Exploiting Struts RCE on 2.5.26
For some UIBean tags the name field was vulnerable to a double OGNL evaluation when there was no corresponding value field, which could lead to remote code execution.
First, a brief bit about double OGNL evaluation, as I don't think we've covered it before, or it has been a while. Even if you're not familiar with OGNL, the idea of double evaluation is pretty simple. Imagine you have any sort of variable expansion expression. So in a template language you might write <b>{{username}}</b> and expect {{username}} to be expanded into the actual username variable. Double evaluation is when the result of that expansion is evaluated again. So if the username, being attacker controlled, was something malicious like {{PRIVATE_KEY}}, then the first expansion would fill in the username, replacing it with {{PRIVATE_KEY}}, and evaluating the result again would potentially leak a sensitive value.
OGNL is more powerful than that: it is capable of navigating through Java object properties and performing method calls. So a double evaluation of an OGNL expression can lead to code execution, within the OGNL sandbox at least.
Returning to the vulnerability here: double evaluation is a known issue with Struts, so they avoid it in general. What was found here was a bit of an edge case. The name field would be evaluated as expected, and normally the value field would be fetched independently. When the value field was missing, however, some UIBean classes would fill it in with the name, and if that was an expression it would be re-evaluated as long as it wasn't recursive, creating a path to gain code execution.
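To make the edge case concrete, here is a small model of it in Python (an added example written for this post, not Struts' own code or OGNL). It uses a toy {{name}} expander in place of OGNL, a constructed render context, and assumes the recursion guard simply compares the expanded name against the original expression; the point is that the missing-value fallback is where the second evaluation sneaks in, and that the guard does not stop it.

```python
import re
from typing import Optional

# Constructed render context, standing in for the value stack a tag sees at render time.
CONTEXT = {
    "username": "{{PRIVATE_KEY}}",        # attacker-controlled input that is itself an expression
    "PRIVATE_KEY": "constructed-secret",  # a sensitive value that should never reach the page
}

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def expand_once(template: str, context: dict) -> str:
    """Single evaluation: each {{name}} is replaced by its value, and the
    substituted text is treated as data (it is never scanned again)."""
    return PLACEHOLDER.sub(lambda m: str(context.get(m.group(1), m.group(0))), template)


def render_field(name_expr: str, value_expr: Optional[str], context: dict,
                 reevaluate_fallback: bool) -> dict:
    """Hypothetical model of the tag-rendering edge case, not the real UIBean code.

    The name attribute is evaluated once. If the value attribute is absent, the
    already expanded name is reused as the value. The vulnerable variant evaluates
    that fallback again unless doing so would be recursive (assumed here to mean
    the expansion returned the original expression); the safe variant reuses it
    as plain data, so attacker text is never treated as an expression.
    """
    name = expand_once(name_expr, context)
    if value_expr is not None:
        value = expand_once(value_expr, context)      # independent value: one evaluation
    elif reevaluate_fallback and name != name_expr:
        value = expand_once(name, context)            # second evaluation of attacker text
    else:
        value = name                                  # fallback kept as data
    return {"name": name, "value": value}
```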
The post also dives into the full RCE chain to popping calc.exe and breaking out of the OGNL sandbox.