Vulnerability Analysis & PoC for the Apache Tomcat — CGIServlet enableCmdLineArguments | Remote Code Execution
The Python script and the nc.exe binary used below are available at: https://github.com/jaiguptanick/CVE-2019-0232
Video PoC available at HERE.
Apache Tomcat has a vulnerability in the CGI Servlet that can be exploited to achieve remote code execution. It is only exploitable when Tomcat runs on Windows in a non-default configuration and the CGI scripts are batch files.
Common Gateway Interface (CGI) is a standard protocol that lets web servers execute command-line programs or scripts in response to web requests. The protocol also allows command-line arguments to be passed to the executed program via URL parameters; it is defined in RFC 3875. When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat is vulnerable to RCE because of a bug in how the JRE passes command-line arguments to Windows. The CGI Servlet is disabled by default, and the CGI option enableCmdLineArguments is also disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability).
Affected versions:
- Apache Tomcat 9.0.0.M1 to 9.0.17
- Apache Tomcat 8.5.0 to 8.5.39
- Apache Tomcat 7.0.0 to 7.0.93
1. You need one of the vulnerable Tomcat versions listed above installed on a Windows machine, with a Java JRE installed on the same machine.
2. In my case I have installed Apache Tomcat 9.0.0.M1 on the XAMPP server.
3. After installing Tomcat, make the following configuration changes:
a.) Modify the conf/context.xml and make
b.) Make the following changes in the conf/web.xml file near lines 366 and 420 respectively.
enableCmdLineArguments needs to be set to true, because on Tomcat 9 it is false by default.
4. Create a folder for the CGI files at webapps\ROOT\WEB-INF\cgi and add a file ism.bat with the following contents:
echo Content-Type: text/plain
5. The setup is complete; start the server and open http://localhost:8080/cgi/ism.bat?&dir to check that the server is working.
6. This gives us the RCE. To get a reverse shell with netcat, start a web server on the attacker machine in the directory containing nc.exe, and start a netcat listener to receive the connection.
7. Now run cve-2019-0232.py after adding the server IP and port to it.
8. We finally got the reverse shell.
Link to the video PoC HERE
Mitigation:
- Disable CGI support (it is disabled by default).
- Users should set the CGI Servlet initialization parameter enableCmdLineArguments to false to prevent possible exploitation of CVE-2019-0232.
- Apache implemented the regex pattern [[a-zA-Z0-9\Q-_.\\/:\E]+] to prevent input from being executed as commands on Windows systems.
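The two mitigations above can be checked mechanically. The following Python script is an added example, not code from this write-up or from Apache Tomcat: it audits a Tomcat web.xml for CGIServlet definitions that enable enableCmdLineArguments (the precondition for CVE-2019-0232), and it applies the Windows allow-list regex from the fix to each decoded command-line argument. The Java pattern [[a-zA-Z0-9\Q-_.\\/:\E]+] is translated here into Python re syntax, since Python does not support \Q...\E quoting; the web.xml sample is constructed for the example and follows the shape of the CGI servlet definition shipped (commented out) in Tomcat's default conf/web.xml.

```python
"""Audit a Tomcat web.xml for CGI command-line arguments and apply the
allow-list that the CVE-2019-0232 fix enforces on each argument.

Added example; not code from the original write-up or from Apache Tomcat.
"""
import re
import urllib.parse
import xml.etree.ElementTree as ET

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"

# Constructed sample web.xml. The {enable} placeholder lets the same
# template produce the weak and the hardened configuration.
WEB_XML_TEMPLATE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>cgiPathPrefix</param-name>
      <param-value>WEB-INF/cgi</param-value>
    </init-param>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>{enable}</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi/*</url-pattern>
  </servlet-mapping>
</web-app>
"""
WEAK_WEB_XML = WEB_XML_TEMPLATE.format(enable="true")       # vulnerable setting
HARDENED_WEB_XML = WEB_XML_TEMPLATE.format(enable="false")  # recommended setting


def _local(tag):
    """Strip the XML namespace so element names compare as plain strings."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child named `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def audit_cgi_servlets(web_xml_text):
    """Return one finding per CGIServlet definition in the given web.xml.

    A finding records the servlet name, whether enableCmdLineArguments is
    true (an absent parameter counts as false, the Tomcat 9 default), and
    the URL patterns the servlet is mapped to.
    """
    root = ET.fromstring(web_xml_text)
    mappings = {}
    for elem in root.iter():
        if _local(elem.tag) == "servlet-mapping":
            name = _child_text(elem, "servlet-name")
            mappings.setdefault(name, []).append(_child_text(elem, "url-pattern"))
    findings = []
    for elem in root.iter():
        if _local(elem.tag) != "servlet":
            continue
        if _child_text(elem, "servlet-class") != CGI_SERVLET_CLASS:
            continue
        enabled = False
        for param in elem:
            if (_local(param.tag) == "init-param"
                    and _child_text(param, "param-name") == "enableCmdLineArguments"):
                enabled = (_child_text(param, "param-value") or "").lower() == "true"
        name = _child_text(elem, "servlet-name")
        findings.append({"servlet": name, "cmd_line_args": enabled,
                         "url_patterns": mappings.get(name, [])})
    return findings


# Tomcat's Windows allow-list for a decoded argument: letters, digits and
# the literal characters - _ . \ / :  (Java's \Q-_.\\/:\E written out).
CMD_LINE_ARG_ALLOWED = re.compile(r"[a-zA-Z0-9\-_.\\/:]+")


def argument_allowed(arg):
    """True only if the whole decoded argument matches the allow-list."""
    return CMD_LINE_ARG_ALLOWED.fullmatch(arg) is not None


def rejected_arguments(query_string):
    """Decode a CGI search string (RFC 3875 section 4.4: split on '+',
    then URL-decode each word) and return the words the allow-list rejects.
    Shell metacharacters such as '&', '|' and spaces never pass."""
    words = [urllib.parse.unquote(w) for w in query_string.split("+") if w]
    return [w for w in words if not argument_allowed(w)]


if __name__ == "__main__":
    for finding in audit_cgi_servlets(WEAK_WEB_XML):
        print(finding)
    print(rejected_arguments("&dir"))
```

Run the audit against each deployed web.xml (Tomcat's conf/web.xml and any WEB-INF/web.xml that defines its own CGI servlet); a finding with cmd_line_args set to True on a Windows host is the configuration the write-up relies on. The allow-list check shows why the fix stops the `?&dir` request: the decoded argument `&dir` contains `&`, which is outside the permitted character set, so Tomcat refuses to pass it to the batch file.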
Thanks for your patience; I hope you enjoyed reading. Happy Hacking…