About a month ago, the Apache Software Foundation released Struts 18.104.22.168, an update to the popular Java Web application development framework. The patch was released because vulnerabilities in older versions of Struts could allow attackers to run arbitrary code on vulnerable servers.
Since then, we’ve found that hackers in the Chinese underground have created an automated tool that exploits these problems in older versions of Struts. We first confirmed the existence of these tools on July 19; this was only three days after the vulnerabilities were disclosed to the public.
Figure 1. Advertisement for hacking tool
A hacking tool like this serves multiple uses in a targeted attack, such as:
- Acquiring information about the target
- Gaining and maintaining access to the target’s system and network
- Stealing information
- Removing evidence of an attack
We have observed attacks against Asian targets using this specific hacking tool, which indicates these Struts flaws are being actively exploited by potential threat actors in the wild.
The Hacking Tool Itself
The hacking tool targets several different flaws in Struts. These are identified both by their Apache-issued bulletin numbers and their CVE numbers:
- S2-016 (CVE-2013-2251)
- S2-013 (CVE-2013-1966)
- S2-009 (CVE-2011-3923)
- S2-005 (CVE-2010-1870)
All of these vulnerabilities, if exploited, allow arbitrary commands to be run on the target server by an attacker. To demonstrate the capabilities of this tool, we ran it against a test environment which was running a vulnerable version of Struts.
Figure 2. Hacking tool user interface
Some specific commands can be run on the target server by the tool automatically. One of the pre-programmed commands is whoami, which displays information about the target server’s current account.
The full list of commands that it can run is as follows:
Table 1. Integrated commands
Setting Up A Backdoor
An attacker’s goal in targeting a vulnerable server is to set up a backdoor. These backdoors allow an attacker to gain and maintain access to the server and use it as they see fit; this tool allows an attacker to do just that with relatively little effort.
The hacking tool contains a “WebShell” feature, which allows the attacker to easily plant a backdoor and a web shell onto the target. These web shells make issuing commands to the backdoor much easier, as it can be done directly from a browser window.
A variety of web shells are available for servers using various frameworks like PHP and ASP.NET. In this particular case, however, because Struts itself is an app framework that supports Java, the attacker can install JspWebShell, a web shell/backdoor combination that is coded using JavaServer Pages (JSP).
Figure 4. Hacking tool with WebShell feature
The screenshot below shows how JspWebShell has access to the server’s file system.
Figure 5. User interface of JspWebShell
Web shells with more powerful capabilities, such as searching for and stealing information and data from the backdoored server, are easily available in the underground.
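One way to hunt for a planted JSP web shell like the one described above, as an added example that is not part of the original post or of any tool it mentions: compare the JSP files in a deployed web application directory against the WAR file it was deployed from, and report any that were added or changed. It assumes the original WAR is still available; the function names, file names and file contents are constructed for illustration.

```python
import hashlib
import zipfile
from pathlib import Path

JSP_SUFFIXES = {".jsp", ".jspx"}  # page types the servlet container will execute

def war_baseline(war_path):
    """Map each JSP path inside the WAR to the SHA-256 of its contents."""
    baseline = {}
    with zipfile.ZipFile(war_path) as war:
        for info in war.infolist():
            if not info.is_dir() and Path(info.filename).suffix.lower() in JSP_SUFFIXES:
                baseline[info.filename] = hashlib.sha256(war.read(info)).hexdigest()
    return baseline

def audit_webapp(war_path, deployed_dir):
    """Return (relative path, reason) for JSP files added or modified on disk."""
    baseline = war_baseline(war_path)
    root = Path(deployed_dir)
    findings = []
    for path in sorted(root.rglob("*")):
        # Suffix check is case-insensitive so x.JSP is not overlooked.
        if not path.is_file() or path.suffix.lower() not in JSP_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        if rel not in baseline:
            findings.append((rel, "not in WAR"))
        elif digest != baseline[rel]:
            findings.append((rel, "modified"))
    return findings

def demo(workdir):
    """Build a constructed WAR and exploded directory, then audit them."""
    work = Path(workdir)
    war = work / "app.war"
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("index.jsp", "<html>home</html>")
        z.writestr("WEB-INF/pages/login.jsp", "<html>login</html>")
    deployed = work / "app"
    (deployed / "WEB-INF" / "pages").mkdir(parents=True)
    (deployed / "images").mkdir()
    (deployed / "index.jsp").write_text("<html>home</html>")  # unchanged
    (deployed / "WEB-INF" / "pages" / "login.jsp").write_text("<html>login v2</html>")  # altered
    (deployed / "images" / "x.JSP").write_text("constructed placeholder")  # never shipped
    return audit_webapp(war, deployed)
```

A JSP file in a directory that normally holds only static content, such as the constructed `images/x.JSP` here, is the finding to investigate first. The check covers only the web application directory, so it complements rather than replaces the patch and the network rules mentioned below.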
In summary, what do we know about this hacking tool?
- It was published three days after the publication date of the vulnerability.
- It allows for the easy execution of operating system commands on the targeted server.
- It is possible with just a few clicks of the mouse to establish a backdoor/web shell on the target server to acquire and maintain access.
- Web shells are evolving, and features are being added to these as necessary.
As we noted earlier, this vulnerability has been patched and a new version of Struts released (22.214.171.124). Some applications may break because of the removal of several vulnerable features in the current version, but despite this Apache has said the update is “strongly recommended”. The potential risks from a successful attack outweigh the inconvenience of modifying any deployed apps.
We provide a variety of solutions against these threats. Users of Deep Security have various rules which help block Struts exploits and drop the related malicious packets. In addition, we detect the backdoors planted on affected sites as HKTL_ACTREDIR and JS_SPRAT.SM.
The hash values of the hacking tool sample are as follows:
- MD5: 4674D39C5DD6D96DFB9FF1CF1388CE69
- SHA1: 9C6D1700CF4A503993F2292CB5A254E4494F5240