Reputation: 29168
In Struts 1, I heard that there is a classloader vulnerability which is caused by CVE-2014-0114. But I am unable to reproduce it with respect to my project. Can anyone help me with how to reproduce this issue? I googled but did not get any procedure for reproducing it.
I am using struts-1.1, JBoss 4.2.3.GA, Apache 2.2.0, MySQL 5.0.37, JKMod, JDK 1.6.0_12 and Ant 1.7.0 for my web project.
Upvotes: 2
Views: 14444
Reputation: 573
Something like this works to test (in code at least):
    import org.apache.commons.beanutils.PropertyUtils;

    // Run from inside a form bean: if BeanUtils still exposes the `class`
    // property, the nested lookup succeeds and the bean's ClassLoader is
    // reachable through it (CVE-2014-0114).
    try {
        PropertyUtils.getNestedProperty(this, "class");
        Logger.error(this, "SECURITY ISSUE - `class` attribute NOT DISABLED for BeanUtil introspection, see CVE-2014-0114");
    } catch (java.lang.NoSuchMethodException nse) {
        // A patched BeanUtils/Struts suppresses `class`, so the lookup throws.
        Logger.info(this, "`class` is disabled as a property for introspection in struts for security");
    } catch (Exception e) {
        Logger.warn(this, e.getMessage(), e);
    }
Upvotes: 0
Reputation: 429
Further to the solutions above, I wanted to point out that adding a breakpoint in the ClassLoader at the line defaultAssertionStatus = enabled; within setDefaultAssertionStatus, and a watcher on the field private boolean defaultAssertionStatus = false;, is a great way of verifying whether the above URL modification ?class.classLoader.defaultAssertionStatus=true has worked: your defaultAssertionStatus should now be true.
Hope this helps!
Upvotes: 0
Reputation: 9323
A Metasploit-based exploit is available on GitHub: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/struts_code_exec_classloader.rb and also at http://downloads.securityfocus.com/vulnerabilities/exploits/65999.rb. See http://www.rapid7.com/db/modules/exploit/multi/http/struts_code_exec_classloader for reference.
Upvotes: 1
Reputation: 29168
I have tried more than 2 ways for reproducing purposes. It works fine.
http://127.0.0.1:8080/MyFormGroupEditSection.do?com.macao.DelphyHacker.Marathonclass.marathonId=34&groupId=862
http://127.0.0.1:8080/MyFormGroupEditSection.do?class.classLoader=true&groupId=862
For the purpose of solving this problem, I want to add some comments. You can follow these 2 links. Hopefully, they will help you to eradicate this problem.
Upvotes: 2
Reputation: 501
Try to invoke a URL which is mapped to a Struts action (backed by an action form). The framework will try to populate your form bean from query parameters. So if you have a query parameter like ?class.classLoader.defaultAssertionStatus=true, it translates to formBean.getClass().getClassLoader().setDefaultAssertionStatus(true).
If you have enabled debug logging, you would see the following messages:
2014-05-05 12:57:50,238 DEBUG [org.apache.struts.action.RequestProcessor] Populating bean properties from this request
2014-05-05 12:57:50,238 DEBUG [org.apache.commons.beanutils.BeanUtils] BeanUtils.populate(com.xxx.struts.demo.web.form.SimpleForm@71909bc, {class.classLoader.defaultAssertionStatus=[Ljava.lang.String;@a6b23fd4})
2014-05-05 12:57:50,238 DEBUG [org.apache.commons.beanutils.BeanUtils] setProperty(com.xxx.struts.demo.web.form.SimpleForm@71909bc, class.classLoader.defaultAssertionStatus, [true])
2014-05-05 12:57:50,246 DEBUG [org.apache.commons.beanutils.BeanUtils] Target bean = com.ibm.ws.classloading.internal.AppClassLoader@3ac10955
2014-05-05 12:57:50,246 DEBUG [org.apache.commons.beanutils.BeanUtils] Target name = defaultAssertionStatus
2014-05-05 12:57:50,250 DEBUG [org.apache.commons.beanutils.ConvertUtils] Convert string 'true' to class 'boolean'
2014-05-05 12:57:50,250 DEBUG [org.apache.commons.beanutils.ConvertUtils] Using converter org.apache.commons.beanutils.converters.BooleanConverter@de2943ef
2014-05-05 12:57:50,250 DEBUG [org.apache.commons.beanutils.PropertyUtils] setSimpleProperty: Invoking method public void java.lang.ClassLoader.setDefaultAssertionStatus(boolean) with value true (class java.lang.Boolean)
Upvotes: 11
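Added example (not from the question or any of the answers, and not Struts' or BeanUtils' own code): since the population path described above starts from request.getParameterNames(), a servlet filter can hide any parameter whose name traverses a `class` property before Struts 1's RequestUtils.populate / BeanUtils.populate ever sees it. This is the usual stop-gap when the Struts or commons-beanutils jars cannot be upgraded. The class name ClassParameterFilter, the regular expression and the sample parameter names in main() are assumptions constructed for this illustration; the code needs the Servlet API on the classpath and a filter-mapping in web.xml placed ahead of ActionServlet's *.do mapping.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Hypothetical servlet filter: hides request parameters whose name walks
 * through the `class` property (e.g. class.classLoader.defaultAssertionStatus)
 * so that form-bean population never reaches Object.getClass().
 */
public class ClassParameterFilter implements Filter {

    // Assumed pattern: a property segment spelled "class" (any case) that is at
    // the start of the name or preceded by '.', '[', '(' or a quote, and that is
    // followed by a separator or the end of the name. Ordinary fields such as
    // "className" or "classification" do not match.
    static final Pattern CLASS_SEGMENT =
        Pattern.compile("(?i)(^|.*[.\\[(\"'])class([.\\[\\]\"')].*|$)");

    /** True if BeanUtils would resolve this parameter name via getClass(). */
    public static boolean isBlocked(String paramName) {
        return paramName != null && CLASS_SEGMENT.matcher(paramName).matches();
    }

    public void init(FilterConfig cfg) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new FilteredRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    /** Request wrapper that exposes only the parameters isBlocked() allows. */
    static class FilteredRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> allowed = new LinkedHashMap<String, String[]>();

        FilteredRequest(HttpServletRequest request) {
            super(request);
            Enumeration<?> names = request.getParameterNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                if (!isBlocked(name)) {
                    allowed.put(name, request.getParameterValues(name));
                }
                // A dropped name is a strong indicator of CVE-2014-0114 probing;
                // log it with the client address so the SOC can alert on it.
            }
        }

        @Override public String getParameter(String name) {
            String[] v = allowed.get(name);
            return v == null || v.length == 0 ? null : v[0];
        }
        @Override public String[] getParameterValues(String name) { return allowed.get(name); }
        @Override public Enumeration<String> getParameterNames() {
            return Collections.enumeration(allowed.keySet());
        }
        @Override public Map<String, String[]> getParameterMap() {
            return Collections.unmodifiableMap(allowed);
        }
    }

    /** Stand-alone self-check of the matcher on constructed parameter names. */
    public static void main(String[] args) {
        String[] mustBlock = { "class.classLoader.defaultAssertionStatus",
                               "user.class.classLoader.URLs[0]",
                               "items[0].Class.classLoader",
                               "map['class'].classLoader" };
        String[] mustAllow = { "groupId", "className", "classification", "user.address.city" };
        for (String n : mustBlock) {
            if (!isBlocked(n)) throw new AssertionError("should block: " + n);
        }
        for (String n : mustAllow) {
            if (isBlocked(n)) throw new AssertionError("should allow: " + n);
        }
        System.out.println("parameter guard self-check passed");
    }
}
```

Caveat: Struts 1 reads multipart form fields through its MultipartRequestHandler rather than through getParameterNames(), so this wrapper only covers ordinary query-string and urlencoded bodies. The getNestedProperty(this, "class") check from the earlier answer remains the authoritative test that the BeanUtils layer itself no longer exposes `class`, and upgrading commons-beanutils / Struts is the real fix.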