# Hypothesis Ledger

## H1: DefaultServlet security-constraint method bypass to unauthenticated write
- Entrypoint: HTTP PUT/DELETE/POST to Apache Tomcat DefaultServlet with URL-pattern `/` security constraints.
- Attacker input: HTTP method, request path, and request body.
- Expected impact: Authentication/authorization bypass resulting in unauthenticated write or delete; possible higher impact if writable content becomes executable.
- Oracle: Vulnerable Tomcat 10.1.55 allows unauthenticated PUT while fixed Tomcat 10.1.56 blocks it.
- Commands/logs: Previous artifacts `bundle/logs/repro_run5.log`, `bundle/logs/repro_run6.log`; current exploratory JSP probes `bundle/logs/tmp_jsp_rce_probe.log`, `bundle/logs/tmp_jsp_variants_probe.log`.
- Outcome: partial
- Notes: The authz-bypass primitive was reproduced by the previous attempt, but it did not satisfy the target code-execution impact. Current follow-up tested direct `.jsp`, trailing slash, encoded slash, semicolon, and whitespace upload variants. Tomcat 10.1.55 created ordinary `.txt` and literal `shell.jsp ` files, but direct or variant `.jsp` upload did not produce executable JSP code. This path remains an authz/write issue, not the accepted RCE proof for this run.

## H2: Partial PUT FileStore session deserialization RCE (CVE-2025-24813)
- Entrypoint: Real HTTP request sequence to Apache Tomcat: `PUT /payload.session` with `Content-Range: bytes 0-5/100`, followed by `GET /index.jsp` with `Cookie: JSESSIONID=.payload`.
- Attacker input: Serialized Java object in the PUT body; request path `/payload.session`; session ID cookie `.payload`; command string embedded in the serialized object.
- Expected impact: Remote code execution through Tomcat deserializing an attacker-written FileStore session file.
- Oracle: Vulnerable Tomcat 10.1.34 creates `work/Catalina/localhost/ROOT/.payload.session`, returns a trigger error during deserialization, and creates `bundle/repro/vuln_rce_marker.txt` containing `id` output. Fixed Tomcat 10.1.35 should not create the FileStore session and should not create `bundle/repro/fixed_rce_marker.txt`.
- Commands/logs: `bundle/repro/reproduction_steps.sh`; `bundle/logs/repro_rce_run1.log`; `bundle/logs/repro_rce_run2.log`; `bundle/logs/cve2025_24813_requests.log`; `bundle/repro/runtime_manifest.json`; `bundle/repro/vuln_rce_marker.txt`.
- Outcome: confirmed
- Notes: Confirmed twice. The script explicitly enables documented preconditions: DefaultServlet `readonly=false`, partial PUT support, `PersistentManager` with default `FileStore`, and a deterministic deserialization gadget class deployed in the webapp. Vulnerable 10.1.34 executed `id` as the Tomcat process user (`uid=1000(vscode) gid=1000(vscode) groups=1000(vscode)`). Fixed 10.1.35, with the same preconditions, did not create the FileStore `.payload.session` and did not execute the command.

## H3: Published ysoserial-style CVE-2025-24813 gadget payload
- Entrypoint: Same partial PUT and `JSESSIONID=.payload` sequence as H2.
- Attacker input: Published base64 CommonsBeanutils/ysoserial gadget payload from a public PoC.
- Expected impact: Creation of `/tmp/RCE-success` by gadget execution.
- Oracle: `/tmp/RCE-success` exists after the trigger request on vulnerable Tomcat and not on fixed Tomcat.
- Commands/logs: `bundle/logs/tmp_cve2025_24813_probe.log`; `bundle/logs/tmp_cve2025_24813_curl_probe.log`.
- Outcome: partial
- Notes: The path-level vulnerability was reached: Tomcat 10.1.34 created `work/Catalina/localhost/ROOT/.payload.session` and trigger returned HTTP 500, while 10.1.35 returned 200 and did not create the work session. However, the published gadget did not create `/tmp/RCE-success` in this OpenJDK 25 environment, likely due gadget/JDK compatibility. This led to the deterministic webapp gadget used in H2.

## H4: RewriteValve normalization / WEB-INF exposure / PUT-to-RCE chain
- Entrypoint: HTTP request through Tomcat RewriteValve with crafted encoded or normalized path.
- Attacker input: Encoded path components and rewrite rule interactions.
- Expected impact: Exposure of protected WEB-INF/META-INF resources or a write-to-execution chain.
- Oracle: HTTP 200 disclosure of protected resource, creation of executable resource, or command marker.
- Commands/logs: Not executed in final budget after H2 confirmed full code execution.
- Outcome: blocked
- Notes: Lower priority once H2 produced a full RCE finding with fixed-version negative control.

## H5: WebDAV unauthenticated body handling and side effects
- Entrypoint: WebDAV servlet requests such as PROPFIND/PROPPATCH/PUT/LOCK.
- Attacker input: WebDAV method, XML request body, and target path.
- Expected impact: DoS, unintended file side effects, or write primitive.
- Oracle: Server error/crash, unexpected filesystem changes, or authorization bypass.
- Commands/logs: Not executed in final budget after H2 confirmed full code execution.
- Outcome: blocked
- Notes: Requires explicitly enabling WebDAV. Deferred because H2 satisfied the highest-impact target.

## H6: AJP connector authentication/secret edge cases
- Entrypoint: AJP protocol packets to a Tomcat AJP connector.
- Attacker input: AJP attributes, forwarded request metadata, and secret handling.
- Expected impact: Auth bypass or protected resource access.
- Oracle: Successful protected resource retrieval or privilege transition over AJP without valid authorization.
- Commands/logs: Not executed in final budget after H2 confirmed full code execution.
- Outcome: blocked
- Notes: Modern Tomcat disables or protects AJP by default; lower priority than confirmed HTTP RCE.

## H7: Cluster EncryptInterceptor replay/padding/bypass behavior
- Entrypoint: Tomcat cluster channel messages.
- Attacker input: Crafted or replayed cluster messages.
- Expected impact: Cluster message forgery, deserialization, or availability impact.
- Oracle: Accepted forged message, state mutation, or controlled exception/crash.
- Commands/logs: Not executed in final budget after H2 confirmed full code execution.
- Outcome: blocked
- Notes: Requires multi-node cluster setup and shared configuration. Deferred because H2 produced a concrete code-execution proof.

## Next best lead
- If additional coverage is required after fixing CVE-2025-24813, the next best lead is the RewriteValve normalization surface because it may combine path-confusion with protected-resource exposure or write routing. However, the current run already confirms a full remote HTTP-to-code-execution exploit chain on a real Tomcat runtime path.
