NickTheGreek

New Apache Struts Zero-Day Vulnerability Being Exploited in the Wild


Security researchers have discovered a Zero-Day vulnerability in the popular Apache Struts web application framework, which is being actively exploited in the wild.

Apache Struts is a free, open-source, Model-View-Controller (MVC) framework for creating elegant, modern Java web applications, which supports REST, AJAX, and JSON.

In a blog post published Monday, Cisco's threat intelligence team Talos announced that it had observed a number of active attacks exploiting the zero-day vulnerability (CVE-2017-5638) in Apache Struts.

According to the researchers, the issue is a remote code execution vulnerability in the Jakarta Multipart parser of Apache Struts that could allow an attacker to execute malicious commands on the server when files are uploaded through that parser.

"It is possible to perform an RCE attack with a malicious Content-Type value," warned Apache. "If the Content-Type value isn't valid an exception is thrown which is then used to display an error message to a user."

The vulnerability, documented at Rapid7's Metasploit Framework GitHub site, has been patched by Apache. So, if you are using the Jakarta-based file upload Multipart parser under Apache Struts 2, you are advised to upgrade to Apache Struts version 2.3.32 or 2.5.10.1 immediately.

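The advisory text above pins the trigger to an invalid Content-Type value. A defender-side check that follows from that is to validate the header against the RFC 7231 media-type grammar (token "/" token, followed by ";" token "=" token-or-quoted-string parameters) before it reaches the application, and to flag every request whose header does not parse. The following is an added example written for this post, not code from the article, Talos or Apache; the log format, the client addresses, the `MAX_CONTENT_TYPE_LEN` policy value and all sample header values are constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# RFC 7230 "token" characters; anything else in a token position violates the grammar.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# RFC 7230 quoted-string: printable ASCII minus '"' and '\', plus backslash escapes.
QUOTED = r'"(?:[\t \x21\x23-\x5b\x5d-\x7e]|\\[\t \x21-\x7e])*"'
TYPE_RE = re.compile(TOKEN + "/" + TOKEN)
PARAM_RE = re.compile(r"[ \t]*;[ \t]*(" + TOKEN + r")=(" + TOKEN + "|" + QUOTED + ")")

# Assumed local policy value, not from the advisory: legitimate Content-Type
# headers (multipart boundaries included) are far shorter than this.
MAX_CONTENT_TYPE_LEN = 512


def check_content_type(value: str) -> Tuple[bool, str, Dict[str, str]]:
    """Validate a Content-Type header against the RFC 7231 media-type grammar.

    Returns (ok, reason, parameters). Any value that is not
    token "/" token *( ";" token "=" ( token | quoted-string ) ) is rejected,
    so brackets, raw spaces or other non-token syntax in the header never
    reaches the multipart parser.
    """
    value = value.strip(" \t")
    if len(value) > MAX_CONTENT_TYPE_LEN:
        return False, f"value longer than {MAX_CONTENT_TYPE_LEN} bytes", {}
    m = TYPE_RE.match(value)
    if not m:
        return False, "type/subtype is not token/token", {}
    params: Dict[str, str] = {}
    pos = m.end()
    while pos < len(value):
        pm = PARAM_RE.match(value, pos)
        if not pm:
            return False, f"malformed parameter at offset {pos}: {value[pos:pos + 24]!r}", params
        params[pm.group(1).lower()] = pm.group(2)
        pos = pm.end()
    return True, "ok", params


# Constructed access-log lines in a hypothetical format that records the
# request's Content-Type header; not taken from the article.
SAMPLE_LOG = """\
192.0.2.10 "POST /upload.action" content_type='multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW'
192.0.2.11 "POST /api/item" content_type='application/json'
192.0.2.12 "POST /upload.action" content_type='multipart/form-data; boundary={braces-are-not-token-chars}'
192.0.2.13 "POST /upload.action" content_type='text/plain; charset=utf 8'
192.0.2.14 "GET /index.action" content_type='text/html; charset="utf-8"'
"""

LOG_RE = re.compile(r"^(\S+) \"(\S+) (\S+)\" content_type='(.*)'$")


def scan_log(log: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, path, reason) for each request whose Content-Type fails the grammar."""
    flagged: List[Tuple[str, str, str]] = []
    for line in log.splitlines():
        lm = LOG_RE.match(line)
        if not lm:
            continue  # unrelated or unparseable line
        ip, _method, path, ctype = lm.groups()
        ok, reason, _params = check_content_type(ctype)
        if not ok:
            flagged.append((ip, path, reason))
    return flagged


if __name__ == "__main__":
    for ip, path, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} {path}: {reason}")
```

Run against the constructed log, the two requests whose header contains braces or an unquoted space are flagged while the three well-formed headers pass. The check is deliberately grammar-based rather than signature-based: it does not need to know what a malicious value looks like, only what a valid one looks like, so it also catches variants a pattern list would miss. A reverse proxy or WAF in front of a Struts application can apply the same rule and reject the request with a plain 400 instead of letting the framework render the error message the advisory refers to.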
Exploit Code Publicly Released
Because the Talos researchers have already detected public proof-of-concept (PoC) exploit code (which was uploaded to a Chinese site), the vulnerability is quite dangerous.

The researchers even detected "a high number of exploitation events," the majority of which seem to be leveraging the publicly released PoC that is being used to run various malicious commands.

In some cases, the attackers executed simple "whoami" commands to see if the target system is vulnerable, while in others, the malicious attacks turned off firewall processes on the target and dropped payloads.

"Final steps include downloading a malicious payload from a web server and execution of said payload," the researchers say. "The payloads have varied but include an IRC bouncer, a DoS bot, and a sample related to the Bill Gates botnet... A payload is downloaded and executed from a privileged account."

Attackers also attempted to gain persistence on infected hosts by adding a binary to the boot-up routine.

According to the researchers, the attackers tried to copy the file to a benign directory and ensure "that both the executable runs and that the firewall service will be disabled when the system boots."

Both Cisco and Apache researchers urge administrators to upgrade their systems to Apache Struts version 2.3.32 or 2.5.10.1 as soon as possible. Admins can also switch to a different implementation of the Multipart parser.
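The remediation named in the article is a version upgrade, so the first defensive task is finding every deployment still below the fixed releases. The script below is an added example for this post, not code from the article, Cisco or Apache. It assumes the standard Maven artifact naming `struts2-core-<version>.jar` for the framework's core library and encodes only the two fixed versions the article gives (2.3.32 for the 2.3 line, 2.5.10.1 for the 2.5 line); release lines the article does not mention are reported as unknown rather than guessed. The sample paths are constructed.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Fixed releases named in the advisory: 2.3.32 for the 2.3 line, 2.5.10.1 for 2.5.
FIXED = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

# Assumed artifact naming (Maven convention): struts2-core-<version>.jar
JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare component-wise."""
    return tuple(int(p) for p in text.split("."))


def needs_upgrade(version: Tuple[int, ...]) -> Optional[bool]:
    """True if a 2.3 or 2.5 release is older than its fixed version,
    False if it is at or above it, None for a release line the
    advisory text does not cover (decide those separately)."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return None
    # (2, 5, 10) < (2, 5, 10, 1) is True: a shorter tuple sorts before its extension.
    return version < fixed


def audit_jars(paths: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (path, version, status) for every struts2-core jar found.

    status is 'upgrade', 'ok' or 'unknown-line'; other jars are ignored.
    """
    report: List[Tuple[str, str, str]] = []
    for path in paths:
        m = JAR_RE.search(path)
        if not m:
            continue
        verdict = needs_upgrade(parse_version(m.group(1)))
        status = "unknown-line" if verdict is None else ("upgrade" if verdict else "ok")
        report.append((path, m.group(1), status))
    return report


# Constructed inventory of a hypothetical Tomcat host; not from the article.
SAMPLE_PATHS = [
    "/opt/tomcat/webapps/app1/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/tomcat/webapps/app2/WEB-INF/lib/struts2-core-2.5.10.jar",
    "/opt/tomcat/webapps/app3/WEB-INF/lib/struts2-core-2.5.10.1.jar",
    "/opt/tomcat/webapps/app4/WEB-INF/lib/struts2-core-2.3.32.jar",
    "/opt/tomcat/webapps/app5/WEB-INF/lib/struts2-core-2.1.8.jar",
    "/opt/tomcat/webapps/app1/WEB-INF/lib/commons-io-2.4.jar",
]

if __name__ == "__main__":
    for path, version, status in audit_jars(SAMPLE_PATHS):
        print(f"{status:13} {version:10} {path}")
```

On a real host the path list would come from something like `find / -name 'struts2-core-*.jar'`; feeding it to `audit_jars` separates the deployments that must move to 2.3.32 or 2.5.10.1 from those already patched. The version comparison uses integer tuples rather than string comparison so that 2.5.10 correctly sorts below 2.5.10.1, which a naive string check would get wrong.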
http://thehackernews.com/2017/03/apache-struts-framework.html
