Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

XSS in SSI printenv command – Apache Tomcat – CVE-2019-0221

Related Vulnerabilities: CVE-2019-0221  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="48"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#50">By Date</a>
<a href="51"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="48"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#50">By Thread</a>
<a href="51"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">XSS in SSI printenv command – Apache Tomcat – CVE-2019-0221</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Nightwatch Cybersecurity Research &lt;research () nightwatchcybersecurity com&gt;


<em>Date</em>: Mon, 27 May 2019 11:44:41 -0400


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">[Original blog post here:
<a rel="nofollow" href="https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/">https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/</a>]

SUMMARY

Apache Tomcat had a vulnerability in its SSI implementation which
could be used to achieve cross site scripting (XSS). This is only
exploitable if SSI is enabled and the “printenv” directive is used
which is unlikely in a production system.

The vendor has rated this as a Low severity issue. A fix was released
in versions 7.0.94, 8.5.40 and 9.0.19. Users are encouraged to upgrade
as soon as possible. CVE-2019-0221 has been assigned to track this
issue.

VULNERABILITY DETAILS

Server Side Includes (SSI) is a simple scripting language used
server-side in some web servers for functionality like including
files, echoing values of variables and displaying basic information
about files. Note that these ARE NOT environment variables but are
specific to SSI. They either have been set by the user or contain
information about the incoming HTTP request (see full list here:
<a rel="nofollow" href="https://tomcat.apache.org/tomcat-9.0-doc/ssi-howto.html#Variables">https://tomcat.apache.org/tomcat-9.0-doc/ssi-howto.html#Variables</a>).

The “echo” directive prints out value of a single variable while the
“printenv” directive prints out values of all variables. Both of these
directives output HTML. The Apache Tomcat implementation correctly
escapes XSS values when using the “echo”directive but not for the
“printenv” directive. As the result, if an application is using this
directive, an attacker can inject malicious input causing it to output
and cause XSS.

The fix is to add encoding as seen in this commit:
<a rel="nofollow" href="https://github.com/apache/tomcat/commit/15fcd16">https://github.com/apache/tomcat/commit/15fcd16</a>

In order to exploit this, several things have to true:
1. SSI support has to be enabled in Apache Tomcat – either globally or
on a specific web application. It is NOT ENABLED by default.
2. A file with the “printenv” SSI directive must exist within the web
application (usually “.shtml”).
3. That file must be accessible to the attacker.

STEPS TO REPLICATE

1. Install a Java Runtime Environment (JRE) in Windows.
2. Download a vulnerable version of Tomcat and extract.
3. Modify the conf\context.xml file on line 19, to enable privileged
context (this can also be done on individual applications instead of
globally):

Context privileged="true"&gt;

4. Modify conf\web.xml to enable the SSI Servlet as per instructions
here [<a rel="nofollow" href="https://tomcat.apache.org/tomcat-9.0-doc/ssi-howto.html">https://tomcat.apache.org/tomcat-9.0-doc/ssi-howto.html</a>] (this
can also be done on individual applications instead of globally).

5. Put the following code in “webapps/ROOT/ssi/printenv.shtml”:

&lt;html&gt;&lt;head&gt;&lt;title&gt;&lt;/title&gt;&lt;body&gt;
Echo test: &lt;!--#echo var="QUERY_STRING_UNESCAPED" --&gt;&lt;br/&gt;&lt;br/&gt;
Printenv test: &lt;!--#printenv --&gt;
&lt;/body&gt;&lt;/html&gt;

6. Run Tomcat via the following command:

cd bin
catalina run

7. Call the following URLs to observe XSS (may need to use FireFox).
Observe the difference between “echo” directive which escapes properly
and the “printenv” directive which doesn’t escape properly

<a rel="nofollow" href="http://localhost:8080/ssi/printenv.shtml?%3Cbr/%3E%3Cbr/%3E%3Ch1%3EXSS%3C/h1%3E%3Cbr/%3E%3Cbr/%3E">http://localhost:8080/ssi/printenv.shtml?%3Cbr/%3E%3Cbr/%3E%3Ch1%3EXSS%3C/h1%3E%3Cbr/%3E%3Cbr/%3E</a>

<a rel="nofollow" href="http://localhost:8080/printenv.shtml?%3Cscript%3Ealert">http://localhost:8080/printenv.shtml?%3Cscript%3Ealert</a>(%27xss%27)%3C/script%3E

VENDOR RESPONSE

This issue was responsibly reported to the vendor via the EU FOSSA
bounty program operated by Intigriti. The vendor assigned
CVE-2019-0221 to track this issue and provided a fix.

The vendor rated this issue as “Low Impact” on the following basis:
- SSI is disabled by default
- hardly anyone uses SSI
- printenv is really a debug command that you would not expect to find
used in a production system

The vendor also indicated that if there was a lower impact level, they
would have used it as they consider the chances of a production system
being exposed to this vulnerability to be very close to zero.

The vendor indicated that the following versions are vulnerable (no
information is available on earlier versions):
- Tomcat 9 – versions 9.0.0.M1 through 9.0.17 (9.0.18 is not affected)
- Tomcat 8 – versions 8.5.0 to 8.5.39
- Tomcat 7 – versions 7.0.0 to 7.0.93

Users are encouraged to upgrade to the following fixed versions or later:
- Tomcat 9 – version 9.0.19
- Tomcat 8 – version 8.5.40
- Tomcat 7 – version 7.0.94

BOUNTY INFORMATION

This report satisfied the requirement of the EU FOSSA bounty program
and a bounty has been paid.

REFERENCES

Apache SSI reference: see here – mod_include -
<a rel="nofollow" href="https://httpd.apache.org/docs/current/mod/mod_include.html#page-header">https://httpd.apache.org/docs/current/mod/mod_include.html#page-header</a>
CVE-ID: CVE-2019-0221
CVSS 2.0 Score: pending
CVSS 3.0 Score: pending
Tomcat SSI documentation: see here -
<a rel="nofollow" href="https://tomcat.apache.org/tomcat-9.0-doc/ssi-howto.html">https://tomcat.apache.org/tomcat-9.0-doc/ssi-howto.html</a>
Vendor advisory: see here -
<a rel="nofollow" href="http://mail-archives.us.apache.org/mod_mbox/www-announce/201904.mbox/%3C13d878ec-5d49-c348-48d4-25a6c81b9605%40apache.org%3E">http://mail-archives.us.apache.org/mod_mbox/www-announce/201904.mbox/%3C13d878ec-5d49-c348-48d4-25a6c81b9605%40apache.org%3E</a>

CREDITS

Text of the advisory written by Y. Shafranovich.

TIMELINE

2019-02-17: Initial report submitted to the platform
2019-02-19: Initial report validated by the platform
2019-03-12: Report accepted by the vendor
2019-05-17: Public advisory issued by the vendor
2019-05-27: Public disclosure by reporter

_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="48"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#50">By Date</a>
<a href="51"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="48"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#50">By Thread</a>
<a href="51"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>XSS in SSI printenv command – Apache Tomcat – CVE-2019-0221</strong> <em>Nightwatch Cybersecurity Research (May 29)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started