Stack-based buffer overflow in the map_uri_to_worker function (native/common/jk_uri_worker_map.c) in mod_jk.so for Apache Tomcat JK Web Server Connector 1.2.19 and 1.2.20, as used in Tomcat 4.1.34 and 5.5.20, allows remote attackers to execute arbitrary code via a long URL that triggers the overflow in a URI worker map routine.
The best practice for web applications built on top of the Apache Struts 2 framework is to switch off Developer Mode (struts.devMode parameter in the struts.xml configuration file) before going into production. When devMode is left enabled, attackers can gain remote code execution by setting the 'debug=command' URL parameter and sending OGNL expressions through the 'expression' URL parameter. This module takes advantage of this misconfiguration scenario in order to deploy an agent in the target system.
The DefaultActionMapper class in Apache Struts 2 supports a method for short-circuit navigation state changes by prefixing parameters like "redirect:" or "redirect-action:". The information contained in these prefixes is not properly sanitized before being evaluated as OGNL expressions on the server side, which allows remote attackers to execute arbitrary Java code on the server. This module exploits the vulnerability in any web application built on top of vulnerable versions of the Apache Struts 2 framework.
After successful exploitation an agent will be installed. Usually Apache is ran as the user nobody, or some other low privileged user. After exploitation, the agent will be running as this user.
After successful exploitation an agent will be installed. Usually Apache is ran as the user nobody, or some other low privileged user. After exploitation, the agent will be running as this user. Apache 1.3 through 1.3.24, and Apache 2.0 through 2.0.36, allow remote attackers to cause a denial of service and possibly execute arbitrary code via a chunk-encoded HTTP request that causes Apache to use an incorrect size.
Subscribe to Impact