docs/…
and
struts.apache.org/docs/…

Can anyone validate, I do not have access to a Struts 2 install at the moment.
Can you remove the struts2-rest-plugin.jar file?

Cheers,
Adrien
 Adrien de Beaupre

353 Posts
ISC Handler
Quote Sep 6th 2017
2 years ago
I saw an attempt on my website, posted details here: blog.nviso.be/2017/09/07/active-exploitation-of-struts-vulnerability-s2-052-cve-2017-9805/

Ping me if you want the pcap.
 DidierStevens

403 Posts
ISC Handler
Quote Sep 7th 2017
2 years ago
Yes please -> handlers@isc.sans.edu
 Adrien de Beaupre

353 Posts
ISC Handler
Quote Sep 8th 2017
2 years ago
I would like to see the pcap file please kwestin@gmail.com

Thank You
 Anonymous
Quote Sep 13th 2017
2 years ago

Sign Up for Free or Log In to start participating in the conversation!