I'm Chris McCown, head of Product Security, with a vast background in Security Engineering. My team triages findings, discovers vulnerabilities, builds tools and offered solutions... Here's some of my personal work.
Exploiting Struts RCE on 2.5.26 Abstract Late last year, 2020, a fix for a remote code execution (RCE) vulnerability discovered by Alvaro Munoz and Masato Anzai, was published by Apache Struts that goes by S2-061 or CVE-2020-17530 a " Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution - similar to S2-059 or CVE-2019-0230. While fixes to both have helped in limiting the vulnerable scenarios while using the Struts2 library and strengthening its sandbox, remote code execution is still possible in the latest versions of Struts 2.5.26. While the sandbox escape written below is new and works on Struts 2.5.26 , i t was just mentioned to me this OGNL evaluation was originally reported by Man Yue Mo and Alvaro Munoz. Please check out their great work here: https:// securitylab.github.com/research/apach e-struts-double-evaluation/ … https:// securitylab.github.com/advisories/GHS L -2020-205-doub...
Vulnerabilities In Apache Commons-Text 1.10.0 Abstract In October 2022 a vulnerability in Apache Commons-Text was reported ( CVE-2022-42889 ) dubbed "Text4Shell". This vulnerability, while less prevalent, acted somewhat similar to log4shell which used interpolators to perform string lookups on user defined input that resulted in code execution. Like most software, there's often other related issue(s) found in neighboring code that don't get fixed when a big issue like this is reported. This blog is on those other vulnerabilities. Background CVE-2022-42889 "Text4Shell" was centered on an unsafe script evaluation found in the ScriptStringLookup. A POC looked like the following (seen at GHSL-2022-018 ): final StringSubstitutor interpolator = StringSubstitutor . createInterpolator (); String out = interpolator . replace ( "${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}" ); System . out . println ( out ...
2nd RCE and XSS in Apache Struts 2.5.0 - 2.5.29 Abstract In early April 2021 I disclosed a 0day on Apache Struts 2.5.0-2.5.29 here after responsibly disclosing it and eventually getting permission from Apache Struts. However, I decided to keep digging and found a second, new RCE caused by double OGNL evaluation via a different vector which I'll be describing here. If you want to know more about Apache Struts RCEs via OGNL evaluations I highly recommend checking out the work by Man Yue Mo and Alvaro Munoz. You can find it here: https:// securitylab.github.com/research/apach e-struts-double-evaluation/ … https:// securitylab.github.com/advisories/GHS L Vulnerability Analysis OGNL evaluations are exploitable when OGNL code is evaluated twice. This is often done when the "findString" or "findValue" function are called consecutively inside an object like Component or UIBean object. In order to find these issues you typically search through java files to find where...