
Full Disclosure mailing list archives
Re: [ANN] Struts 2.3.16.1 GA release available - security fix
From: Tim <tim-security () sentinelchicken org>
Date: Thu, 6 Mar 2014 11:03:26 -0800
> No, rather no. You gain access to ClassLoader.

Ok... Many past bugs in different contexts have involved ClassLoader and have led to *very bad things*. I want to be sure you aren't playing coy about how serious the issue is. But as I brush up on how struts/OGNL works, I can see how an attacker might be somewhat limited here.

However, unless I'm missing something, it seems like your recommended regex may not be adequate to prevent ClassLoader access. I'm referring to this suggested mitigation:

"
Simply add '^class\.*' to the list of excludeParams as below

<interceptor-ref name="params">
    <param name="excludeParams">^class\..*,^dojo\..*,^struts\..*,^session\..*,^request\..*,^application\..*,^servlet(Request|Response)\..*,^parameters\..*,^action:.*,^method:.*</param>
</interceptor-ref>
"

This blocks parameters that start with "class", but what about ones that contain class internally? Based on [1], I would think an attacker could send a parameter like this:

    anObject.class.classLoader...

Which would result in, effectively:

    action.getAnObject.getClass.getClassLoader...

So long as a developer defines an action within their application that has *any* get method that returns an Object ("getAnObject" in this example), then they'd still be able to get at the ClassLoader with your exclusion regex, right? Or am I missing something about other mitigations you guys have put into place in prior versions?

Thanks,
tim

1. http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
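The bypass Tim describes can be checked directly against the quoted excludeParams list. The following is an added example, not code from the thread or from the Struts project: it applies each pattern with whole-string matching (Python's re.fullmatch stands in for Java's Pattern.matcher().matches(), which is how Struts evaluates excludeParams), shows that a name of the form anObject.class.classLoader slips past an anchored ^class\..* rule, and walks the name as a bean-style getter chain over constructed stand-in objects (SomeAction, AnObject, FakeClass, FakeClassLoader are all hypothetical) to show that it lands on a ClassLoader. The extra pattern in EXCLUDE_PARAMS_HARDENED is my own suggestion for the dot-notation case, not the project's eventual fix, and it says nothing about other property-access syntaxes the expression language may accept.

```python
import re

# The excludeParams list exactly as quoted in the announcement. Struts applies each
# entry as a Java regex that must match the *whole* parameter name.
EXCLUDE_PARAMS_ANNOUNCED = [
    r"^class\..*", r"^dojo\..*", r"^struts\..*", r"^session\..*", r"^request\..*",
    r"^application\..*", r"^servlet(Request|Response)\..*", r"^parameters\..*",
    r"^action:.*", r"^method:.*",
]

# Hardened list: my own suggestion (an assumption, not the project's fix). The extra
# entry rejects "class" reached through any nested property in dot notation.
EXCLUDE_PARAMS_HARDENED = EXCLUDE_PARAMS_ANNOUNCED + [r".*\.class\..*"]


def is_excluded(param_name, patterns):
    """True if any pattern matches the whole parameter name (Java matches() semantics)."""
    return any(re.fullmatch(p, param_name) is not None for p in patterns)


def accepted_params(params, patterns):
    """Return the subset of request parameters the interceptor would pass on to OGNL."""
    return {name: value for name, value in params.items() if not is_excluded(name, patterns)}


# Minimal stand-ins for the Java objects reached along the getter chain (constructed
# for this example; they exist only so the traversal below has something to walk).
class FakeClassLoader:
    pass


class FakeClass:
    def getClassLoader(self):
        return FakeClassLoader()


class AnObject:
    def getClass(self):
        return FakeClass()


class SomeAction:
    # Any developer-written getter that returns an object is enough for the bypass.
    def getAnObject(self):
        return AnObject()


def resolve_bean_path(root, dotted_name):
    """Walk 'a.b.c' as root.getA().getB().getC(), the way a bean-style property
    chain is resolved. Returns the final object."""
    obj = root
    for segment in dotted_name.split("."):
        getter = "get" + segment[0].upper() + segment[1:]
        obj = getattr(obj, getter)()
    return obj


def demo():
    # Constructed request: one benign parameter, one direct probe, one indirect probe.
    request = {
        "anObject.class.classLoader": "probe",
        "class.classLoader": "probe",
        "username": "alice",
    }
    passed_announced = accepted_params(request, EXCLUDE_PARAMS_ANNOUNCED)
    passed_hardened = accepted_params(request, EXCLUDE_PARAMS_HARDENED)
    # What the surviving probe actually reaches when walked as a getter chain.
    reached = {name: type(resolve_bean_path(SomeAction(), name)).__name__
               for name in passed_announced if name != "username"}
    return passed_announced, passed_hardened, reached


if __name__ == "__main__":
    announced, hardened, reached = demo()
    print("passed with announced list:", sorted(announced))
    print("passed with hardened list: ", sorted(hardened))
    print("reached:", reached)
```

With the announced list, "class.classLoader" is dropped but "anObject.class.classLoader" is passed through and resolves to the ClassLoader stand-in; with the extra ".*\.class\..*" entry only "username" survives. Because Struts matches the whole name, the anchor in "^class\..*" is what makes the rule miss nested access, so any replacement rule has to allow for an arbitrary prefix before the "class" segment.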
Current thread:
- [ANN] Struts 2.3.16.1 GA release available - security fix Lukasz Lenart (Mar 06)
- Re: [ANN] Struts 2.3.16.1 GA release available - security fix Tim (Mar 06)
- Re: [ANN] Struts 2.3.16.1 GA release available - security fix Lukasz Lenart (Mar 06)
- Re: [ANN] Struts 2.3.16.1 GA release available - security fix Tim (Mar 06)
- Re: [ANN] Struts 2.3.16.1 GA release available - security fix Lukasz Lenart (Mar 06)
- Re: [ANN] Struts 2.3.16.1 GA release available - security fix Tim (Mar 06)