As mentioned, this is not a recommended or common configuration. Lastly, after these two prerequisites are met, a potential attacker would have to be able to reach the Tomcat AJP Connector (default port 8009) directly from the internet through the reverse-proxy, which is an externally exposed AJP. In addition, from a developer perspective, it makes little sense for a file upload feature to upload files inside the root folder since most of the Apache Tomcat applications are deployed as a. This prerequisite by itself is unlikely or difficult to orchestrate for two reasons: 1) It is uncommon in Java applications to save files in its application root folder and 2) the application root folder is transitory, so this folder is completely overwritten whenever a new version of the application is deployed. Once an attacker has compromised the application and was able to upload the malicious file, the files would need to be saved inside the application root folder. These files are saved inside the document root. The need to interpret the file as JSP would only arise in cases where the upload vulnerability restricts certain file extensions such as JPG or TXT. If this is the case, it would be more convenient for a potential attacker to use the web application itself with a file upload vulnerability to upload a malicious web shell file. This first prerequisite means that an application with a file upload feature should already be installed in the system for the RCE to be possible. João Matos, a well-known security researcher from Brazil, identified the prerequisites needed for Ghostcat to become an RCE The web application needs to allow file upload and storage of these uploaded files within the web application itself and combined with the ability to process a file as a JSP This is important to point out, as it’s one of the prerequisites for the RCE scenario. The bottom line is that AJP is not, by nature, exposed externally. AJP is implemented as a module in the Apache HTTP Server, represented as mod_jk or mod_proxy_ajp. In simple terms, this means that the HTTP Connector is exposed to clients, while the AJP is used internally between the webserver (e.g., Apache HTTPD) and the Apache Tomcat server (illustrated in Figure 1). It is mainly used in a cluster or reverse proxy scenario where web servers communicate with application servers or servlet containers. The AJP is a binary protocol used by the Apache Tomcat webserver to communicate with the servlet container that sits behind the webserver using TCP connections. Lets first talk about AJP (Apache Jserv Protocol) The AJP Protocol In addition, if the website application allows users upload file, an attacker can first upload a file containing malicious JSP script code to the server (the uploaded file itself can be any type of file, such as pictures, plain text files etc.), and then include the uploaded file by exploiting the Ghostcat vulnerability, which finally can result in remote code execution This vulnerability affects all versions of Tomcat in the default configuration (when we found this vulnerability, it was confirmed that it affected all versions of Tomcat 9/8/7/6, and older versions that were too old were not verified), which means that it has been dormant in Tomcat for more than a decade.īy exploiting the Ghostcat vulnerability, an attacker can read the contents of configuration files and source code files of all webapps deployed on Tomcat. This blog entry seeks to put the most feared Ghostcat-related scenario into perspective by delving into the unlikely circumstances that would make it possible to allow an RCE through the vulnerability. Today we are talking about recently came vulnerability discovered by Chaitin Tech security researchers in Feb 2020 it was named ghostcat by the researchersĪpache Tomcat is a popular open-source Java servlet container, so the discovery of Ghostcat understandably set off some alarms. And Using It to Compromise a Tomcat Machine on Tryhackme
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |