Posts

RCE on Apache Struts 2.5.30 and 6.x

RCE in Apache Struts 2.5.30 and 6.x. Abstract: In early May 2021 I reported a second RCE on Apache Struts 2.5.0-2.5.29 here and disclosed the details a month after the fix was made public. Again, like many of you security researchers, I had to look more into it. So I kept digging and found a bypass to one of the RCEs that got fixed, which I'll briefly be describing here. There is no CVE identifier for this. To be clear, this is a rare situation that most programs won't run into and applies specifically to a 'select' type object. It is considered by Apache Struts to be a developer error in which the developer is forcing an evaluation ('%{}') with untrusted user input and thus not a vulnerability. Please see Apache Struts's Security page for more details on this. Vulnerability Analysis: A reminder, OGNL evaluations are exploitable when OGNL code is evaluated twice. If you need an example of that please read through the previous two RCEs I wrote about. The b...

2nd RCE and XSS in Apache Struts before 2.5.30

2nd RCE and XSS in Apache Struts 2.5.0 - 2.5.29. Abstract: In early April 2021 I disclosed a 0day on Apache Struts 2.5.0-2.5.29 here after responsibly disclosing it and eventually getting permission from Apache Struts. However, I decided to keep digging and found a second, new RCE caused by double OGNL evaluation via a different vector which I'll be describing here. If you want to know more about Apache Struts RCEs via OGNL evaluations I highly recommend checking out the work by Man Yue Mo and Alvaro Munoz. You can find it here: https://securitylab.github.com/research/apache-struts-double-evaluation/ … https://securitylab.github.com/advisories/GHSL… Vulnerability Analysis: OGNL evaluations are exploitable when OGNL code is evaluated twice. This is often done when the "findString" or "findValue" functions are called consecutively inside an object like a Component or UIBean object. In order to find these issues you typically search through Java files to find where...

Exploiting Struts RCE on 2.5.26

Exploiting Struts RCE on 2.5.26. Abstract: Late last year, 2020, a fix for a remote code execution (RCE) vulnerability discovered by Alvaro Munoz and Masato Anzai was published by Apache Struts. It goes by S2-061 or CVE-2020-17530: "Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution", similar to S2-059 or CVE-2019-0230. While fixes to both have helped in limiting the vulnerable scenarios while using the Struts2 library and strengthening its sandbox, remote code execution is still possible in the latest version of Struts, 2.5.26. While the sandbox escape written below is new and works on Struts 2.5.26, it was just mentioned to me that this OGNL evaluation was originally reported by Man Yue Mo and Alvaro Munoz. Please check out their great work here: https://securitylab.github.com/research/apache-struts-double-evaluation/ … https://securitylab.github.com/advisories/GHSL-2020-205-doub...

Hello World

  class HelloWorld {
      public static void main(String[] args) {
          System.out.println("Hello, World!");
      }
  }

Adobe XSS Vulnerability Discovered - Responsibly Disclosed

Recently I stumbled upon an XSS vulnerability in one of Adobe's services and reported it to their security team. It took less than 2 weeks to address the issue and produce a fix. Well done. Here is the link to their acknowledgments: http://helpx.adobe.com/security/acknowledgements.html

Google Security Vulnerability Discovered - Responsibly Disclosed

About a month ago I stumbled upon a vulnerability in one of Google's services and reported it to their security team. In less than 48 hours they had quickly addressed the issue and validated its legitimacy and importance. I was quite impressed by how fast they were able to reply to my email and was glad to see how seriously they took the issue. Well done. Here is the link to their hall of fame list: http://www.google.com/about/appsecurity/hall-of-fame/reward/