CVE-2017-9805 – Apache Struts 2 Remote Code Execution Vulnerability by Quick Heal Security Labs

Credit to Author: Pradeep Kulkarni | Date: Thu, 07 Sep 2017 09:06:18 +0000

A critical remote code execution vulnerability has been discovered in the well-known web application framework Apache Struts; it allows attackers to execute arbitrary code. To address this issue, Apache Struts has issued a security advisory, and CVE-2017-9805 has been assigned to it. Attackers may use this vulnerability to target organizations across the globe. Web applications running on the Apache Struts framework that use the REST (Representational State Transfer) plugin are affected by this vulnerability.

Vulnerable Versions

Struts 2.5 – Struts 2.5.12

Vulnerability

The root cause of this vulnerability lies in how the REST plugin of Apache Struts handles the deserialization of input data. The vulnerability allows remote attackers to achieve remote code execution by sending a crafted POST request. Attackers can embed commands into the vulnerable field of the POST request body. The vulnerability is triggered while processing a crafted POST request whose 'Content-Type' header is set to 'application/xml'.

We reproduced the vulnerability by using a readily available Metasploit-compatible POC. Below is the traffic capture showing the crafted POST request that triggers the vulnerability.

Fig 1. Vulnerability Trigger

Fig 2. Payload drop at /tmp location on server

Quick Heal Detections

Quick Heal has released the following IPS detection for the vulnerability CVE-2017-9805.

VID-03103: Apache Struts Remote Command Execution

This critical vulnerability has been patched by Apache Struts. We strongly recommend that users upgrade their Apache Struts installation to 2.3.34 and 2.5.13 as per the advisory and also apply the latest security updates by Quick Heal.
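
An inventory check for the exposure described above, as an added example that is not code from Quick Heal or the Apache Struts project: it looks for the REST plugin jar (`struts2-rest-plugin-<version>.jar`) in exploded webapps and inside `.war` archives, and flags versions below the fixed releases named in this post. The function names are hypothetical; it assumes the jar keeps its standard file name, and treating every release below 2.3.34 on older lines as needing an upgrade is an assumption drawn from the upgrade recommendation.

```python
import re
import sys
import zipfile
from pathlib import Path

# Standard file name of the Struts 2 REST plugin; the version is parsed from it.
JAR_RE = re.compile(r"(?:^|/)struts2-rest-plugin-(\d+(?:\.\d+)*)\.jar$")
FIXED_25 = (2, 5, 13)   # fixed release on the 2.5.x line, per the post
FIXED_23 = (2, 3, 34)   # fixed release for older lines, per the post (assumption: all earlier releases need it)


def needs_upgrade(version: str) -> bool:
    """True if the version is below the fixed release for its line."""
    v = tuple(int(p) for p in version.split("."))
    v += (0,) * (3 - len(v))          # "2.5" -> (2, 5, 0)
    if v[:2] == (2, 5):
        return v < FIXED_25
    return v < FIXED_23


def find_rest_plugin(root):
    """Return sorted (location, version, needs_upgrade) for every REST plugin
    jar under root, in exploded webapps and inside .war archives."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        names = [path.name]
        if path.suffix.lower() == ".war":
            try:
                with zipfile.ZipFile(path) as war:
                    names = war.namelist()
            except zipfile.BadZipFile:
                continue  # unreadable archive: skip it rather than abort the scan
        for name in names:
            m = JAR_RE.search(name)
            if m:
                where = str(path) if name == path.name else f"{path}!{name}"
                hits.append((where, m.group(1), needs_upgrade(m.group(1))))
    return sorted(hits)


if __name__ == "__main__":
    for where, version, bad in find_rest_plugin(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'UPGRADE' if bad else 'ok':8} {version:10} {where}")
```

Run it against the application server's deployment directory; applications that do not ship the REST plugin jar produce no output.
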

References

https://lgtm.com/blog/apache_struts_CVE-2017-9805
https://struts.apache.org/docs/s2-052.html
https://github.com/rapid7/metasploit-framework/pull/8924/files

Also Read

http://blogs.quickheal.com/cve-2017-5638-apache-struts-2-remote-code-execution-vulnerability/

Subject Matter Experts

Aniruddha Dolas, Pallavi Pangavhane | Quick Heal Security Labs