LUA C0ding
Here is another Nmap NSE script I wrote to detect this vulnerability. The script is very simple: I send a simple math expression, ${1+1}, in the namespace segment of a vulnerable URL, e.g. http://victim.com/${1+1}/help.action, and if the host replies with the header "Location: /2/help.action", that host is vulnerable, because the server evaluated the expression as OGNL before building the redirect. In the actual script I generate random digits and sum them up; if the sum in the Location header of the resulting 302 Redirect matches, then it's a vulnerable host. There are a few exploits in the wild for this vulnerability but none written for Nmap NSE enumeration. I'm pretty sure this sort of code will be useful for other pen-testers out there. I have submitted it to GitHub via a pull request; let's see if my code makes it to the master branch soon. The output of a positive detection is as follows:
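As an added Python example (not the author's NSE script, and not from the Nmap project), here is the same detection logic: random operands in the namespace segment, and a hit only when the redirect's Location carries the evaluated sum. The function names and the 10000-99999 operand range are my own choices.

```python
import http.client
import random
import re
from urllib.parse import urlparse

SUFFIX = "help.action"  # same action path the post's probe URL ends with


def make_probe(suffix=SUFFIX):
    """Build the probe path and the sum it should evaluate to.

    Random operands make the expected value unguessable, so a number that
    happens to sit in a redirect cannot be mistaken for an evaluation.
    """
    a, b = random.randint(10000, 99999), random.randint(10000, 99999)
    return f"/${{{a}+{b}}}/{suffix}", a + b


def location_shows_evaluation(status, location, expected_sum, suffix=SUFFIX):
    """Decide whether one response proves the namespace was evaluated.

    Only a redirect counts, and only when the first path segment of the
    Location header is exactly the expected sum. A server that echoes the
    literal ${a+b} back, or answers 200/404, is treated as not vulnerable.
    """
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    path = urlparse(location).path  # handles relative and absolute Location
    match = re.fullmatch(r"/(\d+)/" + re.escape(suffix), path)
    return match is not None and int(match.group(1)) == expected_sum


def check_host(host, port=8080, timeout=5.0):
    """Send a single probe to host:port and apply the rule above.

    http.client sends the path verbatim, so ${a+b} reaches the server
    unencoded, exactly as in the post's test URL. This is the only
    function that touches the network; the two above are pure.
    """
    path, expected = make_probe()
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()  # redirects are not followed, so the 302 is visible
        return location_shows_evaluation(resp.status, resp.getheader("Location"), expected)
    finally:
        conn.close()
```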
$ sudo nmap --script ./http-vuln-cve2018-11776 127.0.0.1 -p 8080 -n --script-args url=/
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-07 00:37 +08
Nmap scan report for 127.0.0.1
Host is up (0.000090s latency).
PORT STATE SERVICE
8080/tcp open http-proxy
| http-vuln-cve2018-11776:
| VULNERABLE:
| Apache Struts 2 Namespace Redirect OGNL Injection
| State: VULNERABLE
| IDs: CVE:CVE-2018-11776
| Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true
| (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard
| namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no
| or wildcard namespace.
|
| Disclosure date: 2018-08-22
| References:
| https://github.com/hook-s3c/CVE-2018-11776-Python-PoC
| https://lgtm.com/blog/apache_struts_CVE-2018-11776
| https://cwiki.apache.org/confluence/display/WW/S2-057
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
Reverse Engineering
$ sudo docker container run -it --rm -p 8080:8080 struts2
$ sudo docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3ff6c242970b struts2 "catalina.sh run" 9 seconds ago Up 8 seconds 0.0.0.0:8080->8080/tcp nifty_varahamihira
Then I ran a couple of exploits and detection scripts to reverse engineer the code, using Wireshark to analyse the HTTP traffic.
$ ./exploitS2-057-test.py http://127.0.0.1:8080/showcase.action
testing the url for exploit; http://127.0.0.1:8080/${16074+35045}/help.action
URL http://127.0.0.1:8080/showcase.action s2-057 CVE-2018-11776 is vulnerable!
Putting It Together
Once I had an understanding of how the exploits work, it was just a matter of porting it to the LUA scripting language, which I know jack shit about! So it took me a few hours of hacking to get some dirty code up and running.