CVE-2019-0232 Exploitation Attempt

Aug 21, 2020 ·

Detecting the attempt of Remote Code Execution (RCE) in CGI Servlet

Sigma rule (View on GitHub)

 1title: CVE-2019-0232 Exploitation Attempt
 2id: 07ecfb70-540a-44f9-a6b0-892946d02625
 3status: experimental
 4description: Detecting the attempt of Remote Code Execution (RCE) in CGI Servlet
 5references:
 6    - https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/
 7author: Loginsoft Research Unit 
 8date: 2020/07/13
 9logsource:
10    product: Tomcat
11    category: webserver
12detection:
13    selection:
14      c-uri:
15        - '/cgi/*?*&*'
16      sc-status:
17        - 200
18        - 404
19    condition: selection
20falsepositives:
21  - Unknown
22level: critical```

References

Remote Code Execution (RCE) in CGI Servlet – Apache Tomcat on Windows – CVE-2019-0232

Summary Apache Tomcat has a vulnerability in the CGI Servlet which can be exploited to achieve remote code execution (RCE). This is only exploitable when running on Windows in a non-default configu…

Read More

CVE-2019-0232 Exploitation Attempt

Sigma rule (View on GitHub)

References

Remote Code Execution (RCE) in CGI Servlet &#8211; Apache Tomcat on Windows &#8211;&nbsp;CVE-2019-0232

Remote Code Execution (RCE) in CGI Servlet – Apache Tomcat on Windows – CVE-2019-0232