Page History

Showcase app vulnerability allows remote command execution

{code}
# submit the form

The issue, in order to work, need a redirect result defined as the following:
{code}
<action name="save" class="org.apache.struts2.showcase.action.SkillAction" method="save">
    <result type="redirect">edit.action?skillName=${currentSkill.name}</result>
</action>
{code}    

h2. Solution

The regex pattern inside the ParameterInterceptor was changed to provide a more narrow space of acceptable parameter names. 
Furthermore the new setParameter method provided by the value stack will allow no more eval expression inside the param names.


{warning}
*It is strongly recommended to upgrade to [Struts 2.3.1.2|http://struts.apache.org/download.cgi#struts2312], which contains the corrected OGNL and XWork library.*
{warning}

In case an upgrade isn't possible in a particular environment, there is a configuration based mitigation workaround:

h3. Possible Mitigation Workaround: Configure ParametersIntercptor in struts.xml to Exclude Malicious Parameters

The following additional interceptor-ref configuration should mitigate the problem when applied correctly, allowing only simple navigational expression:
{code}
<interceptor-ref name="params">
	<param name="acceptParamNames">\w+((\.\w+)|(\[\d+\])|(\['\w+'\]))*</param>
</interceptor-ref>
{code}
{note:title}
Beware that the above pattern breaks [the type conversion support for collection and map|http://struts.apache.org/2.3.1.1/docs/type-conversion.html#TypeConversion-CollectionandMapSupport] (those parameter names should be attached to acceptParamNames variable).
For this configuration to work correctly, it has to be applied to *any params interceptor ref in any stack an application is using*.
E.g., if an application is configured to use defaultStack as well as paramsPrepareParamsStack, you should copy both stack definitions from struts-default.xml to the application's struts.xml config file and apply the described excludeParams configuration for each params interceptor ref, that is *once for defaultStack and twice for paramsPrepareParamsStack*
{note}

public void testUnsecureRedirect() {
    final String pwnDir = "/tmp/PWNAGE";
    final Map<String, String> fakeAction = new HashMap<String, String>() {
        {
            put("skillName", "%{(#context['xwork.MethodAccessor.denyMethodExecution']=false)(#_memberAccess['allowStaticMethodAccess']=true)(@java.lang.Runtime@getRuntime().exec('mkdir " + pwnDir + "'))}");
        }
    };

    String location = "/context/edit.action?skillName=true";
    responseMock.expectAndReturn("encodeRedirectURL", C.anyArgs(1), location);
    responseMock.expect("sendRedirect", C.args(C.eq(location)));
    requestMock.expectAndReturn("getAttribute", C.args(C.eq("javax.servlet.include.servlet_path")), location);

    ValueStack stack = ai.getStack();
    stack.push(fakeAction);

    view.setLocation("edit.action?skillName=${skillName}");
    view.setParse(true);


    try {
        view.execute(ai);

        requestMock.verify();

        File pwn = new File(pwnDir);
        boolean exists = pwn.exists();
        FileUtils.deleteDirectory(pwn);
        assertFalse("Remote exploit: The PWN folder has been created", exists);

        Object dme = stack.getContext().get("xwork.MethodAccessor.denyMethodExecution");

        assertTrue("DenyMethodExecution has been disabled", dme == null || BooleanUtils.toBoolean(dme.toString()));

    } catch (Exception e) {
        e.printStackTrace();
        fail();
    }
}

It is strongly recommended to upgrade to Struts 2.3.14.3, which contains the corrected OGNL and XWork library.