CVE-2007-0774
Published: 2007-03-04
Priority: P2 · 70 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit code exists (see the Exploit-DB and Metasploit records below)
EPSS: 81.51% (99.6th percentile)
Stack-based buffer overflow in the map_uri_to_worker function (native/common/jk_uri_worker_map.c) in mod_jk.so for Apache Tomcat JK Web Server Connector 1.2.19 and 1.2.20, as used in Tomcat 4.1.34 and 5.5.20, allows remote attackers to execute arbitrary code via a long URL that triggers the overflow in a URI worker map routine.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tomcat_jk_web_server_connector | — | — |
| apache | tomcat_jk_web_server_connector | — | — |
| cisco | wireless_control_system_tomcat_mod_jk.so | — | — |
| debian | libapache-mod-jk | < libapache-mod-jk 1:1.2.21-1 (bookworm) | libapache-mod-jk 1:1.2.21-1 (bookworm) |
Detection & IOCs (extracted from sources)
- Fingerprint vulnerable servers by checking the HTTP Server response header for 'Apache/<version> (Win32) mod_jk/1.2.20'.
- The public exploit payload avoids a fixed set of bad characters; network signatures should look for long URI paths that contain none of: null bytes, tabs, newlines, spaces, #, %, &, /, ;, ?, and backslash.
- On Linux targets, watch for bind-shell connections on port 8282 following exploitation of mod_jk.
- SEH overwrite offsets for Win32 targets are 4343 (Apache 1.3.37), 4407 (Apache 2.0.59), and 4423 (Apache 2.2.3); use these to tune URI-length thresholds in detection rules.
- The vulnerable code path is map_uri_to_worker in native/common/jk_uri_worker_map.c; audit or monitor process memory of Apache workers loading mod_jk 1.2.19 or 1.2.20.
- The Win32 Metasploit exploit targets only mod_jk 1.2.20 on Windows; the Linux exec-shield exploit targets mod_jk 1.2.19 and 1.2.20 on Fedora Core 5 and 6 with specific return addresses, so detection offsets differ per platform.
- Cisco WCS embeds the vulnerable mod_jk.so; patching standard Apache Tomcat may not address the Cisco WCS exposure, which requires a separate vendor fix.
- The Linux exploit uses a ret-into-strcpy@plt technique to bypass exec-shield, so standard NX/DEP bypass detections may not apply; the exploit chains multiple pop/pop/pop/ret gadgets at hardcoded addresses specific to each Fedora Core build.
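To turn the URI-length and bad-character notes above into a concrete log check, here is an added Python example (not from any of the sources on this page) that scans constructed Apache combined-format access-log lines; the 4000-byte threshold, the log format regex and the sample lines are assumptions.

```python
import re

# Characters the public exploit payload avoids (from the detection notes above);
# a long path segment free of all of them is the pattern worth flagging.
BAD_CHARS = set("\x00\t\n #%&/;?\\")

# Assumed threshold (not from the page): the smallest published SEH overwrite
# offset is 4343 bytes, so 4000 leaves a margin while staying far above normal paths.
URI_LENGTH_THRESHOLD = 4000

# Apache combined log format; the request field is "METHOD PATH HTTP/x.y".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def is_modjk_overflow_candidate(path: str, threshold: int = URI_LENGTH_THRESHOLD) -> bool:
    """True if the path looks like a CVE-2007-0774 overflow attempt: one oversized
    segment after the leading slash containing none of the bad characters."""
    segment = path[1:] if path.startswith("/") else path
    if len(segment) < threshold:
        return False
    return not any(c in BAD_CHARS for c in segment)


def scan_access_log(lines):
    """Return [(client_ip, path_length)] for every request line that is flagged."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_modjk_overflow_candidate(m.group("path")):
            hits.append((m.group("ip"), len(m.group("path"))))
    return hits


# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Mar/2007:10:00:00 +0000] "GET /examples/index.jsp HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/Mar/2007:10:00:01 +0000] "GET /' + "A" * 4500 + ' HTTP/1.0" 400 0',
    # Long but benign-shaped: contains slashes and a query string, so it is not flagged.
    '10.0.0.7 - - [04/Mar/2007:10:00:02 +0000] "GET /app/' + "B" * 4500 + '?x=1 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, n in scan_access_log(SAMPLE_LOG):
        print(f"possible mod_jk overflow attempt from {ip}: path length {n}")
```

Lower the threshold only after measuring the longest legitimate path your JkMount-ed applications produce, otherwise the rule will fire on long but harmless requests.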
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_cisco | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | MEDIUM | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
GHSA-5cwp-c46g-8v55 · ghsa_unreviewed · 2022-05-01 · HIGH
Description: identical to the CVE description above.
OSV
CVE-2007-0774 · osv · 2007-03-04 · CVSS 7.5 · HIGH
Description: identical to the CVE description above.
Cisco
Cisco Wireless Control System Tomcat mod_jk.so Vulnerability · vendor_cisco · 2008-01-30 · CVSS 7.5 · HIGH · CWE-119
Apache Tomcat is the servlet container for JavaServlet and JavaServer Pages Web within the Cisco Wireless Control System (WCS). A vulnerability exists in the mod_jk.so URI handler within Apache Tomcat which, if exploited, may result in a remote code execution attack.
This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080130-wcs.
Red Hat
security flaw · vendor_redhat · 2007-02-27 · CVSS 7.5 · HIGH
Description: identical to the CVE description above.
Debian
libapache-mod-jk · vendor_debian · 2007 · CVSS 7.5 · HIGH
Description: identical to the CVE description above.
Scope: local
- bookworm: resolved (fixed in 1:1.2.21-1)
- bullseye: resolved (fixed in 1:1.2.21-1)
- forky: resolved (fixed in 1:1.2.21-1)
- sid: resolved (fixed in 1:1.2.21-1)
- trixie: resolved (fixed in 1:1.2.21-1)
Cisco
Cisco Wireless Control System Tomcat mod_jk.so Vulnerability · vendor_cisco (duplicate record)
Advisory text: identical to the Cisco record above.
CWE: CWE-119
Bug ID: CSCsk18191
No detection rules found.
Exploit-DB
Apache Tomcat mod_jk 1.2.20 - Remote Buffer Overflow (Metasploit) · exploitdb · 2010-07-25
---
```ruby
##
# $Id: apache_modjk_overflow.rb 9929 2010-07-25 21:37:54Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Apache mod_jk 1.2.20 Buffer Overflow',
'Description' => %q{
This is a stack buffer overflow exploit for mod_jk 1.2.20.
Should work on any Win32 OS.
},
'Author' => 'Nicob ',
'Version' => '$Revision: 9929 $',
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2007-0774' ],
[ 'OSVDB', '33855' ],
[ 'BID', '22791' ],
[ 'URL', 'http://www.zerodayinitiative.com
```
Exploit-DB
Apache Tomcat Connector mod_jk - 'exec-shield' Remote Overflow · exploitdb · 2007-07-08
---
```c
/*
**
** Fedora Core 5,6 (exec-shield) based
** Apache Tomcat Connector (mod_jk) remote overflow exploit
** by Xpl017Elz
**
** Advanced exploitation in exec-shield (Fedora Core case study)
** URL: http://x82.inetcop.org/h0me/papers/FC_exploit/FC_exploit.txt
**
** Reference: https://www.securityfocus.com/bid/22791
** vendor: http://tomcat.apache.org/
**
** eliteboy's exploit (SUSE, Debian, FreeBSD):
** http://www.milw0rm.com/exploits/4093
**
** Nicob 's exploit (Win32):
** http://downloads.securityfocus.com/vulnerabilities/exploits/apache_modjk_overflow.rb
**
** --
** exploit by "you dong-hun"(Xpl017Elz), .
** My World: http://x82.inetcop.org
**
*/
#include
#include
#include
#include
#include
#include
#include
#ifdef __li
```
Metasploit
Apache mod_jk 1.2.20 Buffer Overflow · metasploit
This is a stack buffer overflow exploit for mod_jk 1.2.20. Should work on any Win32 OS.
Bugzilla
CVE-2007-0774 security flaw · bugzilla · 2018-08-16 · CVSS 7.5 · HIGH
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description: identical to the CVE description above.
Bugzilla
CVE-2007-1217 Kernel: CAPI overflow · bugzilla · 2007-11-28 · CVSS 6.9 · MEDIUM
Description of problem:
Buffer overflow in the bufprint function in capiutil.c in libcapi, as used in Linux kernel 2.6.9 to 2.6.20 and isdn4k-utils, allows local users to cause a denial of service (crash) and possibly gain privileges via a crafted CAPI packet.
This issue is public via:
http://bugs.gentoo.org/show_bug.cgi?id=170867
The reporter (Sune Kloppenborg Jeppesen) did not attach a patch :o(.
Discussion:
This was addressed via:
- Red Hat Enterprise Linux version 3 (RHSA-2007:0671)
- Red Hat Enterprise Linux version 2.1 (RHSA-2007:0672)
- Red Hat Linux Advanced Workstation 2.1 (RHSA-2007:0673)
- Red Hat Enterprise Linux version 5 (RHSA-2007:0705)
- Red Hat Enterprise Linux version 4 (RHSA-2007:0774)
Bugzilla
CVE-2007-0774 mod_jk overflow flaw · bugzilla · 2007-04-12 · CVSS 7.5 · HIGH
+++ This bug was initially created as a clone of Bug #230045 +++
This issue is embargoed until probably Tue 27th Feb (it may well be Wed). Please do not release anything until you see an update publicly on the Tomcat site (tomcat.apache.org).
-- VULNERABILITY DETAILS -----------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apache Tomcat Connector. Authentication is not required to exploit this vulnerability.
The specific flaw exists in the URI handler for the mod_jk.so library. When parsing a long URL request, the URI worker map routine performs an unsafe memory copy. This results in a stack overflow condition which can be leveraged to execute arbitrary code.
T
Bugzilla
CVE-2007-0774 mod_jk overflow flaw · bugzilla · 2007-02-26 · CVSS 7.5 · HIGH
Same embargo notice and vulnerability details as the cloned bug above, with one additional line:
The vulnerable routine exists in native/common/jk_uri_worker_map.c:
References
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
- http://secunia.com/advisories/24398
- http://secunia.com/advisories/24558
- http://secunia.com/advisories/27037
- http://secunia.com/advisories/28711
- http://securitytracker.com/id?1017719
- http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html
- http://tomcat.apache.org/security-jk.html
- http://www.cisco.com/en/US/products/products_security_advisory09186a008093f040.shtml
- http://www.gentoo.org/security/en/glsa/glsa-200703-16.xml
- http://www.redhat.com/support/errata/RHSA-2007-0096.html
- http://www.securityfocus.com/archive/1/461734/100/0/threaded
- http://www.securityfocus.com/bid/22791
- http://www.vupen.com/english/advisories/2007/0809
- http://www.vupen.com/english/advisories/2007/3386
- http://www.vupen.com/english/advisories/2008/0331
- http://www.zerodayinitiative.com/advisories/ZDI-07-008.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/32794
- https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5513
Published: 2007-03-04