CVE-2017-12615/CVE-2017-12616: Tomcat Information Disclosure and Remote Code Execution Vulnerability Analysis Report

Source: Internet
Author: User

This article is from the Aliyun Yunqi (Cloud Habitat) community.


I. Overview of Vulnerabilities

On September 19, 2017, Apache Tomcat officially confirmed and fixed two high-risk vulnerabilities, CVE-2017-12615 and CVE-2017-12616. The affected versions are 7.0-7.80, and the official rating is high risk. Under certain conditions, an attacker can exploit these two vulnerabilities to obtain the source code of JSP files on the user's server, or use a carefully constructed request to upload a malicious JSP file to the server. Through the uploaded JSP file, arbitrary code can be executed on the user's server, resulting in data disclosure or access to the server, which is a high security risk.


II. Basic Vulnerability Information

Vulnerability numbers: CVE-2017-12616, CVE-2017-12615

Vulnerability names:
CVE-2017-12615 - Remote Code Execution Vulnerability
CVE-2017-12616 - Information Disclosure Vulnerability

Official rating: High risk. In actual testing, the vulnerabilities are less harmful.

Vulnerability Description:

CVE-2017-12616: Information disclosure vulnerability
When VirtualDirContext is enabled in Tomcat, an attacker can send a specially crafted malicious request to bypass the security restrictions that have been configured, or to obtain the source code of JSP files for resources served by VirtualDirContext.

CVE-2017-12615: Remote code execution vulnerability
When Tomcat runs on the Windows operating system and the HTTP PUT request method is enabled (for example, by setting the readonly initialization parameter to false), an attacker might be able to upload a JSP file containing arbitrary code to the server through a carefully constructed request. The server then executes the malicious code in the JSP file, which can leak data on the server or give the attacker server permissions.

Under certain conditions, these two vulnerabilities allow arbitrary code to be executed on the user's server, resulting in data disclosure or access to server permissions, which is a high security risk.

Exploit conditions:
CVE-2017-12615 can only be exploited in a Windows environment and requires the readonly initialization parameter to be changed from its default value to false. In actual testing, the default web.xml configuration file in Tomcat 7.x contains no readonly parameter; it has to be added manually, so the default configuration is not affected by this vulnerability.
CVE-2017-12616 requires VirtualDirContext to be configured in the server.xml file. In actual testing, the default configuration of Tomcat 7.x contains no VirtualDirContext parameter; it has to be added manually, so the default configuration is not affected by this vulnerability.

Impact range:
CVE-2017-12615: Apache Tomcat 7.0.0-7.0.79 (Windows environment)
CVE-2017-12616: Apache Tomcat 7.0.0-7.0.80


III. Detailed Vulnerability Analysis
3.1. Environment setup

Apache Tomcat enables the PUT method by default, but the readonly parameter of org.apache.catalina.servlets.DefaultServlet defaults to true and is not written in conf/web.xml by default. To test, you need to add it manually and set it to false.
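The exploit conditions and impact ranges from section II, together with the readonly setting described above, can be turned into a configuration check. This is an added example, not code from the original article or from the Tomcat project; the function names and the sample XML are constructed, and the className `org.apache.naming.resources.VirtualDirContext` is the Tomcat 7 class name, which the article does not quote.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # drop the XML namespace, if any

def _text(elem, name):
    """Stripped text of the first direct child called `name`, or ''."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def readonly_disabled(web_xml):
    """True if a DefaultServlet declaration sets init-param readonly=false."""
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) == "servlet" and _text(el, "servlet-class") == DEFAULT_SERVLET:
            for p in el:
                if (_local(p.tag) == "init-param" and _text(p, "param-name") == "readonly"
                        and _text(p, "param-value").lower() == "false"):
                    return True
    return False

def virtualdircontext_enabled(conf_xml):
    """True if any element's className attribute names VirtualDirContext."""
    return any(e.get("className", "").endswith("VirtualDirContext")
               for e in ET.fromstring(conf_xml).iter())

def _in_range(version, low, high):
    return low <= tuple(int(p) for p in version.split(".")) <= high

def exposed_cves(version, on_windows, web_xml, conf_xml):
    """Apply the exploit conditions and version ranges listed in section II."""
    found = []
    if (on_windows and _in_range(version, (7, 0, 0), (7, 0, 79))
            and readonly_disabled(web_xml)):
        found.append("CVE-2017-12615")
    if _in_range(version, (7, 0, 0), (7, 0, 80)) and virtualdircontext_enabled(conf_xml):
        found.append("CVE-2017-12616")
    return found

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"><servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
SAMPLE_SERVER_XML = """<Server><Service><Engine><Host><Context path="/app">
  <Resources className="org.apache.naming.resources.VirtualDirContext"/></Context>
</Host></Engine></Service></Server>"""
```

For a real installation, pass the contents of conf/web.xml and conf/server.xml; `exposed_cves("7.0.79", True, SAMPLE_WEB_XML, SAMPLE_SERVER_XML)` reports both CVEs for the constructed sample.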
