HPE Software is now Micro Focus
HPE Software is now Micro Focus
Security Research

Finding Struts2 S2-052 with Fortify SCA

Finding Struts2 S2-052 with Fortify SCA


Another month, another Struts2 remote code execution (RCE) vulnerability (CVE-2017-9805). However, this time the attack vector does not involve any arbitrary OGNL expression evaluations but an unsafe deserialization.

Possible Remote Code Execution attack when using the Struts REST plugin with XStream handler to handle XML payloads

The vulnerability is located in the REST plugin code so only users of this plugin would be affected. This is not the first time the a Remote Code Execution vulnerability is reported on the Struts2 REST plugin. We reported S2-033 and few months later S2-037 was also reported, however this time the vulnerability was echoed by the major InfoSec media sites.

According to the researchers that reported the issue the vulnerability is in the XStreamHandler class which performs an unprotected deserialization of data coming from the request bodyPicture1.png

source: https://github.com/apache/struts/blob/c2aeaf2eadb6ac5bbd64b5c2646a96d0f14265bd/plugins/rest/src/main/java/org/apache/struts2/rest/handler/XStreamHandler.java#L46

It was not clear in the original write-up where the controllable data was coming from so, since Fortify SCA supports XStream, I decided to take a look and see what SCA was reporting. Configuring the project was quick and easy. I made sure we had all dependencies by fetching them with "mvn dependency:copy-dependencies" and then kick started the scan. The scan completed in less than a minute and there it was:

Picture2.pngNo custom rules were needed since the source of taint is coming from the standard servlet request class.


The dataflow taint trace was short and began at ContentTypeInterceptor, which is an interceptor registered by default in the Struts2 interceptor stack (when running the REST plugin). The contents of the request body are read and sent to the appropriate handler which is chosen depending on the content-type of the request.Picture4.png

source: https://github.com/apache/struts/blob/c2aeaf2eadb6ac5bbd64b5c2646a96d0f14265bd/plugins/rest/src/main/java/org/apache/struts2/rest/ContentTypeInterceptor.java#L60

The dataflow is followed by the SCA taint analyzer which returns the diagram leading to the vulnerability: 


Ultimately, this RCE vulnerability in the REST plugin for Struts2 again reminds us all that dependencies need to be scanned and reviewed on a regular basis.  The affected versions are Struts 2.1.2 - Struts 2.3.33, Struts 2.5 - Struts 2.5.12. Make sure to upgrade to Apache Struts version 2.5.13 or 2.3.34.


Stay secure,

Alvaro Muñoz (@pwntester)

Micro Focus Software Security Research









0 Kudos
About the Author


Filter by Labels