Apache Tomcat has a vulnerability in the CGI Servlet which can be exploited to achieve remote code execution (RCE). This is only exploitable when running on Windows in a non-default configuration in conjunction with batch files. The vendor released a fix in Tomcat versions 7.0.94, 8.5.40 and 9.0.19. Users are encouraged to upgrade as soon as possible. CVE-2019-0232 has been assigned to track this issue.

Vulnerability Details

Common Gateway Interface (CGI) is a standard protocol that allows web servers to execute command line programs / scripts via web requests. This protocol also allows passing of command line arguments to the script or program being executed via URL parameters. The protocol itself is defined in RFC 3875.

Apache Tomcat supports execution of CGI scripts / programs in a non-default configuration via a special CGI servlet. This servlet also parses URL parameters and translates them into command line arguments. The actual execution of the CGI scripts happens via the Java Runtime Environment (JRE)’s class, exec() function.

When CGI support is enabled in Apache Tomcat on Windows, and command line argument passing is enabled, it is possible to cause command injection via parameter interpolation when calling a batch file (*.bat / *.cmd). This happens because “cmd.exe” performs interpolation on some special characters before execution, which can cause other shell commands to be called. Neither Apache Tomcat nor the Windows JRE performs any kind of input validation for these special characters. A partial list of these characters can be found here and here. Additional information about why this issue is specific to the Windows JRE can be found in this blog post by Markus Wulftange.

1. Install a Java Runtime Environment (JRE) in Windows.
2. Download a vulnerable version of Tomcat and extract it.
3. Modify the conf\context.xml file on line 19 to enable privileged context:
4. Modify conf\web.xml to enable the CGI Servlet by removing the comments around line 387 as follows and adding the following parameters (enableCmdLineArguments is only needed for Tomcat 9):
5. Enable the CGI servlet by removing the comments around this – you also need to change the URL pattern to match the one in the previous step (“cgi”):
6. Create a folder for the CGI files: mkdir webapps\ROOT\WEB-INF\cgi
7. Place the following text into a batch file located in “webapps\ROOT\WEB-INF\cgi\test.bat”: off
8. Run Tomcat via the following command: cd bin

Trigger the following URLs and observe the dir command being run:

Additional Notes – Environment Variables and Path

By default, Tomcat doesn’t pass all of the environment variables from the parent process that runs Tomcat itself. That means that if you run “set”, you will not see any environment variables other than those set by Tomcat itself. This also means that you would need to spell out the directory path of the command you are trying to run. However, if the “passShellEnvironment” parameter is set to true, the variables from the parent process will be passed through and you can call any command in PATH as well as view those variables.
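As an added defensive example (not code from the original post or from Tomcat), the script below decodes a CGI query string into command-line arguments the way RFC 3875 describes, flags any argument carrying cmd.exe metacharacters, and runs that check over constructed Tomcat access-log lines to surface requests that would have hit the interpolation issue described under Vulnerability Details. The metacharacter set, the allowlist pattern and the sample log lines are assumptions made for this example, not Tomcat's own values.

```python
import re
from urllib.parse import unquote

# Characters cmd.exe interprets before a batch file ever sees its arguments.
# Assumption: a representative subset, not the complete list the post links to.
CMD_METACHARS = set('&|<>^%"!()')
# Conservative allowlist for a single argument (assumption, not Tomcat's pattern).
ALLOWED = re.compile(r'^[A-Za-z0-9._-]+$')

def rfc3875_args(query):
    """RFC 3875 section 4.4: a query string with no '=' is treated as command-line
    arguments, split on '+' with each word URL-decoded. A query containing '='
    is form data and yields no arguments."""
    if query is None or '=' in query:
        return []
    return [unquote(part) for part in query.split('+') if part]

def risky_args(query):
    """Decoded arguments that contain cmd.exe metacharacters or fall outside
    the allowlist; a non-empty result means the request should be blocked or alerted on."""
    return [a for a in rfc3875_args(query)
            if (set(a) & CMD_METACHARS) or not ALLOWED.match(a)]

# Matches the request line inside a common-log-format access log entry.
REQUEST_LINE = re.compile(r'"(?:GET|POST) (?P<path>\S+?)(?:\?(?P<query>\S*))? HTTP/')

def scan_access_log(lines, cgi_prefix='/cgi/'):
    """Return (path, risky_arguments) for every CGI request whose arguments
    would reach cmd.exe with unvalidated metacharacters."""
    findings = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m or not m.group('path').startswith(cgi_prefix):
            continue
        bad = risky_args(m.group('query'))
        if bad:
            findings.append((m.group('path'), bad))
    return findings

# Constructed sample access-log lines (not taken from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /cgi/test.bat?hello+world HTTP/1.1" 200 12',
    '10.0.0.7 - - [01/Jan/2020:10:00:01 +0000] "GET /cgi/test.bat?x%26dir HTTP/1.1" 200 1400',
    '10.0.0.7 - - [01/Jan/2020:10:00:02 +0000] "GET /cgi/test.bat?name=alice HTTP/1.1" 200 12',
    '10.0.0.9 - - [01/Jan/2020:10:00:03 +0000] "GET /index.html?a%26b HTTP/1.1" 200 5',
]

if __name__ == '__main__':
    for path, args in scan_access_log(SAMPLE_LOG):
        print(f'suspicious CGI arguments for {path}: {args}')
```

Only the second line is reported: its argument decodes to an ampersand-separated second command, while the form-style query on the third line never becomes an argument at all.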