![]() ![]() This high severity vulnerability could allow attackers to execute arbitrary commands by abusing an operating system command injection brought about by a Tomcat CGI Servlet input validation error. On April 15, Nightwatch Cybersecurity published information on CVE-2019-0232, a remote code execution (RCE) vulnerability involving Apache Tomcat’s Common Gateway Interface (CGI) Servlet. It implements several Java EE specifications, including Java Servlet, JavaServer Pages (JSP), Java Expression Language (EL), and WebSocket, and provides a "pure Java" HTTP web server environment in which Java code can run. Private static final String methodTransArray = else if(n.equals(Constants.Apache Tomcat, colloquially known as Tomcat Server, is an open-source Java Servlet container developed by a community with the support of the Apache Software Foundation (ASF). tomcat9.0.30/java/org/apache/coyote/ajp/Constants.java // Translates integer codes to names of HTTP methods ![]() Below are the basic methods and their byte codes: OPTIONS => 1 The next field after the code is the request method. Request_headers *(req_header_name req_header_value)Īttributes *(attribut_name attribute_value) ![]() Prefix_code (byte) 0x02 = JK_AJP13_FORWARD_REQUEST The body format of such a message is as follows: AJP13_FORWARD_REQUEST := It is used to send, for instance, GET/POST messages. Too bad, such packets are processed only if they have been sent from the host where Tomcat is running. Types of packets that can be sent to Tomcat containerĪ packet with the code 0x7 (Shutdown) immediately attracts attention because it shuts the server down. Accordingly, any popular web server (Nginx, Apache, IIS, etc.) should be used as the front-end. Because this is a binary protocol, the browser cannot send requests to AJP13 directly. Modern Tomcat versions use AJP 1.3 (AJP13). The sessions are passed to the right servers by a special routing mechanism where each application server gets its own name. In other words, AJP is an optimized, more powerful, and highly scalable version of HTTP.ĪJP is normally used to balance the load when one or several external web servers (front-end) send requests to the application server(s). Reading arbitrary files on the serverĪpache JServ Protocol (AJP) is a binary protocol designed as a more efficient alternative to HTTP. All versions are available in the archive section. By the way, if you don’t like Docker, you may download a version with ready-to-use binaries from the developer’s website. In addition to the web server, I need a sniffer, for instance, Wireshark. Proxying traffic to Tomcat via Apache over AJP If the attacker manages to upload a file to the server, the vulnerability can be used to remotely execute arbitrary code. A specially crafted request to the server allows to read the content of files that are inaccessible under normal circumstances. The Apache JServ Protocol (AJP) implementation allows to control attributes that form paths to the requested files. The bug enables the attacker to read arbitrary files on the target system inside the appBase directory. The vulnerability was recognized critical even and received a name, Ghostcat, and a logo. ![]() The bug was discovered by a researcher at Chaitin Tech earlier this year. It is installed, either as an independent solution or a servlet container, in various application servers (e.g. Tomcat is a popular web server that is frequently used in the corporate environment. It is written in Java and implements such specifications as JavaServer Pages (JSP) and JavaServer Faces (JSF). Tomcat is an open-source servlet container. Most importantly, the attacker does not need any rights in the target system to exploit this vulnerability. The problem lies in the implementation of the AJP protocol used to communicate with a Tomcat server. This article addresses a vulnerability in Apache Tomcat that enables the attacker to read files on the server and, under certain conditions, execute arbitrary code. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |