CVE-2007-0774
published 2007-03-04

CVE-2007-0774: Stack-based buffer overflow in the map_uri_to_worker function (native/common/jk_uri_worker_map.c) in mod_jk.so for Apache Tomcat JK Web Server Connector 1.2.19…

Priority: P2 / 70 / high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: yes
EPSS: 81.51% (99.6th percentile)
Stack-based buffer overflow in the map_uri_to_worker function (native/common/jk_uri_worker_map.c) in mod_jk.so for Apache Tomcat JK Web Server Connector 1.2.19 and 1.2.20, as used in Tomcat 4.1.34 and 5.5.20, allows remote attackers to execute arbitrary code via a long URL that triggers the overflow in a URI worker map routine.

Affected (4 ranges)

Vendor   Product                                    Version range                               Fixed in
apache   tomcat_jk_web_server_connector             (not listed)                                (not listed)
apache   tomcat_jk_web_server_connector             (not listed)                                (not listed)
cisco    wireless_control_system_tomcat_mod_jk.so   (not listed)                                (not listed)
debian   libapache-mod-jk                           < libapache-mod-jk 1:1.2.21-1 (bookworm)    libapache-mod-jk 1:1.2.21-1 (bookworm)

Detection & IOCs (extracted from sources)

  • Fingerprint vulnerable servers by checking the HTTP Server response header for 'Apache/<version> (Win32) mod_jk/1.2.20'.
  • The exploit payload avoids a fixed set of bad characters; network signatures should therefore look for long URI paths that contain no null bytes, tabs, newlines, spaces, #, %, &, /, ;, ?, or backslash.
  • On Linux targets, watch for bind-shell connections on port 8282 following exploitation of mod_jk.
  • SEH overwrite offsets for Win32 targets are 4343 (Apache 1.3.37), 4407 (Apache 2.0.59), and 4423 (Apache 2.2.3); use these to tune URI-length thresholds in detection rules.
  • The vulnerable code path is map_uri_to_worker in native/common/jk_uri_worker_map.c; audit or monitor the process memory of Apache workers loading mod_jk 1.2.19 or 1.2.20.
  • The Win32 Metasploit exploit targets only mod_jk 1.2.20 on Windows; the Linux exec-shield exploit targets mod_jk 1.2.19 and 1.2.20 on Fedora Core 5 and 6 with specific return addresses, so detection offsets differ per platform.
  • Cisco WCS embeds the vulnerable mod_jk.so; patching standard Apache Tomcat may not address the Cisco WCS exposure, which requires a separate vendor fix.
  • The Linux exploit uses a ret-into-strcpy@plt technique to bypass exec-shield, so standard NX/DEP bypass detections may not apply; the exploit chains multiple pop/pop/pop/ret gadgets at hardcoded addresses specific to each Fedora Core build.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv             -         7.5     HIGH       -
vendor_cisco    -         7.5     HIGH       -
vendor_debian   -         7.5     MEDIUM     -
vendor_redhat   -         7.5     HIGH       -