exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Apache Tomcat 7.0.39 Remote Code Execution

Apache Tomcat 7.0.39 Remote Code Execution
Posted Sep 10, 2014
Authored by Mark Thomas, Pierre Ernst | Site tomcat.apache.org

In very limited circumstances, it was possible for an attacker to upload a malicious JSP to a Tomcat server and then trigger the execution of that JSP. While Remote Code Execution would normally be viewed as a critical vulnerability, the circumstances under which this is possible are, in the view of the Tomcat security team, sufficiently limited that this vulnerability is viewed as important. Apache Tomcat versions 7.0.0 through 7.0.39 are affected.

tags | advisory, remote, code execution
advisories | CVE-2013-4444
SHA-256 | b2ea73c8b10cd079ee3352350d5c7fa19457771401cedd12bbf9a02e13493849

Apache Tomcat 7.0.39 Remote Code Execution

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2013-4444 Remote Code Execution

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- - Apache Tomcat 7.0.0 to 7.0.39

Description:
In very limited circumstances, it was possible for an attacker to upload
a malicious JSP to a Tomcat server and then trigger the execution of
that JSP. While Remote Code Execution would normally be viewed as a
critical vulnerability, the circumstances under which this is possible
are, in the view of the Tomcat security team, sufficiently limited that
this vulnerability is viewed as important.
For this attack to succeed all of the following requirements must be met:
a) Using Oracle Java 1.7.0 update 25 or earlier (or any other Java
implementation where java.io.File is vulnerable to null byte
injection).
b) A web application must be deployed to a vulnerable version of Tomcat
(see previous section).
c) The web application must use the Servlet 3.0 File Upload feature.
d) A file location within a deployed web application must be writeable
by the user the Tomcat process is running as. The Tomcat security
documentation recommends against this.
e) A custom listener for JMX connections (e.g. the JmxRemoteListener
that is not enabled by default) must be configured and be able to
load classes from Tomcat's common class loader (i.e. the custom JMX
listener must be placed in Tomcat's lib directory)
f) The custom JMX listener must be bound to an address other than
localhost for a remote attack (it is bound to localhost by default).
If the custom JMX listener is bound to localhost, a local attack
will still be possible.

Note that requirements b) and c) may be replaced with the following
requirement:
g) A web application is deployed that uses Apache Commons File Upload
1.2.1 or earlier.
In this case a similar vulnerability may exist on any Servlet container,
not just Apache Tomcat.

Mitigation:
This vulnerability may be mitigated by using any one of the following
mitigations:
- - Upgrade to Oracle Java 1.7.0 update 40 or later (or any other Java
implementation where java.io.File is not vulnerable to null byte
injection).
- - Use OS file permissions to prevent the process Tomcat is running as
from writing to any location within a deployed application.
- - Disable any custom JMX listeners
- - Upgrade to Apache Tomcat 7.0.40 or later

Credit:
This issue was identified by Pierre Ernst of the VMware Security
Engineering, Communications & Response group (vSECR) and reported to
the Tomcat security team via the Pivotal security team.

References:
[1] http://tomcat.apache.org/security-7.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBAgAGBQJUEFl4AAoJEBDAHFovYFnnR3cQAL034ZrbUeBcJ4zotNp5+ea2
llNatC3MUlg/vZ2qG8Qo4xxbdS4F53cpu90fFhKm+dFzIiRhZeHROYDv6Lu1biSu
Nvq0YXV6KVJ9Js4G6HFilhy3vownvn/hMAjzmPojSYjWO5slXNfFvAlwyRrGt0Cp
t5rUh4QNavhgO4m0HXJJLg+PNlSKsnGdra+0gWmq8YKtKotgu24SbPq/p3HP7TuJ
nnMjx4A6r2LcoghL/nFAPp2ZwgBCtm67osObJ1uMxYhZ2I/3MztFYpSKvfVONuUK
rL265wmrKLvvDdozd/Aw2d2poXdSO/oWeuhKbbzYOxpUT6iRzf+BkPUR99e6Rqso
lOfLoAYuzYfK4rW/ooxVNKnHMhs+0BVfNZoclKCDSvz+a9dIVS5XD6KcyJQ3uv12
ujyTGaGhLuS/ciAVS372Dx8H0/mfd5nZCkYL6NDyzSWSmb5eG4XxqrLi77yByvAT
ulSAyg1UWk8sRgQ4AY3belH3jDiN1rHSWJAaB+WVwszQdCe4iXgDyB1u4ES22oAN
Ymrg5l7tLQ8/9LyMvlQ0tE4f+OYE6kki6e4JMc2cMqPL/rcjiUnLWZ7YUyx92RM1
LRt9QhMd1h3Uwle7a7LxqJCGf/rIPwRmrjTYYWt43np1Adx7y2RuZOTDjEY98sN3
oCLjuSCalVcBX9hGaJ7n
=98BB
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close