CVE-2009-3548
Published 2009-11-12
Priority P2 76 · high · 7.5 CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS 79.00% (99.5th percentile)
The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tomcat | — | — |
Detection & IOCs
- Detect POST requests to /manager/html/upload with multipart/form-data content type, which is the upload vector for WAR-based payload delivery against the Tomcat Manager application.
- Monitor for authenticated access to the Tomcat Manager app (/manager/html) followed immediately by a WAR file upload POST and subsequent JSP execution GET request; this sequence is characteristic of this exploit.
- Alert on default or blank credentials ('admin' with blank password) being used to authenticate to the Tomcat Manager application, as CVE-2009-3548 specifically concerns a blank default ADMIN password in the Windows installer.
- Look for random alphanumeric application base names (4–32 chars) deployed and then immediately undeployed via /manager/html/undeploy; this matches the exploit's cleanup behavior.
- Detect HTTP responses matching Apache Tomcat or Coyote server banners on non-standard ports, as the exploit fingerprints the server via the Server header pattern /Apache.*(Coyote|Tomcat)/.
- CVE-2009-3548 may overlap with CVE-2010-4094 (IBM Rational Quality Manager/Test Lab Manager default ADMIN password), so detections targeting default Tomcat Manager credentials may apply to both CVEs.
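
The upload, JSP request and undeploy sequence from the list above can be correlated per client in the Tomcat access log. The following is an added example, not part of the original page or of any referenced project; it assumes the common access-log pattern (`%h %l %u %t "%r" %s %b`), the sample lines are constructed, and because the access log records only the account name, the blank-password case is approximated by flagging the `admin` account.

```python
import re

# Constructed sample lines (assumed Tomcat "common" access-log pattern).
SAMPLE_LOG = """\
203.0.113.7 - admin [12/Nov/2009:10:00:01 +0000] "GET /manager/html HTTP/1.1" 200 17000
203.0.113.7 - admin [12/Nov/2009:10:00:02 +0000] "POST /manager/html/upload HTTP/1.1" 200 18000
203.0.113.7 - - [12/Nov/2009:10:00:03 +0000] "GET /q7XkP2mZ/Rt9a.jsp HTTP/1.1" 200 0
203.0.113.7 - admin [12/Nov/2009:10:00:04 +0000] "POST /manager/html/undeploy?path=/q7XkP2mZ HTTP/1.1" 200 17000
198.51.100.20 - ops [12/Nov/2009:11:30:00 +0000] "POST /manager/html/upload HTTP/1.1" 200 18000
198.51.100.20 - - [12/Nov/2009:11:30:09 +0000] "GET /billing/index.jsp HTTP/1.1" 200 5120
"""

LINE = re.compile(r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                  r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Context names limited to 4-32 alphanumerics, as in the detection note above.
CTX_JSP = re.compile(r'^/(?P<ctx>[A-Za-z0-9]{4,32})/[^?]*\.jsp')
UNDEPLOY = re.compile(r'^/manager/html/undeploy\?(?:.*&)?path=/'
                      r'(?P<ctx>[A-Za-z0-9]{4,32})(?:&|$)')

def correlate(log_text):
    """Return one finding per client completing upload -> JSP hit -> undeploy."""
    state = {}      # client IP -> {"user": uploader, "hit": contexts requested}
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m["status"] != "200":
            continue
        ip, method, uri = m["ip"], m["method"], m["uri"]
        if method == "POST" and uri.split("?")[0] == "/manager/html/upload":
            state[ip] = {"user": m["user"], "hit": set()}    # stage 1: WAR upload
        elif ip in state and method == "GET" and (j := CTX_JSP.match(uri)):
            state[ip]["hit"].add(j["ctx"])                   # stage 2: JSP request
        elif ip in state and (u := UNDEPLOY.match(uri)) and u["ctx"] in state[ip]["hit"]:
            user = state.pop(ip)["user"]                     # stage 3: cleanup
            findings.append({"ip": ip, "user": user, "context": u["ctx"],
                             "default_account": user.lower() == "admin"})
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

The second client uploads and serves an application without undeploying it, so it produces no finding; tune the stage-2 pattern if legitimate deployments in your environment are short-lived.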
GHSA
GHSA-fqc2-x4j5-637f · CVE-2010-4094 [HIGH]
ghsa_unreviewed · 2022-05-17 · CVSS 7.5
The Tomcat server in IBM Rational Quality Manager and Rational Test Lab Manager has a default password for the ADMIN account, which makes it easier for remote attackers to execute arbitrary code by leveraging access to the manager role. NOTE: this might overlap CVE-2009-3548.
GHSA
GHSA-975h-h4pp-737q · CVE-2009-3548 [HIGH]
ghsa_unreviewed · 2022-05-02
The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.
VMware
VMSA-2011-0003: Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
vendor_vmware · 2011-02-10 · CVSS 5.0
CVE-2008-0085 [MEDIUM]
CVEs: CVE-2008-0085, CVE-2008-0086, CVE-2008-0106, CVE-2008-0107, CVE-2008-3825, CVE-2008-5416, CVE-2009-1384, CVE-2009-2693, CVE-2009-2901, CVE-2009-2902, CVE-2009-3548, CVE-2009-3555, CVE-2009-4308, CVE-2010-0003, CVE-2010-0007, CVE-2010-0008, CVE-2010-0082, CVE-2010-0084, CVE-2010-0085,
No detection rules found.
Exploit-DB
Apache Tomcat Manager - Application Upload (Authenticated) Code Execution (Metasploit)
exploitdb · 2014-02-05 · CVE-2009-3548
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # Server banner pattern checked before the module runs
  HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] }

  CSRF_VAR = 'CSRF_NONCE='

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Apache Tomcat Manager Application Upload Authenticated Code Execution',
      'Description' => %q{
        This module can be used to execute a payload on Apache Tomcat servers that
        have an exposed "manager" application. The payload is uploaded as a WAR archive
        containing a jsp application using a POST request against the /manager/html/upload
        component.
        N
```
Exploit-DB
Apache Tomcat Manager - Application Deployer (Authenticated) Code Execution (Metasploit)
exploitdb · 2010-12-14 · CVE-2010-4094
---
```ruby
##
# $Id: tomcat_mgr_deploy.rb 11330 2010-12-14 17:26:44Z egypt $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # Server banner pattern checked before the module runs
  HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Apache Tomcat Manager Application Deployer Authenticated Code Execution',
      'Description' => %q{
        This module can be used to execute a payload on Apache Tomcat servers that
        have an
```
Metasploit
Apache Tomcat Manager Application Deployer Authenticated Code Execution
metasploit
This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a PUT request. The manager application can also be abused using /manager/html/upload, but that method is not implemented in this module. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.
Metasploit
Apache Tomcat Manager Authenticated Upload Code Execution
metasploit
This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.
Metasploit
Tomcat Application Manager Login Utility
metasploit
This module simply attempts to login to a Tomcat Application Manager instance using a specific user/pass.