A newly disclosed vulnerability, tracked as CVE-2023-50164, has been found in the Apache Struts framework, a popular open-source web application framework for developing Java EE web applications. An attacker can exploit it by manipulating the file upload parameters to achieve path traversal and, under certain conditions, upload a malicious file that subsequently leads to Remote Code Execution (RCE).

Vulnerability Overview

Apache Struts versions prior to Struts 2.5.33 and Struts 6.3.0.2 contain a vulnerability in their file upload mechanism. The flaw allows an attacker to manipulate upload parameters in order to traverse file paths and write files outside the intended upload directory. Once such a file has been uploaded, it can potentially be used to achieve RCE on the target application.

Application code built on the affected Struts file upload support typically resembles the following structure (the client-supplied file name is joined onto the storage location without any validation):

import java.io.File;
import java.io.IOException;

import org.apache.commons.io.FileUtils;
import com.opensymphony.xwork2.ActionSupport;

public class FileUploadAction extends ActionSupport {
    private File fileUpload;             // temporary file written by the Struts FileUpload interceptor
    private String fileUploadFileName;   // client-supplied file name from the multipart request
    private String fileUploadContentType;

    // Setters populated by the FileUpload interceptor; other relevant code omitted...
    public void setFileUpload(File fileUpload) { this.fileUpload = fileUpload; }
    public void setFileUploadFileName(String fileUploadFileName) { this.fileUploadFileName = fileUploadFileName; }
    public void setFileUploadContentType(String fileUploadContentType) { this.fileUploadContentType = fileUploadContentType; }

    public String execute() {
        // No validation of the file name: "../" segments in fileUploadFileName
        // change the directory the file is written to.
        String filePath = getText("resources.location") + "/" + fileUploadFileName;

        try {
            File saveFile = new File(filePath);
            FileUtils.copyFile(fileUpload, saveFile);
        } catch (IOException e) {
            // Error handling elided in the original
            return ERROR;
        }

        // Other relevant code...
        return SUCCESS;
    }
}

Exploit Details

By manipulating the file upload parameters, an attacker can traverse the file system and place a file of their choosing outside the upload directory. For example, an attacker might send the following request:

POST /upload HTTP/1.1
Host: target.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary12345

------WebKitFormBoundary12345
Content-Disposition: form-data; name="fileUpload"; filename="../../../../../../tmp/malicious_file.txt"
Content-Type: text/plain

Malicious content here...
------WebKitFormBoundary12345--

In this payload, the "filename" parameter carries a path traversal sequence, "../../../../../../tmp/malicious_file.txt". When the application joins that name onto its storage location, the file is saved outside the expected directory, which can lead to unauthorized access to the targeted system.

Upon successfully uploading the malicious file, the attacker can then exploit the RCE vulnerability to execute arbitrary commands on the system, compromise its security, and potentially gain further control over the targeted application.
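The following is an added example, not code from the page or from the Apache Struts project, showing the hardened counterpart of the `execute()` pattern above: the client-supplied name is accepted only as a single path component, then the resolved target is checked for containment in the upload directory, and the file name from the request shown above is among the inputs it rejects. The upload directory `/var/app/uploads`, the class and method names are assumptions for illustration; in a real action, `resources.location` from `getText()` would be passed in and the returned `Path` handed to `FileUtils.copyFile`.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Hardened resolution of a client-supplied upload file name (illustrative, not Struts code). */
public final class SafeUploadPath {

    /**
     * Returns the path inside uploadDir that clientFileName may be written to,
     * or throws IOException if the name would escape that directory.
     */
    public static Path resolve(Path uploadDir, String clientFileName) throws IOException {
        if (clientFileName == null || clientFileName.isEmpty()) {
            throw new IOException("missing file name");
        }
        // Accept only a single path component: no separators, no NUL, no dot segments.
        // Reject rather than "clean" the name, so the rule is easy to reason about.
        if (clientFileName.indexOf('/') >= 0 || clientFileName.indexOf('\\') >= 0
                || clientFileName.indexOf('\0') >= 0
                || clientFileName.equals(".") || clientFileName.equals("..")) {
            throw new IOException("separators or dot segments not allowed: " + clientFileName);
        }
        Path base = uploadDir.toAbsolutePath().normalize();
        Path target = base.resolve(clientFileName).normalize();
        // Defence in depth: even after the character checks, confirm containment.
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IOException("resolved path escapes upload directory: " + target);
        }
        return target;
    }

    public static void main(String[] args) {
        Path uploadDir = Paths.get("/var/app/uploads"); // assumed location for this example
        String[] names = {
            "report.pdf",                               // benign: accepted
            "../../../../../../tmp/malicious_file.txt", // file name from the request above: rejected
            "..",                                       // bare dot segment: rejected
            "dir\\evil.jsp"                             // backslash separator: rejected
        };
        for (String name : names) {
            try {
                System.out.println("ACCEPT " + name + " -> " + resolve(uploadDir, name));
            } catch (IOException e) {
                System.out.println("REJECT " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

This check lives in application code and complements, rather than replaces, the upgrade: the fixed Struts releases address the framework's own handling of upload parameters, while the containment check makes the action itself safe against any file name that reaches it.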

Original References

- CVE-2023-50164 - NIST National Vulnerability Database (NVD)
- Apache Struts Security Advisory - CVE-2023-50164

Recommendation

Users are strongly advised to upgrade Apache Struts to version 2.5.33 or 6.3.0.2, or a later release, to fix CVE-2023-50164. Updating to the latest stable version protects applications from this RCE exploit and improves overall security posture.

Timeline

Published on: 12/07/2023 09:15:07 UTC
Last modified on: 12/12/2023 17:01:42 UTC