myhack58 / 佚名 / MYHACK58:62201789400
History: Sep 20, 2017 - 12:00 a.m.

Tomcat remote code execution vulnerability research: CVE-2017-12615 and patch bypass - vulnerability warning - the black bar safety net

2017-09-20 00:00:00
Anonymous (佚名)
www.myhack58.com

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.969 High

EPSS

Percentile

99.7%

On September 19, Tencent Cloud's security center detected that Apache Tomcat had fixed two serious vulnerabilities: an information disclosure vulnerability (CVE-2017-12616) and a remote code execution vulnerability (CVE-2017-12615). In some scenarios an attacker can use these two vulnerabilities, respectively, to obtain the source code of JSP files on the user's server, or, through a crafted request, to upload a malicious JSP Trojan file to the user's server and then execute arbitrary code on it.
Cloud Peak Laboratory analysed the vulnerability description, built a vulnerable environment and reproduced the issue. This is a high-risk vulnerability: although the default configuration is not affected, once the vulnerability is present an attacker can upload a Webshell and take control of the server.
Reproduction
According to the description, on Windows Server with the readonly parameter set to false, a JSP file can be created with the PUT method and arbitrary code can then be executed.
Looking at the conf/web.xml file, one can see:
![](/Article/UploadPic/2017-9/2017920213434942.jpg?www.myhack58.com)
readonly defaults to true; when readonly is set to false, files can be created and deleted via PUT / DELETE.
Configure readonly to false:
![](/Article/UploadPic/2017-9/2017920213434389.jpg?www.myhack58.com)
Start Tomcat and send a PUT request to create a file:
![](/Article/UploadPic/2017-9/2017920213434274.png?www.myhack58.com)
It returns a 404. Since the description says Windows is affected, Windows features can be combined with this: one is the NTFS file stream, the other is the rules Windows imposes on file names (a Windows file name cannot end with a space, for instance), which can be used to bypass the restriction:
![](/Article/UploadPic/2017-9/2017920213434573.png?www.myhack58.com)
![](/Article/UploadPic/2017-9/2017920213434996.png?www.myhack58.com)
Visiting the file, we find that it produces output normally:
![](/Article/UploadPic/2017-9/2017920213434190.png?www.myhack58.com)
Analysis
Tomcat's servlets are configured in conf/web.xml. The configuration file shows that requests whose name ends in .jsp or .jspx are handled by the JspServlet:
![](/Article/UploadPic/2017-9/2017920213434991.jpg?www.myhack58.com)
Other files are handled by the DefaultServlet:
![](/Article/UploadPic/2017-9/2017920213434890.jpg?www.myhack58.com)
It can be seen that "1.jsp " (with a trailing space) cannot be matched to the JspServlet and is instead handled by the DefaultServlet. When a PUT request is handled:
![](/Article/UploadPic/2017-9/2017920213434760.jpg?www.myhack58.com)
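As an added defender-side illustration (not code from the original article or from Tomcat), the following Python checks a conf/web.xml fragment for the DefaultServlet readonly=false setting described above, and scans Tomcat access-log lines for PUT/DELETE requests whose stored file name becomes a JSP once Windows drops the trailing space or the NTFS ::$DATA stream suffix. The web.xml fragment and the log lines are constructed sample data.

```python
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Constructed conf/web.xml fragment (not Tomcat's real file): DefaultServlet with readonly=false.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
NS = {"j": "http://xmlns.jcp.org/xml/ns/javaee"}

def default_servlet_writable(xml_text):
    """True when DefaultServlet's readonly init-param is explicitly false (Tomcat's default is true)."""
    root = ET.fromstring(xml_text)
    for servlet in root.findall("j:servlet", NS):
        if not servlet.findtext("j:servlet-class", "", NS).endswith(".DefaultServlet"):
            continue
        for param in servlet.findall("j:init-param", NS):
            if param.findtext("j:param-name", "", NS).strip() == "readonly":
                return param.findtext("j:param-value", "", NS).strip().lower() == "false"
    return False

# Constructed access-log lines in Tomcat's common log format (sample data, not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [20/Sep/2017:00:00:01 +0800] "PUT /1.jsp%20 HTTP/1.1" 201 -',
    '10.0.0.5 - - [20/Sep/2017:00:00:02 +0800] "PUT /1.jsp::$DATA HTTP/1.1" 201 -',
    '10.0.0.6 - - [20/Sep/2017:00:00:03 +0800] "GET /index.jsp HTTP/1.1" 200 1024',
    '10.0.0.7 - - [20/Sep/2017:00:00:04 +0800] "PUT /upload/report.txt HTTP/1.1" 204 -',
]
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def stored_name(path):
    """Name Windows would store: URL-decoded, with a ::$DATA stream suffix and trailing spaces dropped.
    Tomcat matched the raw name against *.jsp, so these variants reached DefaultServlet instead."""
    name = urllib.parse.unquote(path)
    return re.sub(r'::\$DATA$', '', name).rstrip(' ')

def suspicious_jsp_writes(lines):
    """Return request paths of PUT/DELETE requests whose stored name ends in .jsp or .jspx."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and m.group('method') in ('PUT', 'DELETE'):
            if stored_name(m.group('path')).lower().endswith(('.jsp', '.jspx')):
                hits.append(m.group('path'))
    return hits
```

The same check run over real logs would, on a vulnerable host, also need the readonly result: only when both are true has a JSP actually been written to disk by this path.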

