Directory traversal vulnerability in Apache Tomcat 4.1.0 up to and including 4.1.37, 5.5.0 up to and including 5.5.26, and 6.0.0 up to and including 6.0.16, when allowLinking and UTF-8 are enabled, allows remote malicious users to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.
This module tests whether a directory traversal vulnerability is present in Apache Tomcat 4.1.0 - 4.1.37, 5.5.0 - 5.5.26 and 6.0.0 - 6.0.16 under specific, non-default installations. The connector must have allowLinking set to true and URIEncoding set to UTF-8. Furthermore, the vulnerability actually lies in Java rather than in Tomcat itself: the server must run a Java version prior to Sun 1.4.2_19, 1.5.0_17 or 6u11, or an IBM Java release prior to 5.0 SR9, 1.4.2 SR13 or SE 6 SR4. This module has only been tested against RedHat 9 running Tomcat 6.0.16 and Sun JRE 1.5.0-05. You may wish to change FILE (hosts, sensitive files), MAXDIRS and RPORT depending on your environment.
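The two settings named above, URIEncoding="UTF-8" on a Connector and allowLinking="true" on a Context, are both non-default, so a defender can audit for the exposed combination before touching a server. The script below is an added example, not code from the Metasploit module or any referenced project: it parses a Tomcat server.xml (the XML is a constructed sample), reports which connectors and contexts carry the risky settings, and checks the reported Tomcat version against the affected ranges quoted in the advisory text. It does not check the JRE version, which the text says also matters; treat a positive result as "configuration matches the preconditions", not as proof of exploitability.

```python
"""
Added example (not part of the Metasploit module or any referenced project):
flag Tomcat configurations that combine URIEncoding="UTF-8" on a Connector
with allowLinking="true" on a Context, and compare the Tomcat version against
the affected ranges stated in the advisory. The JRE version is not checked.
"""
import xml.etree.ElementTree as ET

# Affected Tomcat ranges from the advisory text, (first, last) inclusive.
AFFECTED_RANGES = [
    ((4, 1, 0), (4, 1, 37)),
    ((5, 5, 0), (5, 5, 26)),
    ((6, 0, 0), (6, 0, 16)),
]

# Constructed sample server.xml: one UTF-8 connector, one plain connector,
# and one context that permits symlinks.
SAMPLE_SERVER_XML = """<Server port="8005">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8"/>
    <Connector port="8443" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/app" docBase="app" allowLinking="true"/>
        <Context path="/other" docBase="other"/>
      </Host>
    </Engine>
  </Service>
</Server>"""


def parse_version(version):
    """Turn '6.0.16' into (6, 0, 16) so ranges compare as tuples."""
    return tuple(int(part) for part in version.split("."))


def version_affected(version):
    """True if the Tomcat version falls inside any advisory range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def risky_settings(xml_text):
    """Return (connector ports using UTF-8, context paths with allowLinking).

    Works on server.xml or on a standalone context.xml, since iter() visits
    the root element as well as its descendants.
    """
    root = ET.fromstring(xml_text)
    utf8_ports = [
        c.get("port", "?") for c in root.iter("Connector")
        if (c.get("URIEncoding") or "").upper() == "UTF-8"
    ]
    linking_paths = [
        c.get("path", "") for c in root.iter("Context")
        if (c.get("allowLinking") or "").lower() == "true"
    ]
    return utf8_ports, linking_paths


def assess(xml_text, tomcat_version):
    """Return (exposed, findings): exposed only when all three preconditions hold."""
    ports, paths = risky_settings(xml_text)
    findings = []
    affected = version_affected(tomcat_version)
    if affected:
        findings.append(f"Tomcat {tomcat_version} is within an affected range")
    if ports:
        findings.append(f"Connector(s) on port(s) {', '.join(ports)} set URIEncoding=UTF-8")
    if paths:
        findings.append(f"Context(s) {', '.join(paths)} set allowLinking=true")
    exposed = affected and bool(ports) and bool(paths)
    return exposed, findings


if __name__ == "__main__":
    exposed, findings = assess(SAMPLE_SERVER_XML, "6.0.16")
    print("EXPOSED" if exposed else "not exposed")
    for line in findings:
        print(" -", line)
```

Running it against the constructed sample with version 6.0.16 reports all three findings and marks the host exposed; the same configuration with version 6.0.18 reports the two settings but is not marked exposed, which is the right signal to prioritise patching over reconfiguring.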
msf > use auxiliary/admin/http/tomcat_utf8_traversal
msf auxiliary(tomcat_utf8_traversal) > show actions
    ...actions...
msf auxiliary(tomcat_utf8_traversal) > set ACTION <action-name>
msf auxiliary(tomcat_utf8_traversal) > show options
    ...show and set options...
msf auxiliary(tomcat_utf8_traversal) > run
This module tests whether a directory traversal vulnerability is present in Trend Micro DLP (Data Loss Prevention) Appliance v5.5 build <= 1294. The vulnerability appears to be caused by the Tomcat UTF-8 bug implemented in the tomcat_utf8_traversal module (CVE-2008-2938). This module simply tests for the same bug with Trend Micro specific settings. Note that in the Trend Micro appliance, /etc/shadow is not used and therefore password hashes are stored and anonymously accessible in the passwd file.
msf > use auxiliary/admin/http/trendmicro_dlp_traversal
msf auxiliary(trendmicro_dlp_traversal) > show actions
    ...actions...
msf auxiliary(trendmicro_dlp_traversal) > set ACTION <action-name>
msf auxiliary(trendmicro_dlp_traversal) > show options
    ...show and set options...
msf auxiliary(trendmicro_dlp_traversal) > run
Reproducible exploits for: CVE-2016-1240 CVE-2008-2938 CVE-2014-2064 CVE-2014-1904
Offensive technologies course
This repository contains descriptions of several vulnerabilities and the code that exploits them.
Exploitable environments can be found in the /dockerfiles/victim folder.
Attacker environments can be found in the /dockerfiles/attacker folder.
Everything comes as Docker images.
Exploited CVEs:
CVE-2008-2938 (Tomcat path traversal)
CVE-2014-1904 (Spring pat