[Metasploit] CVE-2017-9805: Apache Struts 2 REST Plugin XStream RCE

What is Apache Struts 2 REST Plugin XStream RCE (CVE-2017-9805)?

Apache Struts has published a security bulletin (S2-052) for a high-risk remote code execution vulnerability in the REST plugin of Struts 2.5.x, tracked as CVE-2017-9805. The root cause is that XStreamHandler deserializes request bodies with an XStream instance that performs no type filtering, which lets an attacker-controlled XML document drive the deserialization into remote code execution.

Affected versions

Struts 2.5 – Struts 2.5.12

For the fix and more information, visit here.

Exploitation

struts2_rest_xstream metasploit module

The REST plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to remote code execution when deserializing XML payloads.
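The missing control is a type allow-list on the XStream instance. The following is an added illustration of that control written for this page, not code from Struts or from the Metasploit module; `Order` is a hypothetical model class standing in for whatever the REST endpoint legitimately accepts, and the XML strings are constructed samples.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamTypeFilterDemo {

    // Hypothetical model class: the only object the endpoint should ever build from XML.
    public static class Order {
        public String id;
        public int quantity;
    }

    // Hardened XStream: deny every type first, then allow only what the endpoint expects.
    // Without the NoTypePermission line, XStream (in the versions Struts 2.5.12 shipped with)
    // will instantiate any class named in the document, which is the S2-052 condition.
    static XStream hardened() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);              // clear the implicit allow-all
        xs.addPermission(NullPermission.NULL);                // permit null values
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // permit int, boolean, ...
        xs.allowTypes(new Class[] { Order.class, String.class });
        xs.alias("order", Order.class);                       // map <order> to Order
        return xs;
    }

    // Returns the deserialized Order, or null when the document names a type outside the allow-list.
    static Order parseOrder(String xml) {
        try {
            return (Order) hardened().fromXML(xml);
        } catch (ForbiddenClassException e) {
            // XStream refuses to instantiate any class that is not on the allow-list.
            System.out.println("rejected by type filter: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a document that matches the model.
        String legit = "<order><id>A-1</id><quantity>2</quantity></order>";
        // Constructed sample: a document naming a class the endpoint never needs.
        String unexpected = "<java.util.HashMap/>";

        Order o = parseOrder(legit);
        System.out.println("accepted: " + o.id + " x" + o.quantity);
        System.out.println("unexpected accepted? " + (parseOrder(unexpected) != null));
    }
}
```

The second call returns null rather than an object, which is the behaviour a patched handler should exhibit for any element type it has not explicitly allowed.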

Demo

https://www.youtube.com/watch?v=n9hwWBOd-oo