Posted to user@struts.apache.org by Sean Son <li...@gmail.com> on 2017/09/06 22:56:04 UTC

How to determine if a Windows server is running Apache Struts?

Hello all

I am new to the mailing list as well as new to Apache Struts.  We all heard
in the news about the vulnerability affecting Apache Struts. I have been
tasked to determine which of our servers have Struts running on them.  I
have a few questions on how to determine if a server is running Struts or
not:

1) How does one determine if a Windows server, running IIS, has the Apache
Struts framework installed on it?

2) Does Apache Struts only run on Apache Webserver and Tomcat?

3) Is there a simple way to determine if a server has Struts installed,
instead of logging into each of the servers and checking the programs list?


I appreciate ALL help!


Thanks

Sean

Re: How to determine if a Windows server is running Apache Struts?

Posted by Sean Son <li...@gmail.com>.

Thank you for your reply.  Do you know what script should be used for
Windows servers to check for Struts?  I am not a Windows Admin, so any
guidance will be greatly appreciated!


Thanks

Re: How to determine if a Windows server is running Apache Struts?

Posted by Ken McWilliams <ke...@gmail.com>.
Programs can also be "exploded" (not in any type of zip file), so be sure to
search all files in the normal filesystem as well. To test your script, just
create a couple of zip files with some nested folders where you have placed
some made-up files called either "struts.xml" or "struts2-core-*.jar", to be
sure that your script is able to identify them. If it doesn't find those,
your script is unhappy!




-- 
Sent from my C64 using a 300 baud modem

Re: How to determine if a Windows server is running Apache Struts?

Posted by Ken McWilliams <ke...@gmail.com>.
Struts isn't a stand-alone program but a framework, typically seen as a
project dependency which supports web development on the JVM.

I don't know the answer to 1) [although I will at the end go through the
process I would attempt to find such programs].

2) No. Struts2 [which is a different code base from Struts v1, and does not
share the same issues] is a Java web framework; it will run on any JEE
compliant web server, and will run on embedded web servers such as Jetty.

3) No. And the program list will not determine if the program uses the
Struts framework.

How I would attempt to determine the issue:

Most programs will not have been obfuscated (which may make determining
this much harder).
Java applications are typically packaged as JAR, WAR, or EAR. These are all
just zip files. I would automate the process to scan for all such files,
open them, recursively travel their internal folder structure and search for
either struts.xml OR struts2-core-*.jar where "*" is a version number, and
accumulate all such files and/or paths to these files into a plain text
document and then check them by hand [to determine the version of Struts,
and determine if it has the security exploit and/or is exploitable (if it
isn't accessible to the outside world generally it isn't a concern; of
course this depends on company size and the nature of what is being secured)].
Some assumptions could be made about the internal project structure that
could save a great deal of time, but because of build differences these
shortcuts (assuming what folder libraries are stored in) could cause you to
miss something, so it is probably best to just search everything.




-- 
Sent from my C64 using a 300 baud modem
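An added scanner (not code from this thread, and not an Apache project tool) for the procedure Ken lays out across his two replies: walk the filesystem for JAR/WAR/EAR files, open each as a zip, recurse into nested archives, flag struts.xml or struts2-core-*.jar, and also catch "exploded" applications sitting on plain disk; build_fixture() is the self-test he suggests, built from made-up files. It is written in Python rather than as a Windows-native script so the same code runs on an IIS host or anywhere else; the directory layout, file names and the version string 2.5.10 in the fixture are constructed.

```python
import io, os, re, tempfile, zipfile

STRUTS_XML = re.compile(r"(^|/)struts\.xml$", re.I)  # the two names Ken says to look for
STRUTS_CORE = re.compile(r"(^|/)struts2-core-([0-9][\w.\-]*)\.jar$", re.I)  # "*" = version
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")  # all of these are plain zip containers

def classify(name):  # -> ('struts2-core', version), ('struts.xml', None) or None
    n = name.replace("\\", "/")  # Windows paths vs. zip entry names
    m = STRUTS_CORE.search(n)
    return ("struts2-core", m.group(2)) if m else ("struts.xml", None) if STRUTS_XML.search(n) else None

def scan_archive(data, label, findings):
    """Walk a zip held in memory, recursing into nested archives (WAR in EAR, JAR in WEB-INF/lib)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # a .jar/.war that is not a real zip: skip it and keep scanning
    for entry in zf.namelist():
        where, hit = label + "!" + entry, classify(entry)
        if hit:
            findings.append((where,) + hit)
        if entry.lower().endswith(ARCHIVE_EXTS):
            scan_archive(zf.read(entry), where, findings)

def scan_tree(root):
    """Walk root for exploded apps on disk AND packaged JAR/WAR/EAR files -> [(where, kind, version)]."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            path, hit = os.path.join(dirpath, f), classify(f)
            if hit:
                findings.append((path,) + hit)
            if f.lower().endswith(ARCHIVE_EXTS):
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), path, findings)
    return sorted(findings, key=lambda x: x[0])

def build_fixture():
    """Constructed test tree, as Ken suggests: made-up files, one EAR>WAR>lib chain, one exploded app."""
    root = tempfile.mkdtemp()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/lib/struts2-core-2.5.10.jar", b"fake")  # constructed version string
        z.writestr("WEB-INF/lib/commons-io-2.6.jar", b"decoy")  # must NOT be reported
    with zipfile.ZipFile(os.path.join(root, "app.ear"), "w") as z:
        z.writestr("shop.war", war.getvalue())
    os.makedirs(os.path.join(root, "exploded", "WEB-INF", "classes"))
    open(os.path.join(root, "exploded", "WEB-INF", "classes", "struts.xml"), "w").close()
    return root
```

Run scan_tree() over each server's web root or drive, write the returned tuples out to a text file, and review the versions by hand against the advisory as Ken describes; a hit says the dependency is present, not that the application is reachable from outside.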