
An Analysis of CVE-2017-5638 – how Equifax was hacked - notverysecure
https://blog.gdssecurity.com/labs/2017/3/27/an-analysis-of-cve-2017-5638.html
======
kbaker
Wow, article is from March 2017.

Summary: Attacker sends a malformed Content-Type header on file upload, which
throws an exception due to the Content-Type being unknown. But, in the
exception text is the direct, unsanitized user input from the header.

There is not a specific text localization handler for
struts.messages.upload.error.InvalidContentTypeException, so a generic
exception handler ends up being used to process the exception. This generic
handler turns out to parse the unsanitized user input as OGNL markup, running
the attacker code when processing the exception text.

Some effort is made to blacklist loading other Java libraries in the text
rendering context, however it was easily defeated by emptying the blacklist in
the attacking code before calling the blacklisted modules.
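
A defender-side pre-check for the flaw summarised above, written as an added example rather than code from the thread or from Struts itself: it validates the Content-Type header against the RFC 2045 media-type grammar before the value can reach the multipart parser (and so be echoed into an exception message), and separately flags values carrying OGNL expression delimiters even inside a quoted parameter. The header samples are constructed, not captured traffic.

```python
import re
from typing import Dict, NamedTuple

# Strict media-type grammar: type "/" subtype *( ";" attribute "=" value ).
# Token characters per RFC 7230 tchar; "{" and "}" are deliberately not in the set,
# so a bare OGNL expression already fails the grammar. Quoted parameter values may
# still carry braces, which is why a separate marker check follows.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"(?:[^"\\\r\n]|\\.)*"'
_PARAM = rf"\s*;\s*{_TOKEN}\s*=\s*(?:{_TOKEN}|{_QUOTED})"
_MEDIA_TYPE = re.compile(rf"^\s*{_TOKEN}/{_TOKEN}(?:{_PARAM})*\s*$")

# OGNL expression delimiters; none of these belongs in a legitimate Content-Type.
_OGNL_MARKERS = ("%{", "${", "#{")


class Verdict(NamedTuple):
    accepted: bool
    reason: str


def check_content_type(value: str) -> Verdict:
    """Decide whether a Content-Type header value may be handed to the multipart parser."""
    for marker in _OGNL_MARKERS:
        if marker in value:
            return Verdict(False, f"expression marker {marker!r} in header")
    if not _MEDIA_TYPE.match(value):
        return Verdict(False, "does not match media-type grammar")
    return Verdict(True, "ok")


# Constructed sample headers (placeholders, not working payloads).
SAMPLES: Dict[str, str] = {
    "benign-simple": "multipart/form-data",
    "benign-boundary": 'multipart/form-data; boundary="----WebKitFormBoundary7MA4YWxk"',
    "hostile-bare": "%{constructed_placeholder}",
    "hostile-quoted": 'multipart/form-data; boundary="${constructed_placeholder}"',
    "malformed": "multipart/form-data; boundary=abc{def",
}


def triage(samples: Dict[str, str]) -> Dict[str, Verdict]:
    """Run the check over a batch of header values, keyed by sample name."""
    return {name: check_content_type(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:16} accepted={verdict.accepted!s:5} {verdict.reason}")
```

Rejecting at this layer means the value never reaches the code path that builds the localized error text, which is where the thread's summary says the unsanitized input was evaluated.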

~~~
samstave
Agreed - great write-up, but can you expand on this a bit more please?

~~~
kbaker
Ah, I probably should have used a TL;DR tag - my original comment is just a
really condensed summary of the awesome but super detailed article, which even
shows and explains the Struts code in question, example requests and
responses, stack traces from the exception, and the exception logs. Even in
the comments are some logs that look like evidence of an actual in-the-wild
RCE attempt!

So maybe check there for more explanation... all credit for the research and
investigation goes to the article's author. It was really a good 'deep dive'
into the internals of Struts to see how such a subtle bug could be turned into
RCE.

------
joatmon-snoo
I have yet to see any credible source pinpointing the CVE used to compromise
the Equifax data (we all know it's in Struts, but which one was it?). Has
something changed, or is this title clickbait?

~~~
thephyber
Note that the linked article isn't clickbait. It's an InfoSec description of
how they dealt with the same vuln that hit Equifax. The article was written ~6
weeks before Equifax's stated timeline of attack.

To clarify your comment, Equifax _did_ recently reveal[1] the specific vuln
(CVE-2017-5638) in Apache Struts that was used during the ~May-July attack
that caused the most headlines.

[1] https://investor.equifax.com/news-and-events/news/2017/09-15-2017-224018832

~~~
joatmon-snoo
Oh, yes, I understand that the linked article isn't clickbait - I was calling
out the title specifically for that reason, because if Equifax hadn't
confirmed the CVE, I think it would qualify as a clickbait title ;)

Thanks for the link, though, I somehow managed to miss that announcement.

