Struts 2 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/struts-2/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 05 Jan 2024 18:22:00 +0000Apache Struts CVE-2023-50164 Exploitation Leading to Web Shell Deploymenthttps://feed.craftedsignal.io/briefs/2024-01-apache-struts-cve-2023-50164-webshell/Fri, 05 Jan 2024 18:22:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-apache-struts-cve-2023-50164-webshell/Exploitation of CVE-2023-50164, a critical path traversal vulnerability in Apache Struts 2, is detected by identifying malicious multipart/form-data POST requests with WebKitFormBoundary targeting Struts .action upload endpoints, followed by JSP web shell creation in Tomcat's webapps directories, indicating remote code execution.CVE-2023-50164 is a critical path traversal vulnerability affecting Apache Struts 2 versions prior to 2.5.33 or 6.3.0.2. The vulnerability resides in the file upload functionality, allowing attackers to manipulate file upload parameters and write malicious files, such as JSP web shells, to arbitrary locations on the web server. Successful exploitation leads to remote code execution. Detection focuses on correlating suspicious file upload requests to Struts endpoints with subsequent creation of JSP files in web-accessible directories, indicating successful exploitation. The attack involves crafting malicious multipart/form-data POST requests with WebKitFormBoundary to Struts .action upload endpoints.

Attack Chain

  1. The attacker sends a malicious HTTP POST request to a vulnerable Apache Struts endpoint (e.g., *.action).
  2. The HTTP POST request contains a multipart/form-data content type with a WebKitFormBoundary string.
  3. The request exploits CVE-2023-50164, leveraging a path traversal vulnerability in the file upload process.
  4. The attacker bypasses security controls due to the path traversal vulnerability.
  5. The attacker uploads a malicious JSP file (web shell) to a web-accessible directory, such as Tomcat’s webapps directory.
  6. A Java process (e.g., Tomcat) creates the JSP web shell file in the webapps directory.
  7. The attacker accesses the deployed web shell via HTTP.
  8. The attacker executes arbitrary commands on the server through the web shell.

Impact

Successful exploitation of CVE-2023-50164 allows attackers to achieve remote code execution on the affected server. This can lead to complete system compromise, data exfiltration, deployment of malware, and lateral movement within the network. The vulnerability affects Apache Struts 2 applications using the file upload feature, potentially impacting numerous organizations across various sectors using the framework.

Recommendation

  • Deploy the Sigma rule “Apache Struts CVE-2023-50164 Webshell Creation” to detect JSP file creation events in webapps directories following suspicious POST requests as described in the overview.
  • Deploy the Sigma rule “Apache Struts CVE-2023-50164 Suspicious POST Request” to detect suspicious POST requests to Struts endpoints with multipart/form-data content containing WebKitFormBoundary, as indicated in the Attack Chain.
  • Patch Apache Struts 2 to version 2.5.33, 6.3.0.2, or higher to remediate the CVE-2023-50164 vulnerability, as noted in the References.
  • Enable HTTP request body capture in network traffic monitoring tools to detect the multipart/form-data content containing WebKitFormBoundary indicators, as required by the rule setup.
]]>highadvisoryapache-strutswebshellcve-2023-50164initial-accesspersistencecommand-and-control