Apache Struts Remote Command Execution explained

Introduction

We all heard about the recent unfortunate tale of Equifax, which lost its customer data in one major breach. According to the information Equifax disclosed, the breach was due to the Apache Struts Remote Command Execution vulnerability present on its servers. If that is indeed the case, the whole attack might have started and finished within seconds, using a single HTTP transaction sent to their website. I will try to explain, with an example, how such attacks occur and what implications they bear.

What is Apache Struts?

According to Wikipedia, Apache Struts is:

“an open-source web application framework for developing Java EE web applications. It uses and extends the Java Servlet API to encourage developers to adopt a model–view–controller (MVC) architecture.”

As Java Enterprise Edition and its ecosystem are popular among financial institutions, this makes our story even more intriguing. It creates a dangerous mix: the organizations tasked with safekeeping our money are running infrastructure that carries a new kind of inherent vulnerability.

What is Remote Command Execution?

OWASP categorizes this type of attack as “Command Injection”, defined as:

“an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.”

Attack Synopsis

How does the actual attack work?

Attacks in the wild are seen abusing the HTTP “Content-Type” header to inject the malicious code. The attackers usually first test a simple expression evaluation that runs a bash command, to validate that the injection vector works. They subsequently try commonly found utilities, such as wget and curl, to download malicious code onto the vulnerable server.

The holy grail is, of course, complete server takeover. This is usually achieved by installing a web-shell backdoor. Such code gives the attackers remote administrative control of the server through nothing more than a browser and a web connection, which they already have, since the servers being attacked are exposed to the Web in the first place.
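As an added example (not code from the original article or from CyKick), here is defender-side detection logic in Python for the header abuse described above: a legitimate Content-Type value must parse as a media type, and values that do not, or that mention the download utilities named in the article, are flagged when scanning request logs. The tab-separated log format, the sample IP addresses and the `%{` Struts expression marker are assumptions supplied here, not taken from the page.

```python
import re

# Strict shape of a legitimate Content-Type value (RFC 7231 media-type):
# type/subtype, then optional ";name=value" parameters with token or quoted values.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_PARAM = rf';\s*{_TOKEN}=(?:{_TOKEN}|"[^"]*")'
_MEDIA_TYPE = re.compile(rf"^\s*{_TOKEN}/{_TOKEN}(?:\s*{_PARAM})*\s*$")
# Download utilities the article says attackers reach for once injection works.
_TOOL_WORDS = re.compile(r"\b(wget|curl|bash)\b", re.IGNORECASE)
MAX_LEN = 256  # assumed ceiling; real multipart Content-Type values are far shorter

def inspect_content_type(value: str) -> list[str]:
    """Return the reasons a Content-Type value looks like an injection attempt.
    An empty list means the value is a well-formed media type with no red flags."""
    reasons = []
    if not _MEDIA_TYPE.match(value):
        reasons.append("not a well-formed media type")
    if "%{" in value:  # Struts evaluates %{...} as an expression (assumed marker, not from the page)
        reasons.append("contains Struts expression marker '%{'")
    hit = _TOOL_WORDS.search(value)
    if hit:
        reasons.append(f"mentions download utility '{hit.group(0).lower()}'")
    if len(value) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    return reasons

# Constructed log sample, assumed tab-separated: client-ip, method, path, Content-Type (empty if no body).
SAMPLE_LOG = """\
198.51.100.4\tPOST\t/app/upload.action\tmultipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk
198.51.100.9\tGET\t/app/index.action\t
203.0.113.7\tPOST\t/app/index.action\t%{(#constructed_placeholder_expression)}
203.0.113.8\tPOST\t/app/index.action\tapplication/x-www-form-urlencoded; charset=UTF-8
"""

def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client-ip, path, reasons) for every request whose Content-Type is suspect."""
    flagged = []
    for line in text.splitlines():
        ip, _method, path, ctype = line.split("\t", 3)
        if not ctype:
            continue  # no body declared, so nothing to inspect
        reasons = inspect_content_type(ctype)
        if reasons:
            flagged.append((ip, path, reasons))
    return flagged

if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {path}: {'; '.join(reasons)}")
```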

Pwning 4 Mining

I chose an unusual use case for the Apache Struts RCE attack, one that CyKick Telepath caught in the wild. The captured attack attempts to download what is seemingly an image file. Once downloaded, the file is executed as a bash script and serves as a downloader for further code.

The twist in this story is that the final result launches a stealthy crypto-currency mining process using the CryptoNight algorithm. Since the attackers are probably aware that most Linux servers on the Internet do not have powerful GPUs, they chose an efficient algorithm that can run on any general-purpose CPU.

Conclusion

As always, keep your systems up-to-date to minimize the exposure time window. Audit your code, keep yourself up to speed with the latest trends in application security. And of course, monitor all your web applications for malicious and suspicious web user behavior. This is what we’re here to help you with, so don’t be shy and give us a call at CyKick Labs today before you become the next Equifax.

Michael Galili

Galili - Turning information into knowledge

2 years ago

Very comprehensive article!

Ajay Verma

Senior Manager- CISSP | LPT (Master) | ECSA | CEH | CCTH | MCSA | CCNA | ISO27k1:LA | ISO 27701:LA | CC

7 years ago

I have done a demo; hope it will help to understand. https://www.youtube.com/watch?v=Z8LNoxRbJZ0
