Merge pull request #104 from mindedsecurity:main
PiperOrigin-RevId: 706593499
Change-Id: I44e56ebfa7faef3fd95a03cfc2b0429e243c922e
copybara-github committed Dec 16, 2024
2 parents 70a352f + d21a43a commit 2d0a83c
Showing 3 changed files with 4,769 additions and 0 deletions.
30 changes: 30 additions & 0 deletions apache/tomcat/CVE-2017-12617/Dockerfile
@@ -0,0 +1,30 @@
FROM openjdk:8-jre-slim

ARG CONFIG
ENV CONFIG=${CONFIG}

# setenv
ENV CATALINA_HOME=/usr/local/tomcat
ENV PATH=$CATALINA_HOME/bin:$PATH
ENV TOMCAT_VERSION=8.5.16

RUN mkdir -p $CATALINA_HOME

# download Apache Tomcat 8.5.16
RUN apt-get update && apt-get install -y curl && \
curl -fSL "https://archive.apache.org/dist/tomcat/tomcat-8/v${TOMCAT_VERSION}/bin/apache-tomcat-${TOMCAT_VERSION}.tar.gz" -o /tmp/tomcat.tar.gz && \
tar -xvf /tmp/tomcat.tar.gz -C ${CATALINA_HOME} --strip-components=1

# set perms
RUN chmod +x $CATALINA_HOME/bin/*.sh

# depending on CONFIG, we might have vulnerable or not vulnerable testbed
COPY ./web.xml ${CATALINA_HOME}/conf/web.xml
RUN if [ "$CONFIG" = "vuln" ]; then \
sed -i 's/<param-name>readonly<\/param-name><param-value>true<\/param-value>/<param-name>readonly<\/param-name><param-value>false<\/param-value>/' \
/usr/local/tomcat/conf/web.xml; \
fi;

EXPOSE 8080

CMD ["catalina.sh", "run"]
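
Review bot: the `sed` in the `CONFIG = vuln` branch only matches when `<param-name>readonly</param-name><param-value>true</param-value>` appears on a single line with nothing between the two elements, and `sed -i` exits 0 when no line matches, so if the copied `web.xml` is laid out differently a `vuln` build silently produces the non-vulnerable image. Follow the substitution with a `grep -q` for the `false` form so the build fails when it did not apply, and use `${CATALINA_HOME}/conf/web.xml` instead of the hardcoded `/usr/local/tomcat/conf/web.xml` to stay consistent with the `COPY` line. Also, the `curl` step unpacks the tarball without an integrity check; with `TOMCAT_VERSION` pinned, a checksum recorded in the Dockerfile and verified before `tar` would be cheap to add.
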
50 changes: 50 additions & 0 deletions apache/tomcat/CVE-2017-12617/README.md
@@ -0,0 +1,50 @@
# Apache Tomcat RCE Via JSP Upload (CVE-2017-12617)

This directory contains the Dockerfile that can be used to build an
Apache Tomcat instance vulnerable to CVE-2017-12617.

Specifically, the dockerfile takes an optional build argument named
`CONFIG`. If this argument is set to the value `vuln`, the build will
produce a vulnerable service. In all other cases, the build will
produce a non vulnerable service.

In the vulnerable configuration, the `readonly` property in `web.xml`
is set to `false`. To build a vulnerable version of the service
proceed as follows.

```sh
docker build --build-arg CONFIG=vuln -t tomcat .
```

In the non vulnerable configuration, the `readonly` property in
`web.xml` is set to `true`. To build a non vulnerable version of the
service proceed as follows.

```sh
docker build -t tomcat .
```

Regardless of how the image has been built, to start the container
proceed as follows.

```sh
docker run --name tomcat --rm -d -p127.0.0.1:8080:8080 tomcat
```

The container is named `tomcat` and will listen to the endpoint
`127.0.0.1:8080`. Once the testing has been done, stop the container
with

```sh
docker stop tomcat
```

**Apache Version**|**Affected Release Versions**
:-----:|:-----:|
Apache Tomcat 9|9.0.0 M1 to 9.0.0
Apache Tomcat 8|8.0.0 RC1 to 8.0.46 and 8.5.0 to 8.5.22
Apache Tomcat 7|7.0.0 to 7.0.81

## References
* https://nvd.nist.gov/vuln/detail/cve-2017-12617
* https://www.exploit-db.com/exploits/42966
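
Review bot: the README calls the default build "non vulnerable", but the Dockerfile pins Tomcat 8.5.16, which falls inside the 8.5.0 to 8.5.22 range listed in the table here, so that build is safe only because `readonly` is `true`, not because the server is patched. State this explicitly next to the `docker build -t tomcat .` step so nobody treats the default image as a fixed version. Minor: the table separator row `:-----:|:-----:|` ends with a trailing pipe that the header and body rows lack, and both builds use the same `tomcat` tag, so the second build overwrites the first; distinct tags would let both testbeds coexist.
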