Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #104 from mindedsecurity:main
PiperOrigin-RevId: 706593499 Change-Id: I44e56ebfa7faef3fd95a03cfc2b0429e243c922e
Showing 3 changed files with 4,769 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
FROM openjdk:8-jre-slim | ||
|
||
ARG CONFIG | ||
ENV CONFIG=${CONFIG} | ||
|
||
# setenv | ||
ENV CATALINA_HOME=/usr/local/tomcat | ||
ENV PATH=$CATALINA_HOME/bin:$PATH | ||
ENV TOMCAT_VERSION=8.5.16 | ||
|
||
RUN mkdir -p $CATALINA_HOME | ||
|
||
# download Apache Tomcat 8.5.16 | ||
RUN apt-get update && apt-get install -y curl && \ | ||
curl -fSL "https://archive.apache.org/dist/tomcat/tomcat-8/v${TOMCAT_VERSION}/bin/apache-tomcat-${TOMCAT_VERSION}.tar.gz" -o /tmp/tomcat.tar.gz && \ | ||
tar -xvf /tmp/tomcat.tar.gz -C ${CATALINA_HOME} --strip-components=1 | ||
|
||
# set perms | ||
RUN chmod +x $CATALINA_HOME/bin/*.sh | ||
|
||
# depending on CONFIG, we might have vulnerable or not vulnerable testbed | ||
COPY ./web.xml ${CATALINA_HOME}/conf/web.xml | ||
RUN if [ "$CONFIG" = "vuln" ]; then \ | ||
sed -i 's/<param-name>readonly<\/param-name><param-value>true<\/param-value>/<param-name>readonly<\/param-name><param-value>false<\/param-value>/' \ | ||
/usr/local/tomcat/conf/web.xml; \ | ||
fi; | ||
|
||
EXPOSE 8080 | ||
|
||
CMD ["catalina.sh", "run"] |
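Review bot: The `sed` in the `"$CONFIG" = "vuln"` branch has no check that the substitution applied. It only matches when the copied `web.xml` carries `<param-name>readonly</param-name><param-value>true</param-value>` on one line with no whitespace between the two elements, and `sed -i` exits 0 when nothing matches, so a formatting change in `web.xml` would silently produce a non-vulnerable image from a `vuln` build. Suggest following the `sed` with a `grep -q` for the `false` form of the same string so the build fails when the flip did not happen. Separately, the tarball fetched by `curl -fSL` is extracted without comparing it against a pinned digest; adding that check before `tar -xvf` would make the testbed reproducible.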
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
# Apache Tomcat RCE Via JSP Upload (CVE-2017-12617) | ||
|
||
This directory contains the Dockerfile that can be used to build an | ||
Apache Tomcat instance vulnerable to CVE-2017-12617. | ||
|
||
Specifically, the dockerfile takes an optional build argument named | ||
`CONFIG`. If this argument is set to the value `vuln`, the build will | ||
produce a vulnerable service. In all other cases, the build will | ||
produce a non vulnerable service. | ||
|
||
In the vulnerable configuration, the `readonly` property in `web.xml` | ||
is set to `false`. To build a vulnerable version of the service | ||
proceed as follows. | ||
|
||
```sh | ||
docker build --build-arg CONFIG=vuln -t tomcat . | ||
``` | ||
|
||
In the non vulnerable configuration, the `readonly` property in | ||
`web.xml` is set to `true`. To build a non vulnerable version of the | ||
service proceed as follows. | ||
|
||
```sh | ||
docker build -t tomcat . | ||
``` | ||
|
||
Regardless of how the image has been built, to start the container | ||
proceed as follows. | ||
|
||
```sh | ||
docker run --name tomcat --rm -d -p127.0.0.1:8080:8080 tomcat | ||
``` | ||
|
||
The container is named `tomcat` and will listen to the endpoint | ||
`127.0.0.1:8080`. Once the testing has been done, stop the container | ||
with | ||
|
||
```sh | ||
docker stop tomcat | ||
``` | ||
|
||
**Apache Version**|**Affected Release Versions** | ||
:-----:|:-----:| | ||
Apache Tomcat 9|9.0.0 M1 to 9.0.0 | ||
Apache Tomcat 8|8.0.0 RC1 to 8.0.46 and 8.5.0 to 8.5.22 | ||
Apache Tomcat 7|7.0.0 to 7.0.81 | ||
|
||
## References | ||
* https://nvd.nist.gov/vuln/detail/cve-2017-12617 | ||
* https://www.exploit-db.com/exploits/42966 |
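Review bot: The sentence "In all other cases, the build will produce a non vulnerable service" reads as if the default image were patched, but the affected-versions table in this same file lists 8.5.0 to 8.5.22 and the Dockerfile in this commit sets `TOMCAT_VERSION=8.5.16`. Suggest stating explicitly that both builds run the same affected release and differ only in the `readonly` value in `web.xml`. Both `docker build` commands also tag the image `tomcat`, so building one configuration replaces the other; distinct tags for the two builds would let both testbeds exist side by side and make it clear which one `docker run` starts.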