Exploit attempts inspired by recent Struts2 File Upload Vulnerability (CVE-2024-53677, CVE-2023-50164)

Published: 2024-12-15. Last Updated: 2024-12-15 18:02:44 UTC by Johannes Ullrich (Version: 1)

Last week, Apache announced a vulnerability in Struts2 [1]. The file upload path traversal vulnerability scored 9.5 on the CVSS scale. If exploited, the vulnerability allows file uploads into otherwise restricted directories, which may lead to remote code execution if a webshell is uploaded and exposed in the web root. I call the exploit attempts below 'inspired' by this vulnerability. There are at least two vulnerabilities that could be targeted. I do not have a vulnerable system to test if the exploit will work.

Patching this vulnerability is not quite as straightforward as it should be. Apache points out:

> This change isn't backward compatible as you must rewrite your actions to start using the new Action File Upload mechanism and related interceptor. Continuing to use the old File Upload mechanism keeps you vulnerable to this attack.

The vulnerability, CVE-2024-53677, appears to be related to CVE-2023-50164. The older vulnerability is similar, and an incomplete patch may have led to the newer issue. PoC exploits have been released (see, for example, [2]), and we are seeing active exploit attempts for this vulnerability that match the PoC exploit code. At this point, the exploit attempts are attempting to enumerate vulnerable systems:

> POST /actionFileUpload HTTP/1.1
> Host: [honeypot IP address]:8090
> User-Agent: python-requests/2.32.3
> Accept-Encoding: gzip, deflate, zstd
> Accept: */*
> Connection: keep-alive
> Content-Length: 222
> Content-Type: multipart/form-data; boundary=0abcfc26e3fa0afbd6db1ba369dfcc37
>
> --0abcfc26e3fa0afbd6db1ba369dfcc37
> Content-Disposition: form-data; name="file"; filename="exploit.jsp"
> Content-Type: application/octet-stream
>
> --0abcfc26e3fa0afbd6db1ba369dfcc37--

This attempt uploads a one-liner script that is supposed to return 'Apache Struts'. Next, the attacker attempts to find the uploaded script. The exploit attempt is very close to the original PoC. Since then, a slightly improved exploit has been uploaded to the same GitHub repository.

> GET /actionFileUpload/exploit.jsp HTTP/1.1
> Host: [honeypot IP]:8090
> User-Agent: python-requests/2.32.3
> Accept-Encoding: gzip, deflate, zstd
> Accept: */*
> Connection: keep-alive

So far, the scans originate only from [169.150.226.162](/ipinfo.html?ip=169.150.226.162), an IP address that started scanning yesterday, initially for simple URLs like '/' and '/cbs' (likely another upload vulnerability).

[1] https://cwiki.apache.org/confluence/display/WW/S2-067
[2] https://github.com/TAM-K592/CVE-2024-53677-S2-067

Johannes B. Ullrich, Ph.D., Dean of Research, [SANS.edu](https://sans.edu)

Keywords: [struts](/tag.html?tag=struts) [struts2](/tag.html?tag=struts2) [fileupload](/tag.html?tag=fileupload)
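The two-step pattern above (a multipart POST that drops a server-side script, followed by a GET for the same file) is easy to spot in web server or honeypot logs. The following is an added example and not code from the diary, from the PoC repository or from the Struts project: a small parser for raw HTTP requests that flags multipart uploads whose filename either carries a JSP extension or contains a path traversal sequence, and correlates a later GET for the same basename from the same source. It goes slightly beyond what the honeypot saw by also checking for `../` in the filename, since the underlying bug is a path traversal. All sample traffic is constructed: documentation-range IP addresses, a stand-in JSP body in place of the attacker's one-liner, a traversal variant that does not appear on this page, and a benign upload that must not alert.

```python
import re
from dataclasses import dataclass

# Extensions the servlet container would execute if the file lands under the web root.
SCRIPT_EXTS = (".jsp", ".jspx", ".jspf")


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    body: bytes


def parse_request(raw: bytes) -> Request:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers, body)


def multipart_filenames(req: Request) -> list:
    """Return every filename= value in a multipart/form-data body ([] if not multipart)."""
    ctype = req.headers.get("content-type", "")
    m = re.search(r'boundary="?([^";]+)"?', ctype)
    if not ctype.startswith("multipart/form-data") or not m:
        return []
    delimiter = b"--" + m.group(1).encode("latin-1")
    names = []
    for part in req.body.split(delimiter):
        part_head = part.partition(b"\r\n\r\n")[0]  # only the part's own headers
        fm = re.search(rb'filename="([^"]*)"', part_head)
        if fm:
            names.append(fm.group(1).decode("latin-1"))
    return names


def upload_findings(filename: str) -> list:
    """Findings for one uploaded filename: traversal sequence and/or script extension."""
    norm = filename.replace("\\", "/")
    findings = []
    if "../" in norm or norm.startswith("/"):
        findings.append("path-traversal filename")
    if norm.lower().endswith(SCRIPT_EXTS):
        findings.append("server-side script extension")
    return findings


def scan(events) -> list:
    """events: iterable of (src_ip, raw_request_bytes) in arrival order.

    Returns alert strings. A suspicious upload is remembered per source so that a
    later GET for the same basename (the attacker checking whether the script
    landed) is reported as the second step of the same probe."""
    uploaded = {}  # src_ip -> set of basenames of suspicious uploads
    alerts = []
    for src, raw in events:
        req = parse_request(raw)
        if req.method == "POST":
            for fn in multipart_filenames(req):
                findings = upload_findings(fn)
                for f in findings:
                    alerts.append(f"{src} POST {req.path}: {f} ({fn})")
                if findings:
                    base = fn.replace("\\", "/").rsplit("/", 1)[-1]
                    uploaded.setdefault(src, set()).add(base)
        elif req.method == "GET":
            base = req.path.rsplit("/", 1)[-1]
            if base in uploaded.get(src, ()):
                alerts.append(f"{src} GET {req.path}: fetches previously uploaded script")
    return alerts


# --- constructed sample traffic (same shape as the captured requests) ---
BOUNDARY = "0abcfc26e3fa0afbd6db1ba369dfcc37"


def multipart_post(path: str, filename: str, content: bytes) -> bytes:
    """Build a single-part multipart POST like the one the honeypot received."""
    body = (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode() + content + f"\r\n--{BOUNDARY}--\r\n".encode()
    head = (
        f"POST {path} HTTP/1.1\r\nHost: 192.0.2.10:8090\r\n"
        "User-Agent: python-requests/2.32.3\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n\r\n"
    ).encode()
    return head + body


SAMPLE_EVENTS = [
    # the two-step probe from the diary, with a stand-in body instead of the real one-liner
    ("198.51.100.7", multipart_post("/actionFileUpload", "exploit.jsp", b"<%-- stand-in --%>")),
    ("198.51.100.7", b"GET /actionFileUpload/exploit.jsp HTTP/1.1\r\nHost: 192.0.2.10:8090\r\n"
                     b"User-Agent: python-requests/2.32.3\r\nAccept: */*\r\n\r\n"),
    # hypothetical traversal variant, not observed on the honeypot
    ("198.51.100.9", multipart_post("/upload.action", "../../webapp/shell.jsp", b"<%-- stand-in --%>")),
    # benign upload that must not alert
    ("203.0.113.5", multipart_post("/upload.action", "report.pdf", b"%PDF-1.4 constructed")),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, `scan` reports the `exploit.jsp` upload, the follow-up GET from the same source, and both findings for the traversal variant, while the PDF upload produces nothing. In production the parser would be fed from a honeypot or reverse-proxy capture rather than inline bytes; the filename check is deliberately applied to the raw `filename=` value, since that is the one the vulnerable upload handling trusts.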
