Deconstructing Apache Tomcat JSP Upload Remote Code Execution (CVE-2017-12615)

By Wei Gao | Here, at the Application and Threat Intelligence Research Center, we explore security threats to better understand how they work so we can replicate them for use with our BreakingPoint security test solution. Let’s take a deeper look into the Apache Tomcat JSP Upload vulnerability, which allows attackers to upload arbitrary files to the Tomcat application server by using the HTTP PUT method. The vulnerability exists when the DefaultServlet’s readonly init-parameter is set to false in conf/web.xml. When a request path ends in .jsp/ or .jspx/ (with a trailing slash), Tomcat hands the request to the DefaultServlet rather than the JSP servlet. By uploading a .jsp file to the Tomcat application server this way, an attacker can execute malicious code on the remote machine.


Vulnerability Reproduce

Set up a Metasploit multi/handler and use jsp_shell_reverse_tcp as the payload.


Proof of Concept (PoC)


This PoC generates a JSP reverse TCP shell with msfvenom and uploads it to the Tomcat server with an HTTP PUT request. Here, we use the path /sh4.jsp/ in the PUT request; Tomcat drops the trailing slash and creates a JSP web shell called sh4.jsp on the server. After the upload succeeds, an HTTP GET request for the JSP web shell executes it and returns a reverse shell to the Metasploit listener.


To provide valuable strikes to our customers, we offer this exploit in our BreakingPoint system. The strike uses an HTTP PUT request to upload a non-malicious JSP file to the Tomcat server. After running the strike, it generates a pcap like this:

[pcap screenshot: the strike’s HTTP PUT upload of a JSP file to the Tomcat server]

The strike uploads a JSP file with a random name; in this example, it is BvGhDVR.jsp. This strike is deployed in our upcoming ATI release.
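The upload-then-fetch sequence described above (a PUT to /sh4.jsp/ followed by a GET for /sh4.jsp), and the strike’s own PUT of a randomly named JSP file, both leave a trace in Tomcat’s access log, which is where a defender can look for them. The script below is an added example and not part of the original post or the BreakingPoint product: it parses access-log lines in Tomcat’s default “common” format, flags PUT/DELETE requests whose path contains .jsp, and pairs each accepted upload with a later GET of the same file from the same client. The sample lines are constructed (the names sh4.jsp and BvGhDVR.jsp are taken from the post); the 201 and 204 status codes are what Tomcat’s DefaultServlet returns when a PUT creates or overwrites a file.

```python
"""Detect JSP uploads via HTTP PUT in Tomcat access logs (common log format).

Added example, not code from the original post. The log lines below are
constructed for the demonstration.
"""
import re
from urllib.parse import unquote

# host ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+$'
)

WRITE_METHODS = {"PUT", "DELETE"}
# DefaultServlet answers a stored PUT with 201 (new file) or 204 (overwrite).
WRITE_ACCEPTED = {201, 204}


def parse_line(line: str):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = unquote(rec["path"])  # decode %xx so encoded paths are inspected
    return rec


def find_jsp_writes(log_text: str):
    """Every PUT/DELETE whose path mentions .jsp, with whether the server accepted it."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in WRITE_METHODS:
            continue
        if ".jsp" not in rec["path"].lower():
            continue
        rec["accepted"] = rec["status"] in WRITE_ACCEPTED
        findings.append(rec)
    return findings


def correlate_upload_then_fetch(log_text: str):
    """Pair an accepted PUT of /name.jsp/ with a later GET of /name.jsp by the same client.

    The trailing slash used in the upload is stripped so both requests map
    to the same file name, matching how Tomcat stored the file.
    """
    uploaded = {}  # (client ip, canonical path) -> PUT record
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        canon = rec["path"].split("?", 1)[0].rstrip("/")
        key = (rec["ip"], canon)
        if (rec["method"] == "PUT" and ".jsp" in canon.lower()
                and rec["status"] in WRITE_ACCEPTED):
            uploaded[key] = rec
        elif rec["method"] == "GET" and key in uploaded:
            hits.append({"ip": rec["ip"], "file": canon,
                         "put_time": uploaded[key]["time"],
                         "get_time": rec["time"]})
    return hits


# Constructed sample log: one full upload-then-fetch, one upload only, one
# unrelated PUT, and one PUT the server rejected.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Sep/2017:10:15:01 +0000] "GET /index.jsp HTTP/1.1" 200 1043
10.0.0.9 - - [22/Sep/2017:10:15:07 +0000] "PUT /sh4.jsp/ HTTP/1.1" 201 0
10.0.0.9 - - [22/Sep/2017:10:15:09 +0000] "GET /sh4.jsp HTTP/1.1" 200 512
10.0.0.9 - - [22/Sep/2017:10:16:00 +0000] "PUT /BvGhDVR.jsp/ HTTP/1.1" 201 0
10.0.0.7 - - [22/Sep/2017:10:17:00 +0000] "PUT /upload/report.txt HTTP/1.1" 405 0
10.0.0.8 - - [22/Sep/2017:10:18:00 +0000] "PUT /x.jsp/ HTTP/1.1" 403 0
"""

if __name__ == "__main__":
    for f in find_jsp_writes(SAMPLE_LOG):
        state = "ACCEPTED" if f["accepted"] else "rejected"
        print(f"{f['ip']} {f['method']} {f['path']} -> {f['status']} ({state})")
    for h in correlate_upload_then_fetch(SAMPLE_LOG):
        print(f"upload then fetch: {h['ip']} wrote and executed {h['file']}")
```

Any accepted finding is worth treating as a confirmed file write, not just an attempt; the correlated upload-then-fetch pairs are the ones where the uploaded JSP was also executed. Feed the functions the contents of a real localhost_access_log file to run them outside the sample.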

Leverage Subscription Service to Stay Ahead of Attacks

The BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-monthly updates of the latest applications and threats.

