Scanning for CVE-2017-5638 using nmap

On March 6, 2017, Apache disclosed a vulnerability in the Jakarta multipart parser used in Apache Struts2 that could allow an attacker to execute commands remotely on the targeted system using a crafted Content-Type header value.
This vulnerability has been assigned CVE-ID CVE-2017-5638.
This page explains how you can scan for it from a Windows machine using nmap.

When exploited, an attacker can execute arbitrary OGNL code included in the "Content-Type" header of a file upload.
This vulnerability is actively being exploited.
An unauthenticated remote attacker can execute arbitrary commands with the privileges of the user running Apache Struts.

An nmap script has been developed that allows to detect whether a web server is vulnerable for CVE-2017-5638.

The following steps explain how you can use nmap to scan a server for the availability of CVE-2017-5638. We assume that you already have installed nmap on your machine.

  1. Download the nmap NSE script to scan for CVE-2017-5638. The file to download is https://svn.nmap.org/nmap/scripts/http-vuln-cve2017-5638.nse and you should save it in the scripts subfolder of the directory in which you installed nmap.
  2. Run the following command to update the NSE script rule database: nmap --script-updatedb

Now nmap is ready to scan for CVE-2017-5638 on your machines. Attention Windows 7 and 8 users: you have to run the nmap command as Administrator. So I recommend to start a DOS Command Prompt as administrator (right-click and then select "Run as administrator") and to start nmap from within this window.

The nmap command-line to scan for CVE-2017-5638 is the following:
nmap.exe -p 443 --script http-vuln-cve2017-5638 -oN CVE-2017-5638_443 192.168.1.17

If you want to specify a path on the webserver that must be scanned, than you can pass the path as follows:
nmap.exe -p 443 --script http-vuln-cve2017-5638 --script-args path=/welcome.action -oN CVE-2017-5638_443 192.168.1.17

The command-line options that we specify mean the following:

  • -p 443: This indicates the port that we want to scan. Here we only scan port 443 which is the most common SSL/TLS port. If you have SSL/TLS servers running on other ports, you can add them by separating them with commas, e.g. -p 443,8080,8443,8888. If you leave out the -p parameter, nmap will scan a default list of the most common ports.
  • --script http-vuln-cve2017-5638: This indicates that the CVE-2017-5638 script should be executed on every found open port.
  • -oN CVE-2017-5638_443: Output scan in normal format to the given filename (in this case the filename will be CVE-2017-5638_443.nmap
  • 192.168.1.17: This indicates the machine to scan.

If nmap detects that a machine is vulnerable for CVE-2017-5638, then the output will look as follows:

C:\TOOLS\nmap>nmap.exe -p 443 --script http-vuln-cve2017-5638 --script-args path=/welcome.action 192.168.1.17

Starting Nmap 6.40 ( http://nmap.org ) at 2017-03-14 22:00 ope
Nmap scan report for 192.168.1.17
Host is up (0.00s latency).
PORT    STATE SERVICE
443/tcp open  https
| http-vuln-cve2017-5638:
|   VULNERABLE:
|   Apache Struts Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-5638
|     Description:
|       Apache Struts 2.3.5 - Struts 2.3.31 and Apache Struts 2.5 - Struts 2.5.10 are vulnerable to a Remote Code Execution
|       vulnerability via the Content-Type header.
|
|     Disclosure date: 2017-03-07
|     References:
|       https://cwiki.apache.org/confluence/display/WW/S2-045
|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
|_      http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html

Nmap done: 1 IP address (1 host up) scanned in 30.82 seconds

If nmap detects that a machine is not vulnerable for CVE-2017-5638, then the output will look as follows:

C:\TOOLS\nmap>nmap.exe -p 443 --script http-vuln-cve2017-5638 192.168.1.17

Starting Nmap 6.40 ( http://nmap.org ) at 2017-03-14 22:00 ope
Nmap scan report for 192.168.1.17
Host is up (0.0020s latency).
PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 27.55 seconds

Additional links:

Tags: 

You might also be interested in...