Threat Feed
critical advisory

Apache Axis 1.4 Server-Side Request Forgery Vulnerability (CVE-2019-0227) Exploit

A public exploit has been released for CVE-2019-0227, a Server-Side Request Forgery vulnerability in Apache Axis 1.4 and earlier, allowing unauthenticated remote command execution when `enableRemoteAdmin` is true via deployment of a malicious webservice and webshell.

A public exploit has been published detailing a Server-Side Request Forgery (SSRF) vulnerability in Apache Axis version 1.4 and earlier, tracked as CVE-2019-0227. The vulnerability can lead to remote command execution (RCE) if the enableRemoteAdmin attribute is set to true. An attacker can leverage the AdminService interface to deploy a malicious WebService and use a LogHandler to write a Webshell. The availability of a working exploit, particularly the axis_exp.py Python script, significantly increases the risk to unpatched Apache Axis installations with the enableRemoteAdmin setting enabled. This script automates the deployment of malicious services and facilitates interactive command execution on the compromised server.

Attack Chain

  1. The attacker sends a POST request to /axis/services/AdminService to deploy a malicious service.
  2. The deployed service creates a RandomService that triggers a RandomLog on each request.
  3. The RandomLog handler is configured to write a JSP webshell (e.g., shell.jsp) to the web application’s root directory (e.g., ../webapps/ROOT/shell.jsp).
  4. The attacker sends a POST request to /axis/services/RandomService to trigger the RandomLog handler and write the JSP webshell.
  5. The LogHandler writes the JSP code supplied in that request into the shell.jsp file.
  6. The attacker sends a GET request to /shell.jsp?c=command, where command is the system command to execute.
  7. The server executes the command passed in the c parameter and returns the result.
  8. The attacker gains arbitrary code execution on the target system.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to execute arbitrary system commands on the target server. This can lead to complete system compromise, data theft, and deployment of further malicious payloads. The exploit tool automates webshell deployment, lowering the barrier to entry for attackers. Exposed Apache Axis installations are vulnerable if the enableRemoteAdmin setting is enabled, and if exploited can result in significant data breaches.

Recommendation

  • Disable the enableRemoteAdmin attribute in the Apache Axis configuration to prevent remote administration as detailed in the advisory.
  • Monitor webserver logs for POST requests to /axis/services/AdminService as a potential indicator of exploit attempts (see the rule “Detect CVE-2019-0227 Exploitation Attempt via AdminService”).
  • Implement access controls to restrict access to the /services/AdminService endpoint.
  • Deploy the Sigma rule “Detect Webshell Creation via Axis LogHandler” to identify webshell creation attempts via the LogHandler.
  • Monitor webserver logs for GET requests to JSP files in the web application’s root directory with a ‘c’ parameter for command execution as indicators of compromise.
  • Upgrade to a supported and patched version of Apache Axis or migrate to another web service framework.
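To make the log-monitoring recommendations concrete, here is an added example (it is not part of the advisory and not one of the Sigma rules it references) that scans access-log lines for the two webserver-side indicators named above: a POST to /axis/services/AdminService and a GET to a JSP file at the web root carrying a `c` parameter. The log lines, client addresses and timestamps are constructed samples in combined log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic); the first three mimic the
# deploy / trigger / command steps of the attack chain, the last two are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /axis/services/AdminService HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "POST /axis/services/RandomService HTTP/1.1" 200 220
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /shell.jsp?c=id HTTP/1.1" 200 64
10.0.0.9 - - [01/Jan/2024:10:05:00 +0000] "GET /axis/services/Version?wsdl HTTP/1.1" 200 1800
10.0.0.9 - - [01/Jan/2024:10:05:01 +0000] "GET /index.jsp?page=home HTTP/1.1" 200 3000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return a finding label for one access-log line, or None if it looks benign."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, target = m.group("method"), m.group("target")
    parts = urlsplit(target)          # handles both "/path?q" and absolute URLs
    path = parts.path.lower()
    query = parse_qs(parts.query)
    # Indicator 1: POST to AdminService, the service-deployment step of the chain.
    if method == "POST" and path.endswith("/axis/services/adminservice"):
        return "adminservice_deploy_attempt"
    # Indicator 2: GET to a root-level .jsp with a 'c' query parameter.
    if method == "GET" and path.endswith(".jsp") and path.count("/") == 1 and "c" in query:
        return "webshell_command_execution"
    return None

def scan(log_text):
    """Scan a whole log; return (ip, timestamp, label, request) tuples for every hit."""
    findings = []
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            m = LINE_RE.match(line)
            findings.append((m.group("ip"), m.group("ts"), label,
                             m.group("method") + " " + m.group("target")))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

The file-write indicator from the second Sigma rule (JSP files appearing in the web root) needs a file-event source and is not covered by this access-log scan.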

Detection coverage (2 rules)

Detect CVE-2019-0227 Exploitation Attempt via AdminService (severity: high)

Detects CVE-2019-0227 exploitation attempt: POST request to AdminService to deploy malicious service.

Format: Sigma. Tactics: initial_access. Techniques: T1190, T1505.003. Log sources: webserver.

Detect Webshell Creation via Axis LogHandler (severity: critical)

Detects webshell creation via Axis LogHandler by monitoring for file writes to common webshell locations with JSP extensions.

Format: Sigma. Tactics: persistence. Techniques: T1190, T1505.003. Log sources: file_event, windows.


Indicators of compromise (1)

Type: url
Value: http://target.com:8080/axis/