Vulnerabilities > CVE-2019-0232 - OS Command Injection vulnerability in Apache Tomcat
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
- Command Delimiters An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
- Exploiting Multiple Input Interpretation Layers An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
- Argument Injection An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
- OS Command Injection In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.
Exploit-Db
| id | EDB-ID:47073 |
| last seen | 2019-07-03 |
| modified | 2019-07-03 |
| published | 2019-07-03 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/47073 |
| title | Apache Tomcat - CGIServlet enableCmdLineArguments Remote Code Execution (Metasploit) |
Metasploit
| description | This module exploits a vulnerability in Apache Tomcat's CGIServlet component. When the enableCmdLineArguments setting is set to true, a remote user can abuse this to execute system commands, and gain remote code execution. |
| id | MSF:EXPLOIT/WINDOWS/HTTP/TOMCAT_CGI_CMDLINEARGS |
| last seen | 2020-06-14 |
| modified | 2019-08-02 |
| published | 2019-06-18 |
| references |
|
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/tomcat_cgi_cmdlineargs.rb |
| title | Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability |
Nessus
NASL family Web Servers NASL id TOMCAT_7_0_94.NASL description The version of Tomcat installed on the remote Windows host is prior to 7.0.94. It is, therefore, affected by a remote code execution vulnerability due to a bug in the way the JRE passes command line arguments to Windows. An unauthenticated, remote attacker can exploit this to execute arbitrary commands. Additionally, it is affected by a cross-site (XSS) scripting vulnerability as the SSI printenv command echoes user provided data without proper escaping. Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-03-18 modified 2019-04-16 plugin id 124064 published 2019-04-16 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124064 title Apache Tomcat 7.0.0 < 7.0.94 Remote Code Execution Vulnerability (Windows) code # # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(124064); script_version("1.11"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/11"); script_cve_id("CVE-2019-0221", "CVE-2019-0232"); script_bugtraq_id(107906); script_name(english:"Apache Tomcat 7.0.0 < 7.0.94 Remote Code Execution Vulnerability (Windows)"); script_set_attribute(attribute:"synopsis", value: "The remote Windows Apache Tomcat server is affected by a remote code execution vulnerability"); script_set_attribute(attribute:"description", value: "The version of Tomcat installed on the remote Windows host is prior to 7.0.94. It is, therefore, affected by a remote code execution vulnerability due to a bug in the way the JRE passes command line arguments to Windows. An unauthenticated, remote attacker can exploit this to execute arbitrary commands. Additionally, it is affected by a cross-site (XSS) scripting vulnerability as the SSI printenv command echoes user provided data without proper escaping. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://github.com/apache/tomcat/commit/7f0221b"); # https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.94 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?afa7a4e1"); script_set_attribute(attribute:"solution", value: "Upgrade to Apache Tomcat version 7.0.94 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0232"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/03"); script_set_attribute(attribute:"patch_publication_date", value:"2019/04/13"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/16"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat"); script_set_attribute(attribute:"agent", value:"all"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Web Servers"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("tomcat_error_version.nasl", "os_fingerprint.nasl", "tomcat_win_installed.nbin", "apache_tomcat_nix_installed.nbin"); script_require_keys("installed_sw/Apache Tomcat", "Host/OS"); exit(0); } include('tomcat_version.inc'); # Vuln only on Windows os = get_kb_item_or_exit('Host/OS'); if ('Windows' >!< os) audit(AUDIT_OS_NOT, 'Windows', os); conf = get_kb_item('Host/OS/Confidence'); if ((conf <= 70) && (report_paranoia < 2 )) { exit(1, 'Can\'t determine the host\'s OS with sufficient confidence and \'show potential false alarms\' is not enabled.'); } tomcat_check_version(fixed: '7.0.94', min:'7.0.0', severity:SECURITY_HOLE, granularity_regex: "^7(\.0)?$", xss:TRUE);NASL family Web Servers NASL id TOMCAT_9_0_18.NASL description The version of Tomcat installed on the remote Windows host is prior to 9.0.19. It is, therefore, affected by a remote code execution vulnerability due to a bug in the way the JRE passes command line arguments to Windows. An unauthenticated, remote attacker can exploit this to execute arbitrary commands. Additionally, it is affected by a cross-site (XSS) scripting vulnerability as the SSI printenv command echoes user provided data without proper escaping. Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-03-18 modified 2019-04-15 plugin id 124058 published 2019-04-15 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124058 title Apache Tomcat 9.0.0.M1 < 9.0.19 Remote Code Execution Vulnerability (Windows) NASL family Web Servers NASL id TOMCAT_8_5_40.NASL description The version of Tomcat installed on the remote Windows host is prior to 8.5.40. It is, therefore, affected by a remote code execution vulnerability due to a bug in the way the JRE passes command line arguments to Windows. An unauthenticated, remote attacker can exploit this to execute arbitrary commands. Additionally, it is affected by a cross-site (XSS) scripting vulnerability as the SSI printenv command echoes user provided data without proper escaping. Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-03-18 modified 2019-04-16 plugin id 124063 published 2019-04-16 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124063 title Apache Tomcat 8.5.0 < 8.5.40 Remote Code Execution Vulnerability (Windows) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-3929.NASL description Updated Red Hat JBoss Web Server 5.2.0 packages are now available for Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, and Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.2 serves as a replacement for Red Hat JBoss Web Server 5.1, and includes bug fixes, enhancements, and component upgrades, which are documented in the Release Notes, linked to in the References. Security Fix(es) : * openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) (CVE-2018-5407) * openssl: 0-byte record padding oracle (CVE-2019-1559) * tomcat: HTTP/2 connection window exhaustion on write, incomplete fix of CVE-2019-0199 (CVE-2019-10072) * tomcat: XSS in SSI printenv (CVE-2019-0221) * tomcat: Apache Tomcat HTTP/2 DoS (CVE-2019-0199) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-03-18 modified 2019-11-22 plugin id 131214 published 2019-11-22 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131214 title RHEL 6 / 7 / 8 : JBoss Web Server (RHSA-2019:3929) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2019-1208.NASL description When the default servlet in Apache Tomcat returned a redirect to a directory (e.g. redirecting to last seen 2020-06-01 modified 2020-06-02 plugin id 125294 published 2019-05-21 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125294 title Amazon Linux AMI : tomcat8 (ALAS-2019-1208)
Packetstorm
| data source | https://packetstormsecurity.com/files/download/153506/tomcat_cgi_cmdlineargs.rb.txt |
| id | PACKETSTORM:153506 |
| last seen | 2019-07-03 |
| published | 2019-07-02 |
| reporter | sinn3r |
| source | https://packetstormsecurity.com/files/153506/Apache-Tomcat-CGIServlet-enableCmdLineArguments-Remote-Code-Execution.html |
| title | Apache Tomcat CGIServlet enableCmdLineArguments Remote Code Execution |
Redhat
| advisories |
|
The Hacker News
| id | THN:A1FA44D6DEC0509E076C54E227E6E6A1 |
| last seen | 2019-04-16 |
| modified | 2019-04-16 |
| published | 2019-04-15 |
| reporter | The Hacker News |
| source | https://thehackernews.com/2019/04/apache-tomcat-security-flaw.html |
| title | Apache Tomcat Patches Important Remote Code Execution Flaw |
References
- https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/
- https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html
- http://www.securityfocus.com/bid/107906
- https://security.netapp.com/advisory/ntap-20190419-0001/
- https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-784
- http://seclists.org/fulldisclosure/2019/May/4
- https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/
- https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/
- https://www.synology.com/security/advisory/Synology_SA_19_17
- http://packetstormsecurity.com/files/153506/Apache-Tomcat-CGIServlet-enableCmdLineArguments-Remote-Code-Execution.html
- https://access.redhat.com/errata/RHSA-2019:1712
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://lists.apache.org/thread.html/5f297a4b9080b5f65a05bc139596d0e437d6a539b25e31d29d028767%40%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/673b6148d92cd7bc99ea2dcf85ad75d57da44fc322d51f37fb529a2a%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/a6c87a09a71162fd563ab1c4e70a08a103e0b7c199fc391f1c9c4c35%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/52ffb9fbf661245386a83a661183d13f1de2e5779fa23837a08e02ac%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/dd4b325cdb261183dbf5ce913c102920a8f09c26dae666a98309165b%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/96849486813a95dfd542e1618b7923ca945508aaf4a4341f674d83e3%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/f4d48b32ef2b6aa49c8830241a9475da5b46e451f964b291c7a0a715%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E