Tomcat, an open-source Java servlet container based on Apache, is susceptible to remote code execution when used in a custom configuration. If a parameter called enableCmdLineArguments is enabled in CGI servlet, a bug can be introduced to tamper with the command line arguments. This vulnerability exploits the method used to pass the command line arguments by JRE.
Apache Tomcat utilizes Common Gateway Interface (CGI) protocol to pass on the command line scripts by web servers. While CGI is advantageous in that it is platform-independent, it has no vetting mechanism for the code that is passed on. Since Windows can only accept one command line string per process, applications wrap their commands into one string. A subprocess then splits the string and passes them as arguments. In Java Runtime Environment (JRE), Windows does not validate the input arguments and is vulnerable to code injection. An attacker can bug the splitting process and let Windows parse the arguments in ways unintended by the application. For example, a metacharacter like ‘&’ can be used to split the commands, if it has a preceding quotation mark (“). In this case, the malicious code, that is injected after the ‘&’ character, is executed. In the string below, systeminfo is executed as a separate command following the escaped quotation mark(“) and the ‘&’ metacharacter. The intended separation should have occurred only at the ending quotation mark. foo.bat “pwd \”&systeminfo” 0: [foo.bat] 1: [pwd] 2: [systeminfo] The vulnerability can also cause a denial of service. Because Apache Tomcat waits for the Windows process to complete, a long-running command can be deployed to trigger the denial of service. In addition to running Apache Tomcat on Windows with enableCmdLineArguments enabled, a successful exploit needs the following: executed CGI scripts are only batch files and “executable” parameter is empty “privileged” is set to “true”
Windows running any of the following versions of Tomcat: Tomcat 9 – versions 9.0.0.M1 through 9.0.17 Tomcat 8 – versions 8.5.0 to 8.5.39 Tomcat 7 – versions 7.0.0 to 7.0.93
Run the following patched versions of Tomcat on Windows: Apache Tomcat 9 – versions 9.0.18 or later Apache Tomcat 8 – versions 8.5.40 or later Apache Tomcat 7 – versions 7.0.93 or later
The affected versions can be safely used if: the default configuration is used CGI is disabled CGI is enabled, but “enableCmdLineArguments” parameter is set to “false“