Posted to users@tomcat.apache.org by Ragini <ra...@gmail.com> on 2012/09/25 13:15:54 UTC

Downloading binary version of vulnerable tomcat 6.0.0 - 6.0.20 to exploit the vulnerability CVE-2009-2693

Hi,

I want to try to exploit the Tomcat vulnerability CVE-2009-2693. The site 
says that the affected versions are from 6.0.0 to 6.0.20. I could not 
find any of these on the official Apache Tomcat website. I want to do some 
tests on those vulnerable versions.

*Could you please guide me to where I can download the Tomcat version 
which is vulnerable to CVE-2009-2693 (arbitrary file deletion and/or 
alteration on deploy)? Please note that I use Ubuntu 12.0.4.*

Basically this is how I plan to exploit that vulnerability:

1) I insert code that creates a directory in the user's home directory in one 
of the Java classes of my web application.
2) I deploy the WAR file to Tomcat's webapps dir.
3) I start Tomcat with the security manager and it should then create a 
directory in the user's home directory.

I would really appreciate your help regarding this.

Thanks.

Re: Downloading binary version of vulnerable tomcat 6.0.0 - 6.0.20 to exploit the vulnerability CVE-2009-2693

Posted by Daniel Mikusa <dm...@vmware.com>.
On Sep 25, 2012, at 7:15 AM, Ragini wrote:

> Hi,
> 
> I want to try to exploit the Tomcat vulnerability CVE-2009-2693. The site says that the affected versions are from 6.0.0 to 6.0.20. I could not find any of these on the official Apache Tomcat website. I want to do some tests on those vulnerable versions.
> 
> *Could you please guide me to where I can download the Tomcat version which is vulnerable to CVE-2009-2693 (arbitrary file deletion and/or alteration on deploy)? Please note that I use Ubuntu 12.0.4.*

You can download any version you want from the archives.

https://archive.apache.org/dist/tomcat/tomcat-6/

Dan

> 
> Basically this is how I plan to exploit that vulnerability:
> 
> 1) I insert code that creates a directory in the user's home directory in one of the Java classes of my web application.
> 2) I deploy the WAR file to Tomcat's webapps dir.
> 3) I start Tomcat with the security manager and it should then create a directory in the user's home directory.
> 
> I would really appreciate your help regarding this.
> 
> Thanks.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Downloading binary version of vulnerable tomcat 6.0.0 - 6.0.20 to exploit the vulnerability CVE-2009-2693

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Ragini,

On 9/25/12 9:59 AM, Ragini wrote:
> On 09/25/2012 03:42 PM, Mark Thomas wrote:
>> On 9/25/12 7:15 AM, Ragini wrote:
>>> 1) I insert code that creates a directory in the user's home directory
>>> in one of the Java classes of my web application. 2) I deploy the
>>> WAR file to Tomcat's webapps dir. 3) I start Tomcat with the
>>> security manager and it should then create a directory in the
>>> user's home directory.
>> 
>> That would be a complete waste of time. You'll be testing the
>> security manager rather than anything to do with CVE-2009-2693.
>> 
>> Either you have failed to read the description of CVE-2009-2693
>> [4] or you have failed to comprehend it.

> Maybe I have failed to understand it. Could you please explain it
> and give me an idea about how I can actually exploit it?

Why don't you Google for "CVE-2009-2693" and read the description.
It's fairly clear, if not terse. Try reading all of the references
from Mitre. The first reference they have is a mailing list post
written by Mark Thomas which explains the vulnerability as well as
gives references to the svn revisions that fix the vulnerability. By
reading the Mitre report (very short), Mark's post (also quite short),
and the patches, you should be able to get an idea about how to
exploit this vulnerability.

Or you could just think to yourself "oh, it's a WAR-extraction
directory-traversal vulnerability" and figure it out from there. Is
this for a class or something?

-chris
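The check that a WAR-extraction directory-traversal bug is missing, shown as an added example in Python (this is not Tomcat's code, which is Java): every zip entry is resolved against the intended webapp directory before anything is written, and the whole archive is refused if any entry would land outside it. The two WARs, the `webapps/app` destination and all function names are constructed for this example.

```python
import io
import os
import tempfile
import zipfile

def build_war(entries):
    """Build an in-memory WAR (a zip) from {entry_name: bytes}; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)  # zipfile does not sanitise entry names on write
    return buf.getvalue()

def entry_escapes(dest_dir, entry_name):
    """True if writing entry_name beneath dest_dir would land outside dest_dir."""
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, entry_name))
    return os.path.commonpath([dest, target]) != dest

def audit_war(war_bytes, dest_dir):
    """Names of entries that would escape dest_dir; an empty list means safe to expand."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        return [i.filename for i in zf.infolist() if entry_escapes(dest_dir, i.filename)]

def safe_expand_war(war_bytes, dest_dir):
    """Refuse the whole WAR if any entry traverses; otherwise expand it and return written names."""
    bad = audit_war(war_bytes, dest_dir)
    if bad:
        raise ValueError("refusing to expand WAR, traversal entries: %r" % bad)
    written = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest_dir, info.filename)
            os.makedirs(target if info.is_dir() else os.path.dirname(target), exist_ok=True)
            if not info.is_dir():
                with open(target, "wb") as fh:
                    fh.write(zf.read(info))
                written.append(info.filename)
    return written

def demo():
    """Audit a clean WAR and one carrying a '../' entry against a fresh webapps/app dir."""
    app_dir = os.path.join(tempfile.mkdtemp(), "webapps", "app")
    clean = build_war({"WEB-INF/web.xml": b"<web-app/>", "index.jsp": b"ok"})
    traversal = build_war({"WEB-INF/web.xml": b"<web-app/>", "../../conf/server.xml": b"x"})
    return {
        "clean_bad_entries": audit_war(clean, app_dir),
        "traversal_bad_entries": audit_war(traversal, app_dir),
        "clean_written": safe_expand_war(clean, app_dir),
    }
```

Running `audit_war` over a WAR before deployment is also a cheap pre-deploy gate for a CI pipeline or a host-level check, independent of which Tomcat version will unpack it.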



Re: Downloading binary version of vulnerable tomcat 6.0.0 - 6.0.20 to exploit the vulnerability CVE-2009-2693

Posted by Ragini <ra...@gmail.com>.
On 09/25/2012 03:42 PM, Mark Thomas wrote:
> On 25/09/2012 12:15, Ragini wrote:
>> Hi,
>>
>> I want to try to exploit the Tomcat vulnerability CVE-2009-2693. The site
>> says that the affected versions are from 6.0.0 to 6.0.20. I could not
>> find any of these on the official Apache Tomcat website. I want to do some
>> tests on those vulnerable versions.
> Hmm. I find it hard to believe you couldn't find the Tomcat 6 download
> pages [1]. (Although judging by the level of competence your e-mails to
> this list to date have demonstrated, I suppose that is a possibility).
>
> The very first section on that page contains the text:
> "This page provides download links for obtaining the latest version of
> Tomcat 6.0.x, as well as links to the archives of older releases."
>
> Did you read that section? Did you not understand that since you want an
> old release you need to look in the archives?
>
> The following section contains a link [2] to the archives. From that point
> it should be obvious.
>
>> *Could you please guide me to where I can download the Tomcat version
>> which is vulnerable to CVE-2009-2693 (arbitrary file deletion and/or
>> alteration on deploy)? Please note that I use Ubuntu 12.0.4.*
> I'd suggest you use [3].
Is there a particular reason to use 6.0.20 only?
>> Basically this is how I plan to exploit that vulnerability:
>>
>> 1) I insert code that creates a directory in the user's home directory in one
>> of the Java classes of my web application.
>> 2) I deploy the WAR file to Tomcat's webapps dir.
>> 3) I start Tomcat with the security manager and it should then create a
>> directory in the user's home directory.
> That would be a complete waste of time. You'll be testing the security
> manager rather than anything to do with CVE-2009-2693.
>
> Either you have failed to read the description of CVE-2009-2693 [4] or
> you have failed to comprehend it.
Maybe I have failed to understand it. Could you please explain it 
and give me an idea about how I can actually exploit it?
> You need to ask yourself whether you have the necessary skills and
> understanding to carry out the research you claim you want to perform.
Well, I asked and realized that I should not give up yet! :-)
>
> Mark
>
> [1] http://tomcat.apache.org/download-60.cgi
> [2] http://archive.apache.org/dist/tomcat/tomcat-6
> [3] http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.20/bin/apache-tomcat-6.0.20.tar.gz
> [4] http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.24
>
>




Re: Downloading binary version of vulnerable tomcat 6.0.0 - 6.0.20 to exploit the vulnerability CVE-2009-2693

Posted by Mark Thomas <ma...@apache.org>.
On 25/09/2012 12:15, Ragini wrote:
> Hi,
> 
> I want to try to exploit the Tomcat vulnerability CVE-2009-2693. The site
> says that the affected versions are from 6.0.0 to 6.0.20. I could not
> find any of these on the official Apache Tomcat website. I want to do some
> tests on those vulnerable versions.

Hmm. I find it hard to believe you couldn't find the Tomcat 6 download
pages [1]. (Although judging by the level of competence your e-mails to
this list to date have demonstrated, I suppose that is a possibility).

The very first section on that page contains the text:
"This page provides download links for obtaining the latest version of
Tomcat 6.0.x, as well as links to the archives of older releases."

Did you read that section? Did you not understand that since you want an
old release you need to look in the archives?

The following section contains a link [2] to the archives. From that point
it should be obvious.

> *Could you please guide me to where I can download the Tomcat version
> which is vulnerable to CVE-2009-2693 (arbitrary file deletion and/or
> alteration on deploy)? Please note that I use Ubuntu 12.0.4.*

I'd suggest you use [3].

> Basically this is how I plan to exploit that vulnerability:
> 
> 1) I insert code that creates a directory in the user's home directory in one
> of the Java classes of my web application.
> 2) I deploy the WAR file to Tomcat's webapps dir.
> 3) I start Tomcat with the security manager and it should then create a
> directory in the user's home directory.

That would be a complete waste of time. You'll be testing the security
manager rather than anything to do with CVE-2009-2693.

Either you have failed to read the description of CVE-2009-2693 [4] or
you have failed to comprehend it.

You need to ask yourself whether you have the necessary skills and
understanding to carry out the research you claim you want to perform.

Mark

[1] http://tomcat.apache.org/download-60.cgi
[2] http://archive.apache.org/dist/tomcat/tomcat-6
[3] http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.20/bin/apache-tomcat-6.0.20.tar.gz
[4] http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.24
