This article contains information about using Application Firewall signatures to prevent Apache Struts attacks.
There is an increasing concern about protecting against vulnerabilities in older versions of Apache Struts 2. Some of the more important vulnerabilities are:
CVE-2013-2251: Information following “action:”, “redirect:”, or “redirectAction:” is not properly sanitized.
CVE-2013-2115: A request that included a specially crafted request parameter could be used to inject arbitrary OGNL code into the stack.
CVE-2012-0391: Filters designed to prevent attackers from calling arbitrary methods within parameters can be bypassed.
You can add the following Application Firewall signatures to mitigate these vulnerabilities at the firewall while the application is being patched (a signature blocks known attack patterns; it does not fix Struts itself). Each signature looks for specific patterns that are present in attacks exploiting the preceding vulnerabilities. For example, for CVE-2013-2251 the signatures (IDs 999980 and 999981) look for a form-field name containing "action:" or "redirect:"; if one is present and a field name also contains characters outside the whitelist of letters, digits, ".", "[", "]", "_", "'" and whitespace, the Application Firewall blocks the request. Two caveats before deploying: the listed rules name only the "action:" and "redirect:" prefixes, so test a request that uses the "redirectAction:" prefix from the CVE description against your deployment and add a rule for it if it is not blocked; and rules 999983 and 999984 pair a short literal ("{#", "java") with that broad character class applied to any form-field value, so run them with actions="log" first and review the hits before switching to "block,log".
The following are the Application Firewall signatures:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Copyright 2012 Citrix Systems, Inc. All rights reserved. -->
<SignaturesFile version="2" schema_version="2">
  <Signatures>
    <SignatureRule actions="block,log" category="web-struts" enabled="ON" id="999980" source="Citrix" sourceid="0" type="" version="1">
      <LogString>Apache Struts remote execution: CVE 2013-2251 (action:)</LogString>
      <PatternList>
        <RequestPatterns>
          <Pattern>
            <Location area="HTTP_FORM_FIELD">
              <FieldName type="Literal">action:</FieldName>
            </Location>
            <Match type="PCRE">.*</Match>
          </Pattern>
          <Pattern>
            <Location area="HTTP_FORM_FIELD">
              <FieldName type="PCRE">[^a-zA-Z0-9\.\]\[_'\s]+</FieldName>
            </Location>
            <Match type="PCRE">.*</Match>
          </Pattern>
        </RequestPatterns>
      </PatternList>
      <Reference>cve,2013-2251</Reference>
      <Reference>url,http://struts.apache.org/release/2.3.x/docs/s2-016.html</Reference>
    </SignatureRule>
    <SignatureRule actions="block,log" category="web-struts" enabled="ON" id="999981" source="Citrix" sourceid="0" type="" version="1">
      <LogString>Apache Struts remote execution: CVE 2013-2251 (redirect:)</LogString>
      <PatternList>
        <RequestPatterns>
          <Pattern>
            <Location area="HTTP_FORM_FIELD">
              <FieldName type="Literal">redirect:</FieldName>
            </Location>
            <Match type="PCRE">.*</Match>
          </Pattern>
          <Pattern>
            <Location area="HTTP_FORM_FIELD">
              <FieldName type="PCRE">[^a-zA-Z0-9\.\]\[_'\s]+</FieldName>
            </Location>
            <Match type="PCRE">.*</Match>
          </Pattern>
        </RequestPatterns>
      </PatternList>
      <Reference>cve,2013-2251</Reference>
      <Reference>url,http://struts.apache.org/release/2.3.x/docs/s2-016.html</Reference>
    </SignatureRule>
    <SignatureRule actions="block,log" category="web-struts" enabled="ON" id="999982" source="Citrix" sourceid="0" type="" version="1">
      <LogString>Apache Struts remote execution: CVE 2012-0391 (Cookie Interceptor)</LogString>
      <PatternList>
        <RequestPatterns>
          <Pattern type="fastmatch">
            <Location area="HTTP_RAW_COOKIE"> </Location>
            <Match type="Literal">#_memberAccess["allowStaticMethodAccess"]</Match>
          </Pattern>
        </RequestPatterns>
      </PatternList>
      <Reference>cve,2012-0391</Reference>
      <Reference>url,http://www.exploit-db.com/exploits/18329/</Reference>
      <Reference>url,http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html</Reference>
    </SignatureRule>
    <SignatureRule actions="block,log" category="web-struts" enabled="ON" id="999983" source="Citrix" sourceid="0" type="" version="1">
      <LogString>Apache Struts remote execution: CVE 2013-2115</LogString>
      <PatternList>
        <RequestPatterns>
          <Pattern>
            <Location area="HTTP_FORM_FIELD"> </Location>
            <Match type="Literal">{#</Match>
          </Pattern>
          <Pattern>
            <Location area="HTTP_FORM_FIELD"> </Location>
            <Match type="PCRE">[^a-zA-Z0-9\.\]\[_'\s]+</Match>
          </Pattern>
        </RequestPatterns>
      </PatternList>
      <Reference>cve,2013-2115</Reference>
      <Reference>url,http://struts.apache.org/development/2.x/docs/s2-014.html</Reference>
    </SignatureRule>
    <SignatureRule actions="block,log" category="web-struts" enabled="ON" id="999984" source="Citrix" sourceid="0" type="" version="1">
      <LogString>Apache Struts remote execution: CVE 2012-0391 (Exception Delegator/ParametersInterceptor/DebuggingInterceptor)</LogString>
      <PatternList>
        <RequestPatterns>
          <Pattern>
            <Location area="HTTP_FORM_FIELD"> </Location>
            <Match type="Literal">java</Match>
          </Pattern>
          <Pattern>
            <Location area="HTTP_FORM_FIELD"> </Location>
            <Match type="PCRE">[^a-zA-Z0-9\.\]\[_'\s]+</Match>
          </Pattern>
        </RequestPatterns>
      </PatternList>
      <Reference>cve,2012-0391</Reference>
      <Reference>url,http://www.exploit-db.com/exploits/18329/</Reference>
      <Reference>url,http://archives.neohapsis.com/archives/bugtraq/2012-01/0031.html</Reference>
    </SignatureRule>
  </Signatures>
</SignaturesFile>
```
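To see what these rules actually match before importing them, the following Python script (an added example written for this article, not a Citrix tool or part of the signature file) parses a constructed subset of the signature file above (rules 999981 to 999984 only, without their Reference elements) and evaluates it against constructed sample requests. The engine semantics it models are assumptions, stated again in the code comments: every Pattern in a rule must match for the rule to fire, a Literal pattern is a case-sensitive substring match, a PCRE pattern is unanchored, and HTTP_FORM_FIELD covers both query-string and body parameters. Under those assumptions it shows a "redirect:" request being caught, a "redirectAction:" request passing untouched, and an ordinary form post (a comment mentioning "java" plus an e-mail address) tripping rule 999984. Confirm each of these against a real NetScaler with a test request before relying on the model.

```python
"""Offline model of Application Firewall signature matching for the Struts rules above."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl

# Constructed subset of the signature file above (rules 999981-999984, one <Pattern> per
# line, Reference elements dropped). Input for this script only, not a file to deploy.
SIGNATURES_XML = r"""<SignaturesFile version="2" schema_version="2"><Signatures>
<SignatureRule actions="block,log" category="web-struts" enabled="ON" id="999981">
<LogString>Apache Struts remote execution: CVE 2013-2251 (redirect:)</LogString>
<PatternList><RequestPatterns>
<Pattern><Location area="HTTP_FORM_FIELD"><FieldName type="Literal">redirect:</FieldName></Location><Match type="PCRE">.*</Match></Pattern>
<Pattern><Location area="HTTP_FORM_FIELD"><FieldName type="PCRE">[^a-zA-Z0-9\.\]\[_'\s]+</FieldName></Location><Match type="PCRE">.*</Match></Pattern>
</RequestPatterns></PatternList></SignatureRule>
<SignatureRule actions="block,log" category="web-struts" enabled="ON" id="999982">
<LogString>Apache Struts remote execution: CVE 2012-0391 (Cookie Interceptor)</LogString>
<PatternList><RequestPatterns>
<Pattern type="fastmatch"><Location area="HTTP_RAW_COOKIE"> </Location><Match type="Literal">#_memberAccess["allowStaticMethodAccess"]</Match></Pattern>
</RequestPatterns></PatternList></SignatureRule>
<SignatureRule actions="block,log" category="web-struts" enabled="ON" id="999983">
<LogString>Apache Struts remote execution: CVE 2013-2115</LogString>
<PatternList><RequestPatterns>
<Pattern><Location area="HTTP_FORM_FIELD"> </Location><Match type="Literal">{#</Match></Pattern>
<Pattern><Location area="HTTP_FORM_FIELD"> </Location><Match type="PCRE">[^a-zA-Z0-9\.\]\[_'\s]+</Match></Pattern>
</RequestPatterns></PatternList></SignatureRule>
<SignatureRule actions="block,log" category="web-struts" enabled="ON" id="999984">
<LogString>Apache Struts remote execution: CVE 2012-0391 (ExceptionDelegator/ParametersInterceptor/DebuggingInterceptor)</LogString>
<PatternList><RequestPatterns>
<Pattern><Location area="HTTP_FORM_FIELD"> </Location><Match type="Literal">java</Match></Pattern>
<Pattern><Location area="HTTP_FORM_FIELD"> </Location><Match type="PCRE">[^a-zA-Z0-9\.\]\[_'\s]+</Match></Pattern>
</RequestPatterns></PatternList></SignatureRule>
</Signatures></SignaturesFile>"""


def _compile(elem):
    """Turn a <FieldName> or <Match> element into a regex.
    Assumption: Literal is a case-sensitive substring match, PCRE is an unanchored regex."""
    text = elem.text or ""
    return re.compile(text if elem.get("type") == "PCRE" else re.escape(text))


def _pattern_hits(pattern, fields, raw_cookie):
    """True if one <Pattern> matches the request. fields is a list of (name, value)."""
    location = pattern.find("Location")
    match_re = _compile(pattern.find("Match"))
    area = location.get("area")
    if area == "HTTP_RAW_COOKIE":          # Match runs over the raw Cookie header
        return match_re.search(raw_cookie) is not None
    if area == "HTTP_FORM_FIELD":          # FieldName (if any) selects the field, Match tests its value
        name_elem = location.find("FieldName")
        name_re = _compile(name_elem) if name_elem is not None else None
        return any((name_re is None or name_re.search(name)) and match_re.search(value)
                   for name, value in fields)
    raise ValueError(f"unsupported Location area: {area}")


def load_rules(xml_text):
    """Return the enabled SignatureRule elements from a signatures file."""
    root = ET.fromstring(xml_text)
    return [r for r in root.iter("SignatureRule") if r.get("enabled") == "ON"]


def evaluate(rules, query="", body="", cookie=""):
    """Return the ids of the rules that fire for one request, in file order.
    Assumption: all Patterns under RequestPatterns must match (AND) for the rule to fire,
    and query-string and body parameters are both HTTP_FORM_FIELD."""
    fields = parse_qsl(query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True)
    hits = []
    for rule in rules:
        patterns = rule.findall("PatternList/RequestPatterns/Pattern")
        if patterns and all(_pattern_hits(p, fields, cookie) for p in patterns):
            hits.append(rule.get("id"))
    return hits


RULES = load_rules(SIGNATURES_XML)

# Constructed sample requests (not captured traffic); the OGNL is a harmless assignment.
SAMPLES = {
    "s2-016 redirect:": dict(query="redirect:${%23a%3d1}"),                 # OGNL in the parameter name
    "s2-016 redirectAction:": dict(query="redirectAction:${%23a%3d1}"),     # prefix no listed rule names
    "s2-008 cookie": dict(cookie='JSESSIONID=1A2B; #_memberAccess["allowStaticMethodAccess"]=true'),
    "s2-014 value": dict(body="name=${%23a%3d1}"),                           # OGNL in a parameter value
    "benign, but hits 999984": dict(body="comment=I+like+java&email=a%40b.example"),
    "benign": dict(query="action=list&page=2", cookie="JSESSIONID=1A2B"),
}


def scan_samples():
    """Map each sample label to the list of rule ids that would block it."""
    return {label: evaluate(RULES, **req) for label, req in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in scan_samples().items():
        print(f"{label:26s} -> {'BLOCK ' + ','.join(hits) if hits else 'pass'}")
```

The two independent "any form field" patterns in rule 999984 are what make the benign comment-plus-e-mail post match: "java" satisfies the first pattern in one field and "@" satisfies the second in another. If the real engine evaluates the patterns the same way, that rule belongs in log mode until the false-positive rate on your traffic is known.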
These signatures will be added to the default signatures in the next Application Firewall signature update. Customers with automatic signature updates enabled receive them without any additional action; until then, import the signature file above manually.
Refer to Citrix eDocs - Signatures for the procedure to update the Application Firewall signatures.