CVE-2016-8735 - Remote Code Execution via JMX Ports

[princechaddha]

Is there an existing template for this?

• I have searched the existing templates.

Template requests

Description:
Apache Tomcat versions before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 are vulnerable to remote code execution if JmxRemoteLifecycleListener is used and the JMX ports are exposed to attackers. The vulnerability exists due to inconsistent credential type handling, which was not aligned with the CVE-2016-3427 Oracle patch. Attackers with access to JMX ports can exploit this issue to execute arbitrary code remotely.

Severity: Critical

POC:

• https://medium.com/tenable-techblog/achieving-rce-on-tomcat-via-cve-2016-8735-a-proof-of-concept-13df8a9ef0e0

References:

• RedHat Advisory
• SecurityFocus
• Tomcat Security Advisories

Shodan Query:
html:"Apache Tomcat"
cpe:"cpe:2.3:a:apache:tomcat"

CPE:
cpe:2.3:a:apache:tomcat::::::::
cpe:2.3:a:apache:tomcat:9.0.0:-:::::::*

Anything else?

No response

[princechaddha]

/bounty $200

[algora-pbc]

💎 $200 bounty • ProjectDiscovery Bounty Available for CVE Template Contribution

Steps to Contribute:

• Claim attempt: Comment /attempt #10893 on this issue to claim attempt.
• Write the Template: Create a high-quality Nuclei template for the specified CVE, following our Contribution Guidelines and Acceptance Criteria.
• Submit the Template: Open a pull request (PR) to projectdiscovery/nuclei-templates and include /claim #10893 in the PR body to claim the bounty.
• Receive Payment: Upon successful merge of your PR, you will receive 100% of the bounty through Algora.io within 2-5 days. Ensure you are eligible for payouts.

Thank you for contributing to projectdiscovery/nuclei-templates and helping us democratize security!

Acceptance Criteria: The template must include a complete POC and should not rely solely on version-based detection. Contributors are required to provide debug data(-debug) along with the template to help the triage team with validation. Rewards will only be given once the template is fully validated by the team. Templates that are incomplete or invalid will not be accepted. Avoid adding code templates for CVEs that can be achieved using HTTP, TCP, or JavaScript. Such templates are blocked by default and won’t produce results, so we prioritize creating templates with other protocols unless exceptions are made.
You can check the FAQ for the Nuclei Templates Community Rewards Program here.

Add a bounty • Share on socials

Attempt	Started (GMT+0)	Solution
🔴 @aybanda	Oct 26, 2024, 7:27:03 PM	WIP
🔴 @yanisoln	Nov 9, 2024, 12:24:42 AM	WIP
🔴 @hnd3884	Nov 10, 2024, 11:06:26 AM	#11171

[aybanda]

/attempt #10893

Algora profile	Completed bounties	Tech	Active attempts	Options
@aybanda	1 bounty from 1 project			Cancel attempt

[algora-pbc]

The bounty is up for grabs! Everyone is welcome to /attempt #10893 🙌

[digital-phoenix]

@ritikchaddha is java available to use as a code engine?

[yanisoln]

/attempt #10893

Algora profile	Completed bounties	Tech	Active attempts	Options
@yanisoln	1 bounty from 1 project			Cancel attempt

[hnd3884]

/attempt #10893

Algora profile	Completed bounties	Tech	Active attempts	Options
@hnd3884	1 projectdiscovery bounty	Java, PHP, HTML & more		Cancel attempt

[algora-pbc]

Note

The user @yanisoln is already attempting to complete issue #10893 and claim the bounty. We recommend checking in on @yanisoln's progress, and potentially collaborating, before starting a new solution.

[algora-pbc]

💡 @hnd3884 submitted a pull request that claims the bounty. You can visit your bounty board to reward.

[algora-pbc]

@yanisoln: Reminder that in 4 days the bounty will become up for grabs, so please submit a pull request before then 🙏