CVE-2007-0774 - Unspecified vulnerability in Apache Tomcat JK Web Server Connector 1.2.19/1.2.20
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |
Summary
Stack-based buffer overflow in the map_uri_to_worker function (native/common/jk_uri_worker_map.c) in mod_jk.so for Apache Tomcat JK Web Server Connector 1.2.19 and 1.2.20, as used in Tomcat 4.1.34 and 5.5.20, allows remote attackers to execute arbitrary code via a long URL that triggers the overflow in a URI worker map routine.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 2 |
Exploit-Db
description | Apache mod_jk 1.2.20 Buffer Overflow. CVE-2007-0774. Remote exploit for windows platform |
id | EDB-ID:16798 |
last seen | 2016-02-02 |
modified | 2010-07-25 |
published | 2010-07-25 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16798/ |
title | Apache mod_jk 1.2.20 - Buffer Overflow |
Metasploit
description | This is a stack buffer overflow exploit for mod_jk 1.2.20. Should work on any Win32 OS. |
id | MSF:EXPLOIT/WINDOWS/HTTP/APACHE_MODJK_OVERFLOW |
last seen | 2020-06-14 |
modified | 2017-07-24 |
published | 2007-05-22 |
references | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0774 |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/apache_modjk_overflow.rb |
title | Apache mod_jk 1.2.20 Buffer Overflow |
Nessus
NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_CF86C644CB6C11DB8E9D000C6EC775D9.NASL |
description | TippingPoint and The Zero Day Initiative reports : This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apache Tomcat JK Web Server Connector. Authentication is not required to exploit this vulnerability. The specific flaw exists in the URI handler for the mod_jk.so library, map_uri_to_worker(), defined in native/common/jk_uri_worker_map.c. When parsing a long URL request, the URI worker map routine performs an unsafe memory copy. This results in a stack overflow condition which can be leveraged to execute arbitrary code. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 24770 |
published | 2007-03-06 |
reporter | This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/24770 |
title | FreeBSD : mod_jk -- long URL stack overflow vulnerability (cf86c644-cb6c-11db-8e9d-000c6ec775d9) |
code |

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(24770);
  script_version("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:39");

  script_cve_id("CVE-2007-0774");

  script_name(english:"FreeBSD : mod_jk -- long URL stack overflow vulnerability (cf86c644-cb6c-11db-8e9d-000c6ec775d9)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote FreeBSD host is missing one or more security-related
updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"TippingPoint and The Zero Day Initiative reports :

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apache Tomcat JK Web Server Connector.
Authentication is not required to exploit this vulnerability.

The specific flaw exists in the URI handler for the mod_jk.so library,
map_uri_to_worker(), defined in native/common/jk_uri_worker_map.c.
When parsing a long URL request, the URI worker map routine performs an
unsafe memory copy. This results in a stack overflow condition which
can be leveraged to execute arbitrary code."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://tomcat.apache.org/security-jk.html"
  );
  # http://www.zerodayinitiative.com/advisories/ZDI-07-008.html
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.zerodayinitiative.com/advisories/ZDI-07-008.html"
  );
  # https://vuxml.freebsd.org/freebsd/cf86c644-cb6c-11db-8e9d-000c6ec775d9.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?b794f640"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Apache mod_jk 1.2.20 Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mod_jk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:mod_jk-ap2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/03/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2007/03/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/03/06");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}

include("audit.inc");
include("freebsd_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

# Affected package versions: 1.2.19 and 1.2.20; 1.2.21 carries the fix.
if (pkg_test(save_report:TRUE, pkg:"mod_jk-ap2>=1.2.19<1.2.21")) flag++;
if (pkg_test(save_report:TRUE, pkg:"mod_jk>=1.2.19<1.2.21")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

NASL family | CGI abuses |
NASL id | MOD_JK_LONG_URL_OVERFLOW.NASL |
description | According to its banner, the version of the Apache mod_jk module in use on the remote web server contains a buffer overflow vulnerability. An unauthenticated, remote attacker may be able to exploit this flaw by sending a long URL request to crash the affected service or execute arbitrary code on the remote host, subject to the privileges of the web server user id. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 24813 |
published | 2007-03-15 |
reporter | This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/24813 |
title | Apache mod_jk Long URL Worker Map Stack Remote Overflow |

NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-200703-16.NASL |
description | The remote host is affected by the vulnerability described in GLSA-200703-16 (Apache JK Tomcat Connector: Remote execution of arbitrary code). ZDI reported an unsafe memory copy in mod_jk that was discovered by an anonymous researcher in the map_uri_to_worker function of native/common/jk_uri_worker_map.c. Impact : A remote attacker can send a long URL request to an Apache server using Tomcat. That can trigger the vulnerability and lead to a stack-based buffer overflow, which could result in the execution of arbitrary code with the permissions of the Apache user. Workaround : There is no known workaround at this time. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 24841 |
published | 2007-03-18 |
reporter | This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/24841 |
title | GLSA-200703-16 : Apache JK Tomcat Connector: Remote execution of arbitrary code |
Oval
accepted | 2015-04-20T04:02:25.877-04:00 |
class | vulnerability |
contributors | |
description | Stack-based buffer overflow in the map_uri_to_worker function (native/common/jk_uri_worker_map.c) in mod_jk.so for Apache Tomcat JK Web Server Connector 1.2.19 and 1.2.20, as used in Tomcat 4.1.34 and 5.5.20, allows remote attackers to execute arbitrary code via a long URL that triggers the overflow in a URI worker map routine. |
family | unix |
id | oval:org.mitre.oval:def:5513 |
status | accepted |
submitted | 2008-10-30T17:10:24.000-04:00 |
title | HP-UX running Apache, Remote Arbitrary Code Execution, Cross Site Scripting (XSS) |
version | 45 |
Packetstorm
data source | https://packetstormsecurity.com/files/download/57551/apache_modjk_overflow.rb.txt |
id | PACKETSTORM:57551 |
last seen | 2016-12-05 |
published | 2007-07-10 |
reporter | Nicob |
source | https://packetstormsecurity.com/files/57551/apache_modjk_overflow.rb.txt.html |
title | apache_modjk_overflow.rb.txt |
Redhat
advisories | |
rpms | |
Saint
bid | 22791 |
description | Apache Tomcat JK Web Server Connector URI worker map buffer overflow |
id | web_mod_jkver |
osvdb | 33855 |
title | tomcat_jk_connector_worker_map |
type | remote |
References
- http://www.zerodayinitiative.com/advisories/ZDI-07-008.html
- http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html
- http://tomcat.apache.org/security-jk.html
- http://www.gentoo.org/security/en/glsa/glsa-200703-16.xml
- http://www.redhat.com/support/errata/RHSA-2007-0096.html
- http://www.securityfocus.com/bid/22791
- http://securitytracker.com/id?1017719
- http://secunia.com/advisories/24398
- http://secunia.com/advisories/24558
- http://secunia.com/advisories/27037
- http://www.cisco.com/en/US/products/products_security_advisory09186a008093f040.shtml
- http://secunia.com/advisories/28711
- http://www.vupen.com/english/advisories/2007/3386
- http://www.vupen.com/english/advisories/2008/0331
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
- http://www.vupen.com/english/advisories/2007/0809
- https://exchange.xforce.ibmcloud.com/vulnerabilities/32794
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5513
- http://www.securityfocus.com/archive/1/461734/100/0/threaded
- https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E