{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2023-50164/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2023-50164"}],"_cs_exploited":false,"_cs_products":["Struts 2"],"_cs_severities":["high"],"_cs_tags":["apache-struts","webshell","cve-2023-50164","initial-access","persistence","command-and-control"],"_cs_type":"advisory","_cs_vendors":["Apache"],"content_html":"\u003cp\u003eCVE-2023-50164 is a critical path traversal vulnerability affecting Apache Struts 2 versions prior to 2.5.33 or 6.3.0.2. The vulnerability resides in the file upload functionality, allowing attackers to manipulate file upload parameters and write malicious files, such as JSP web shells, to arbitrary locations on the web server. Successful exploitation leads to remote code execution. Detection focuses on correlating suspicious file upload requests to Struts endpoints with subsequent creation of JSP files in web-accessible directories, indicating successful exploitation. The attack involves crafting malicious multipart/form-data POST requests with WebKitFormBoundary to Struts .action upload endpoints.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a malicious HTTP POST request to a vulnerable Apache Struts endpoint (e.g., \u003ccode\u003e*.action\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe HTTP POST request contains a \u003ccode\u003emultipart/form-data\u003c/code\u003e content type with a \u003ccode\u003eWebKitFormBoundary\u003c/code\u003e string.\u003c/li\u003e\n\u003cli\u003eThe request exploits CVE-2023-50164, leveraging a path traversal vulnerability in the file upload process.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses security controls due to the path traversal vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious JSP file (web shell) to a web-accessible directory, such as Tomcat\u0026rsquo;s \u003ccode\u003ewebapps\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eA Java process (e.g., Tomcat) creates the JSP web shell file in the webapps directory.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the deployed web shell via HTTP.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the server through the web shell.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2023-50164 allows attackers to achieve remote code execution on the affected server. This can lead to complete system compromise, data exfiltration, deployment of malware, and lateral movement within the network. The vulnerability affects Apache Struts 2 applications using the file upload feature, potentially impacting numerous organizations across various sectors using the framework.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Apache Struts CVE-2023-50164 Webshell Creation\u0026rdquo; to detect JSP file creation events in webapps directories following suspicious POST requests as described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Apache Struts CVE-2023-50164 Suspicious POST Request\u0026rdquo; to detect suspicious POST requests to Struts endpoints with \u003ccode\u003emultipart/form-data\u003c/code\u003e content containing \u003ccode\u003eWebKitFormBoundary\u003c/code\u003e, as indicated in the Attack Chain.\u003c/li\u003e\n\u003cli\u003ePatch Apache Struts 2 to version 2.5.33, 6.3.0.2, or higher to remediate the CVE-2023-50164 vulnerability, as noted in the References.\u003c/li\u003e\n\u003cli\u003eEnable HTTP request body capture in network traffic monitoring tools to detect the multipart/form-data content containing WebKitFormBoundary indicators, as required by the rule setup.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-05T18:22:00Z","date_published":"2024-01-05T18:22:00Z","id":"/briefs/2024-01-apache-struts-cve-2023-50164-webshell/","summary":"Exploitation of CVE-2023-50164, a critical path traversal vulnerability in Apache Struts 2, is detected by identifying malicious multipart/form-data POST requests with WebKitFormBoundary targeting Struts .action upload endpoints, followed by JSP web shell creation in Tomcat's webapps directories, indicating remote code execution.","title":"Apache Struts CVE-2023-50164 Exploitation Leading to Web Shell Deployment","url":"https://feed.craftedsignal.io/briefs/2024-01-apache-struts-cve-2023-50164-webshell/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2023-50164","version":"https://jsonfeed.org/version/1.1"}