Analysis and protection of Apache Tomcat information leakage and Remote Code execution vulnerability

Source: Internet
Author: User

Attack and Defense Laboratory, Bo Shuofang


Background information
Apache and Tomcat are both web servers. Apache generally serves static content, while Tomcat is a Java application server that dynamically parses JSP, PHP and similar content; it is a servlet container and can run independently of Apache. By analogy: Apache is a truck that can carry things such as HTML, but it cannot carry water. To carry water you need a container (a bucket), and that bucket, which cannot simply be put on the truck, is Tomcat.


Vulnerability overview
On September 19, 2017, Apache Tomcat officially fixed two vulnerabilities rated as severe: an information disclosure vulnerability (CVE-2017-12616) and a remote code execution vulnerability (CVE-2017-12615). Under certain conditions, these two vulnerabilities allow arbitrary code to be executed on the user's server, leading to data disclosure or a takeover of server privileges, which is a high security risk.
Information disclosure vulnerability (CVE-2017-12616)
When VirtualDirContext is used in Tomcat, an attacker can send a specially crafted request to bypass the configured security constraints, or obtain the source code of JSP files served from the resources that VirtualDirContext provides.
Remote code execution vulnerability (CVE-2017-12615)
If the HTTP PUT request method is enabled on the Apache Tomcat server (the readonly initialization parameter in web.xml has been changed from its default value to false), a remote code execution vulnerability may exist. An attacker could upload a JSP file through this vulnerability.


Attack surface and impact:
The prerequisite for exploiting these vulnerabilities is that the readonly setting has been changed manually so that uploads are allowed. With the default configuration of Apache Tomcat 7.x the vulnerability cannot be exploited successfully, so from actual testing the risk is not that high.
Exploiting CVE-2017-12615 requires a Windows environment and requires the readonly initialization parameter to have been changed from its default value to false. In actual testing, the default web.xml of Tomcat 7.x contains no readonly parameter at all; it has to be added manually, so the default configuration is not affected by this vulnerability.
CVE-2017-12616 requires a VirtualDirContext to be configured in server.xml. In actual testing, the default configuration of Tomcat 7.x contains no VirtualDirContext parameter; it has to be added manually, so the default configuration is not affected by this vulnerability.




Affected versions:
Information disclosure vulnerability (CVE-2017-12616): Apache Tomcat 7.0.0–7.0.80
Remote code execution vulnerability (CVE-2017-12615): Apache Tomcat 5.x–9.


Repair recommendations
Based on a business evaluation, set the readonly value in conf/web.xml to true (or comment the parameter out), disable the PUT method and restart the Tomcat service to temporarily avoid the security risk. Note: if the PUT method is disabled, applications that rely on PUT may stop working.
Users are advised to upgrade to the latest version as soon as possible; the official 7.0.81 release fixes both vulnerabilities.


Web security best practices

How to find out which HTTP methods your site supports:

Send an OPTIONS request to the server and look at the Allow header in the response, for example:

Allow: GET, HEAD, POST, OPTIONS, TRACE
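The check described above, as an added example that is not part of the original article: it parses an Allow header value into a normalised set of methods, flags the ones that usually deserve to be disabled or justified, and includes a small OPTIONS probe for a server you administer. The list of methods to review and the sample header value are constructed for this example; the probe function is never called automatically.

```python
# Added example (not from the original article): inspect the HTTP methods a
# server advertises via the Allow header and flag the ones worth reviewing.
import http.client

# Constructed review list: PUT/DELETE write or remove resources, TRACE echoes
# requests back, CONNECT proxies, and the remainder are WebDAV verbs.
REVIEW_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT",
                  "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def parse_allow(header_value):
    """Turn an Allow value such as "get, head, POST" into a set of upper-case methods."""
    if not header_value:
        return set()
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}


def methods_to_review(header_value):
    """Sorted list of advertised methods that should normally be disabled or justified."""
    return sorted(parse_allow(header_value) & REVIEW_METHODS)


def fetch_allow_header(host, port=80, path="/", timeout=5):
    """Send OPTIONS to a server you administer and return its Allow header (None if absent)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        return conn.getresponse().getheader("Allow")
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed header value mirroring the article's example response.
    sample = "get, head, POST, Options,trace"
    print("advertised:", sorted(parse_allow(sample)))
    print("to review:", methods_to_review(sample))
```

Run it against a real host with `methods_to_review(fetch_allow_header("your.server"))`; an empty list means nothing from the review set is advertised, and anything else is a candidate for the per-server restrictions described below.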

Disabling unnecessary HTTP methods

IIS
IIS denies PUT and DELETE requests by default; if unsafe methods are in use, it is recommended to disable the WebDAV module.

Apache
Allow only the GET and POST methods, and restart the service after making the change:

<Location />
  <LimitExcept GET POST>
    Order Allow,Deny
    Deny from all
  </LimitExcept>
</Location>

Tomcat
Modify web.xml, add the following, and restart the Tomcat service (an empty auth-constraint denies the listed methods to every user):

<security-constraint>
   <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
   </web-resource-collection>
   <auth-constraint/>
</security-constraint>
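To check that a deployment actually has the settings from the repair recommendations and the Tomcat section above, here is an added audit script; it is not code from the original article or from the Tomcat project. It reads a web.xml, reports whether the DefaultServlet has readonly=false and whether a site-wide security-constraint denies PUT and DELETE, and scans a server.xml for a VirtualDirContext resource. Both XML documents embedded below are constructed sample input; the DefaultServlet and VirtualDirContext class names are the real Tomcat ones, and the finding strings are this example's own.

```python
# Added example (not part of the original article): audit a Tomcat web.xml and
# server.xml for the preconditions the article describes. All XML below is
# constructed sample input, not a real deployment.
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed web.xml: readonly=false (the CVE-2017-12615 precondition) and a
# security-constraint that only blocks TRACE, so PUT and DELETE stay open.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""

# Constructed server.xml fragment with a VirtualDirContext (CVE-2017-12616 precondition).
SAMPLE_SERVER_XML = """<Server><Service><Engine><Host>
  <Context path="/app" docBase="app">
    <Resources className="org.apache.naming.resources.VirtualDirContext"
               extraResourcePaths="/=/srv/extra"/>
  </Context>
</Host></Engine></Service></Server>
"""


def _local(tag):
    """Strip the namespace so web.xml with or without an xmlns parses the same way."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    kids = _children(elem, name)
    return (kids[0].text or "").strip() if kids else ""


def default_servlet_readonly(root):
    """Effective readonly value of the DefaultServlet; Tomcat defaults to true when absent."""
    for servlet in root.iter():
        if _local(servlet.tag) == "servlet" and _text(servlet, "servlet-class") == DEFAULT_SERVLET:
            for param in _children(servlet, "init-param"):
                if _text(param, "param-name").lower() == "readonly":
                    return _text(param, "param-value").lower()
    return "true"


def blocked_methods(root):
    """Methods denied for /* by a security-constraint whose empty auth-constraint denies everyone."""
    blocked = set()
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = _children(sc, "auth-constraint")
        if not auth or _children(auth[0], "role-name"):
            continue  # no auth-constraint, or role-based access: not a blanket deny
        for coll in _children(sc, "web-resource-collection"):
            patterns = [(p.text or "").strip() for p in _children(coll, "url-pattern")]
            if "/*" in patterns:
                blocked.update((m.text or "").strip().upper() for m in _children(coll, "http-method"))
    return blocked


def uses_virtual_dir_context(server_xml_text):
    """True if any <Resources> element is backed by VirtualDirContext."""
    root = ET.fromstring(server_xml_text)
    return any(_local(e.tag) == "Resources" and "VirtualDirContext" in e.get("className", "")
               for e in root.iter())


def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means the checks the article describes pass."""
    root = ET.fromstring(xml_text)
    findings = []
    if default_servlet_readonly(root) == "false":
        findings.append("DefaultServlet readonly=false: PUT can write files (CVE-2017-12615 precondition)")
    missing = {"PUT", "DELETE"} - blocked_methods(root)
    if missing:
        findings.append("no site-wide security-constraint denies " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML):
        print("web.xml:", finding)
    if uses_virtual_dir_context(SAMPLE_SERVER_XML):
        print("server.xml: VirtualDirContext configured (CVE-2017-12616 precondition)")
```

Point `audit_web_xml` at the contents of conf/web.xml (and any per-application WEB-INF/web.xml, which can override the DefaultServlet parameters) and `uses_virtual_dir_context` at conf/server.xml and any context files; a missing readonly parameter is reported as the Tomcat default of true, matching the article's observation that the stock 7.x configuration is not affected.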
