CVE-2011-3923: Apache Struts2

o0o security research has posted a review of the SEC Consult Vulnerability Lab Security Advisory on Apache Struts2 along with a remote code execution exploit.

The problem, in brief, is that Struts2 fails to properly handle user input: a malicious user can elevate privileges by exploiting a design flaw in how HTTP parameter names are handled by the Object-Graph Navigation Language (OGNL).

CVE-2011-3923 is the result of ParametersInterceptor allowing parentheses and thus allowing expression evaluation, which can be exploited as follows:

/myaction?foo=&(foo)('meh')=

and here’s what happens:

  1. The action attribute foo is set to the value of the foo HTTP parameter, so it now holds the attacker's OGNL statement.
  2. The second HTTP parameter, named (foo)('meh'), is evaluated as an OGNL expression: the foo action attribute is retrieved from the action (remember, we control its value via the HTTP parameter) and its value is evaluated as another OGNL statement.
  3. Since the attacker's OGNL statement is in the HTTP parameter value rather than the name, it bypasses the parameter-name regular expression and is free to use the special symbols needed to modify OGNL context properties and allow method execution.
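The root cause described above is a parameter name that the interceptor should never have accepted. The following is an added defensive example (not code from o0o, SEC Consult, or the Struts project): it applies a strict allowlist to every parameter name in a request, where the allowlist regex, the log format and the log lines are all constructed for this illustration, and it runs that check over access-log entries so a defender can spot requests of the shape shown in the advisory. Names are URL-decoded before matching, so percent-encoded parentheses are caught as well.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Illustrative allowlist (an assumption for this example, not the project's own regex):
# a Struts2 action only needs property-path style names such as user.name or
# items[0].id. Parentheses are deliberately absent, because a parenthesised name
# is what turns a parameter into an OGNL expression evaluation.
SAFE_PARAM_NAME = re.compile(r"^[A-Za-z0-9_.\[\]']+$")

# Extracts the request target from a common-log-format line (constructed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD|DELETE) (\S+) HTTP/')


def suspicious_param_names(url):
    """Return the parameter names in a request URL that fall outside the allowlist.

    parse_qsl decodes percent-encoding, so %28foo%29 is inspected as (foo).
    keep_blank_values=True matters: the advisory's parameters carry empty values.
    """
    query = urlsplit(url).query
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    return [n for n in names if not SAFE_PARAM_NAME.match(n)]


def scan_access_log(lines):
    """Return (line_number, client_ip, flagged_names) for every log line whose
    request carries a parameter name outside the allowlist."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        flagged = suspicious_param_names(match.group(1))
        if flagged:
            client_ip = line.split(" ", 1)[0]
            hits.append((number, client_ip, flagged))
    return hits


# Constructed sample log lines: one benign request, one matching the advisory's
# shape, one using the bracket/dot property syntax that legitimate forms rely on.
LOG_LINES = [
    "10.0.0.5 - - [10/Jan/2012:10:00:01 +0000] \"GET /myaction?foo=bar HTTP/1.1\" 200 512",
    "10.0.0.9 - - [10/Jan/2012:10:00:02 +0000] \"GET /myaction?foo=&(foo)('meh')= HTTP/1.1\" 200 512",
    "10.0.0.7 - - [10/Jan/2012:10:00:03 +0000] \"GET /myaction?user.name=alice&items[0].id=3 HTTP/1.1\" 200 512",
]


if __name__ == "__main__":
    for number, client_ip, names in scan_access_log(LOG_LINES):
        print(f"line {number}: {client_ip} sent disallowed parameter name(s): {names}")
```

The same `suspicious_param_names` check is the shape of the fix on the application side: reject the request (or drop the parameter) whenever a name fails the allowlist, instead of letting the name reach OGNL. Because the attacker's expression lives in the parameter value rather than the name, filtering values alone would not close this hole; the parenthesised name is the necessary trigger, so that is what to block and alert on.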
