Apache Struts is a widely used open-source component in web applications. However, these same benefits and Struts’ integration with other frameworks can make upgrades and patches challenging. A remote code execution vulnerability exists in the REST (representational state transfer) plugin, which uses XStreamHandler to insecurely deserialize user-supplied input in XML requests.
An unauthenticated remote attacker can exploit this and execute arbitrary code, via a specially crafted XML request. In this article I explain how an attacker might exploit this Apache Struts vulnerability to obtain root access to the host operating system.
A search for Apache Struts in Shodan.io reveals 7,455 computers running the application today online, primarily in the US and China. It is unlikely that they have all been patched for this vulnerability and many are probably still vulnerable to attack despite the potentially disastrous consequences. This vulnerability has been exploited in the past, exposing the data for millions of customers.
Figure 1: Shodan Results for Apache Struts Search
In the following pen test tutorial, we use the Armitage Metasploit GUI platform to enumerate a Unix target, identify the vulnerability, select an exploit, obtain code execution, and gain full control over the target server.
Armitage is an open-source GUI front-end to the Metasploit Framework that some pentesters favor over even the professional version of Metasploit due to its many useful features and easy integration with other tools. It was developed by Raphael Mudge, the creator of Cobalt Strike. But enough background! Let’s do some ethical hacking!
1. We start by running a quick Intense Scan with Nmap and identify three open ports with running services:
- 22/tcp OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
- 8009/tcp ajp13 Apache Jserv (Protocol v1.3)
- 8080/tcp Apache Tomcat 9.0.0.M26
Figure 2: Nmap Scan Results
2. Apache Tomcat is one of the most popular web server and servlet containers for Java code such as Struts 2. We notice the Apache Tomcat 9.0.0.M26 configuration as possibly affected, so we run an Nmap script to confirm that the system is vulnerable.
nmap -p 8080 –script http-vuln-cve2017-5638 –script-args path=/struts2-rest-showcase/orders/3 192.168.1.106
We confirm that we have a vulnerable application (see Figure 3 below).
Figure 3: Nmap confirms the vulnerability.
3. With a path to the vulnerable application “/struts2-rest-showcase/orders/3” we search Armitage for applicable exploits and choose: struts2_rest_xtream.
Figure 4: Struts2 Exploits
Apache Struts versions 2.1.2 – 2.3.33 and Struts 2.5 – Struts 2.5.12, using the REST plugin, are vulnerable to a Java deserialization attack in the XStream library.
4. We configure our exploit and prepare to launch the attack.
Figure 5: Exploit Configuration
5. We execute the exploit by clicking on Launch.
Figure 6: We launch the exploit and get a bind shell on the target.
6. We open an interactive shell and confirm that we are the root user by dumping the shadow password file (see Figure 7 below).
Figure 7: Shadow password file dumped with root privileges.
We now have full operational control of the operating system! We own the server! A real attacker could then change the root password to lock out the administrator, use the platform to launch attacks against other systems, deface the website, extract password hashes for off-line cracking and any other data of value, or simply shut down the system.
Are you vulnerable to this and similar exploits? What is your level of confidence in your security controls? Only a penetration test, executed by a skilled ethical hacker, can answer that question with certainty. Don’t be the next victim of a breach, have your systems pentested on a regular basis.
