Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload
On 22/09/17 10:36, Maarten van Hulsentop wrote:
> I have tried to reproduce this issue on a fresh Tomcat 7.0.78 installation.
> The issue can indeed easily be reproduced on the default servlet by setting
> the readonly property to false. After that, it is possible to PUT the JSP
> and the GET request will execute.
>
> When I change the default servlet to be the WebDAV servlet, it can no
> longer PUT the JSP because of 409 errors.
> Adjusting the servlet mapping from / to /* resolves the 409. But doing so
> seems to prevent the JSP execution; the GET request will just yield the
> contents of the JSP.
> What do I need to do to get it reproduced for the WebDAV servlet as well?
> Or is this a theoretical thing and can we consider the WebDAV servlet
> configured in scenario 3 as not vulnerable in the real world?

I haven't seen a PoC for exploiting this via Tomcat's WebDAV implementation.

The original advisory was based on an understanding of the Default servlet
PoC and a quick look at Tomcat's WebDAV code. A closer inspection shows
that the Default servlet PoC won't work with Tomcat's WebDAV
implementation.

It looks to be unlikely that Tomcat's WebDAV implementation is exploitable
but as far as I am aware there hasn't been a great deal of investigation in
that direction. At this point it seems prudent to assume that WebDAV could
be vulnerable and mitigate accordingly.

> Does this also apply for individual web applications configuring a
> similar web.xml or is it only reproducible on the global default servlet?

CVE-2017-12615 applies in either of the above scenarios.

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload
Hello,

On Wed 20 Sep 2017 at 09:27, Mark Thomas wrote:
> On 19/09/17 14:10, Mark Thomas wrote:
> > On 19/09/17 14:00, André Warnier (tomcat) wrote:
> >> Hello.
> >>
> >> Did the issue below also affect the DAV application?
> >
> > Yes, as the WebDAV servlet also processes HTTP PUT requests.
> >
> > The WebDAV servlet extends the Default servlet so they actually share
> > the implementation.
>
> Thinking about this a little more, it will depend on how the WebDAV
> servlet is mapped. While there is a configuration where this would be an
> issue for WebDAV, I don't think it is one that would normally be used.
>

I have tried to reproduce this issue on a fresh Tomcat 7.0.78 installation.
The issue can indeed easily be reproduced on the default servlet by setting
the readonly property to false. After that, it is possible to PUT the JSP
and the GET request will execute.

When I change the default servlet to be the WebDAV servlet, it can no
longer PUT the JSP because of 409 errors. Adjusting the servlet mapping
from / to /* resolves the 409. But doing so seems to prevent the JSP
execution; the GET request will just yield the contents of the JSP.

What do I need to do to get it reproduced for the WebDAV servlet as well?
Or is this a theoretical thing and can we consider the WebDAV servlet
configured in scenario 3 as not vulnerable in the real world?

Does this also apply for individual web applications configuring a similar
web.xml or is it only reproducible on the global default servlet?

For clarity, my scenarios are:

1. == Default servlet reproduction
   - [fresh installation Tomcat 7.0.78]
   - Modify [tomcat]/conf/web.xml, add init-param readonly=false to default
   - PUT possible
   - GET executes JSP
   -> vulnerable!

2. == WebDAV servlet reproduction with mapping on '/'
   - [fresh installation Tomcat 7.0.78]
   - Modify [tomcat]/conf/web.xml, change servlet-class to
     org.apache.catalina.servlets.WebdavServlet for default
   - Modify [tomcat]/conf/web.xml, add init-param readonly=false to default
   - PUT fails with 409 message
   -> not vulnerable?

3. == WebDAV servlet reproduction with mapping on '/*'
   - [fresh installation Tomcat 7.0.78]
   - Modify [tomcat]/conf/web.xml, change servlet-class to
     org.apache.catalina.servlets.WebdavServlet for default
   - Modify [tomcat]/conf/web.xml, add init-param readonly=false to default
   - Modify [tomcat]/conf/web.xml, change url-pattern / to /* (for default)
   - PUT possible
   - GET retrieves the content for the JSP
   -> not vulnerable right now?

Thank you for your feedback,

Regards,

Maarten van Hulsentop
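As an added check for the three scenarios above (example code written for this page; it is not Tomcat's own code nor anything the thread participants posted): the script below parses a web.xml the way Maarten's steps modify it, reports whether the Default or WebDAV servlet has readonly=false and which url-pattern it is mapped on, and interprets the status of a harmless PUT of a text file so that a host can be checked without uploading a JSP. It assumes the JavaEE-namespaced web-app root that Tomcat 7's conf/web.xml uses, treats an absent readonly init-param as readonly=true (Tomcat's documented default), and the sample web.xml fragments and the probe URL are constructed placeholders. It applies equally to a webapp's own WEB-INF/web.xml, since Mark states the CVE applies in either place.

```python
"""Audit a Tomcat web.xml for the CVE-2017-12615 precondition (HTTP PUT enabled).

Added example for the thread, not Tomcat project code. Sample web.xml fragments
below are constructed to mirror Maarten's scenarios 1-3 plus a stock install.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
WEBDAV_SERVLET = "org.apache.catalina.servlets.WebdavServlet"


def _local(tag: str) -> str:
    # web.xml elements carry the JavaEE namespace; compare on the local name only.
    return tag.rsplit("}", 1)[-1]


def _children(el: ET.Element, name: str) -> List[ET.Element]:
    return [c for c in el if _local(c.tag) == name]


def _text(el: ET.Element, name: str) -> Optional[str]:
    found = _children(el, name)
    return found[0].text.strip() if found and found[0].text else None


def audit_web_xml(xml_text: str) -> List[Dict[str, object]]:
    """One finding per <servlet> that uses the Default or WebDAV servlet class."""
    root = ET.fromstring(xml_text)
    patterns: Dict[str, List[str]] = {}
    for m in _children(root, "servlet-mapping"):
        name = _text(m, "servlet-name")
        if name:
            patterns.setdefault(name, []).extend(
                p.text.strip() for p in _children(m, "url-pattern") if p.text)
    findings: List[Dict[str, object]] = []
    for s in _children(root, "servlet"):
        cls = _text(s, "servlet-class")
        if cls not in (DEFAULT_SERVLET, WEBDAV_SERVLET):
            continue
        name = _text(s, "servlet-name") or "?"
        readonly = "true"  # Tomcat's default when the init-param is absent
        for ip in _children(s, "init-param"):
            if _text(ip, "param-name") == "readonly":
                readonly = (_text(ip, "param-value") or "true").lower()
        put_enabled = readonly == "false"
        mapped = patterns.get(name, [])
        if not put_enabled:
            verdict = "ok: PUT disabled (readonly=true)"
        elif cls == DEFAULT_SERVLET:
            verdict = "vulnerable: PUT enabled on DefaultServlet (scenario 1)"
        else:
            # No PoC is known for WebdavServlet; Mark's advice is to assume it
            # could be vulnerable and mitigate accordingly.
            verdict = "assume vulnerable: PUT enabled on WebdavServlet at " + ",".join(mapped)
        findings.append({"servlet": name, "class": cls, "readonly": readonly,
                         "url_patterns": mapped, "put_enabled": put_enabled,
                         "verdict": verdict})
    return findings


def classify_put_status(status: int) -> str:
    """Interpret the response to a harmless PUT of a .txt file (no JSP involved)."""
    if status in (201, 204):
        return "accepted"   # PUT works: the CVE precondition holds
    if status in (403, 405):
        return "denied"     # readonly=true (Tomcat 7 answers 403; later releases 405)
    if status == 409:
        return "conflict"   # what Maarten saw with WebdavServlet mapped at "/"
    return "other"


def probe_put(url: str, timeout: float = 5.0) -> str:
    """PUT a text file to e.g. http://host:8080/put-probe.txt and classify the reply."""
    req = urllib.request.Request(url, data=b"put probe\n", method="PUT")
    req.add_header("Content-Type", "text/plain")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_put_status(resp.status)
    except urllib.error.HTTPError as err:
        return classify_put_status(err.code)


def make_web_xml(servlet_class: str, readonly: Optional[str], pattern: str) -> str:
    """Constructed web.xml fragment mirroring one of the thread's scenarios."""
    ro = ("<init-param><param-name>readonly</param-name><param-value>%s"
          "</param-value></init-param>" % readonly) if readonly else ""
    return ("""<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>%s</servlet-class>%s</servlet>
  <servlet-mapping><servlet-name>default</servlet-name>
    <url-pattern>%s</url-pattern></servlet-mapping>
</web-app>""" % (servlet_class, ro, pattern))


SCENARIOS = {
    "stock": make_web_xml(DEFAULT_SERVLET, None, "/"),   # untouched install
    "1": make_web_xml(DEFAULT_SERVLET, "false", "/"),
    "2": make_web_xml(WEBDAV_SERVLET, "false", "/"),
    "3": make_web_xml(WEBDAV_SERVLET, "false", "/*"),
}

if __name__ == "__main__":
    for label, xml in SCENARIOS.items():
        for f in audit_web_xml(xml):
            print(label, f["verdict"])
```

Run it against a real file with audit_web_xml(open("conf/web.xml").read()); probe_put is only for a host you are authorised to test, and it deliberately writes a .txt rather than a .jsp so that a positive result proves the precondition (PUT enabled) without planting executable content.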
Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload
On 19/09/17 14:10, Mark Thomas wrote:
> On 19/09/17 14:00, André Warnier (tomcat) wrote:
>> Hello.
>>
>> Did the issue below also affect the DAV application?
>
> Yes, as the WebDAV servlet also processes HTTP PUT requests.
>
> The WebDAV servlet extends the Default servlet so they actually share
> the implementation.

Thinking about this a little more, it will depend on how the WebDAV
servlet is mapped. While there is a configuration where this would be an
issue for WebDAV, I don't think it is one that would normally be used.

Mark

>
>> And if yes, also only under Windows?
>
> Yes. This is, as far as we can tell, Windows specific.
>
> HTH,
>
> Mark
>
>
>>
>> Forwarded Message
>> Subject: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution
>> via JSP upload
>> Date: Tue, 19 Sep 2017 11:58:44 +0100
>> From: Mark Thomas
>> Reply-To: Tomcat Users List
>> To: Tomcat Users List
>> CC: annou...@tomcat.apache.org , annou...@apache.org, Tomcat Developers List
>>
>> CVE-2017-7674 Apache Tomcat Remote Code Execution via JSP Upload
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> Apache Tomcat 7.0.0 to 7.0.79
>>
>> Description:
>> When running on Windows with HTTP PUTs enabled (e.g. via setting the
>> readonly initialisation parameter of the Default to false) it was
>> possible to upload a JSP file to the server via a specially crafted
>> request. This JSP could then be requested and any code it contained
>> would be executed by the server.
>>
>> Mitigation:
>> Users of the affected versions should apply one of the following
>> mitigations:
>> - Upgrade to Apache Tomcat 7.0.81 or later (7.0.80 was not released)
>>
>> Credit:
>> This issue was reported responsibly to the Apache Tomcat Security Team
>> by iswin from 360-sg-lab (360观星实验室)
>>
>> History:
>> 2017-09-19 Original advisory
>>
>> References:
>> [1] http://tomcat.apache.org/security-7.html
RE: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload
Hi,

This we require in Windows systems. We will be looking at Windows 10.
Springboot application, Microsoft Azure based.

Many thanks,

Gulam Thakur
Software Developer, Synapse Dev Squad
BP Sunbury, Bldg H, 1st floor TW16 7LN

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: 19 September 2017 14:10
To: Tomcat Users List
Subject: Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

On 19/09/17 14:00, André Warnier (tomcat) wrote:
> Hello.
>
> Did the issue below also affect the DAV application?

Yes, as the WebDAV servlet also processes HTTP PUT requests.

The WebDAV servlet extends the Default servlet so they actually share
the implementation.

> And if yes, also only under Windows?

Yes. This is, as far as we can tell, Windows specific.

HTH,

Mark

> [...]
Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload
On 19/09/17 14:00, André Warnier (tomcat) wrote:
> Hello.
>
> Did the issue below also affect the DAV application?

Yes, as the WebDAV servlet also processes HTTP PUT requests.

The WebDAV servlet extends the Default servlet so they actually share
the implementation.

> And if yes, also only under Windows?

Yes. This is, as far as we can tell, Windows specific.

HTH,

Mark

> [...]
Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload
Hello.

Did the issue below also affect the DAV application?
And if yes, also only under Windows?

Forwarded Message
Subject: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload
Date: Tue, 19 Sep 2017 11:58:44 +0100
From: Mark Thomas
Reply-To: Tomcat Users List
To: Tomcat Users List
CC: annou...@tomcat.apache.org , annou...@apache.org, Tomcat Developers List

CVE-2017-7674 Apache Tomcat Remote Code Execution via JSP Upload

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 7.0.0 to 7.0.79

Description:
When running on Windows with HTTP PUTs enabled (e.g. via setting the
readonly initialisation parameter of the Default to false) it was
possible to upload a JSP file to the server via a specially crafted
request. This JSP could then be requested and any code it contained
would be executed by the server.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 7.0.81 or later (7.0.80 was not released)

Credit:
This issue was reported responsibly to the Apache Tomcat Security Team
by iswin from 360-sg-lab (360观星实验室)

History:
2017-09-19 Original advisory

References:
[1] http://tomcat.apache.org/security-7.html