A vulnerability in the popular Apache Tomcat web server is ripe for active attack, thanks to a proof-of-concept (PoC) exploit making an appearance on GitHub. The now-patched bug affects Tomcat versions 7.0, 8.5 and 9.0.
According to Flashpoint analysts Cheng Lu and Steven Ouellette, an exploit for the “Ghostcat” security bug (tracked as CVE-2020-1938 and first publicly disclosed Feb. 20) reliably allows information disclosure via file retrieval on a vulnerable server – without authentication or a user being tricked into a compromising interaction. And, in some situations, it could allow remote code execution, they said.
“Due to the nature of the vulnerability, [the exploit] can be leveraged without any user interactions and with high reliability, with low chance of causing the vulnerable server to crash,” explained the researchers, in a posting on Friday. The duo said they’ve confirmed that the PoC works.
The Bug
The Apache Tomcat open-source web server supports various JavaScript-based technologies, including the Apache JServ Protocol (AJP) interface, which is where the vulnerability resides.
The AJP binary protocol – in essence a connector – allows the Tomcat servlet container, which is called Catalina, to communicate out to web applications to support extended functionalities for websites.
“The AJP connector handles inbound requests [from applications] and passes to Catalina,” wrote Lu and Ouellette. “Catalina then passes the request to the proper web application and receives the dynamically generated content. This content is then sent back over the network by the AJP connector as the response to the request.”
This connector is “highly trusted…and should not be exposed over an untrusted network, as it may be leveraged to gain complete access to the application server,” the researchers warned, adding that it “is expected to be exposed only internally.”
However, in a default Tomcat installation on Windows 10, Tomcat’s AJP port (8009) is exposed – allowing outside users to interact with, and gain access to, the Tomcat server itself. The PoC exploit demonstrates how this state of affairs can be used to expose files.
The PoC code, written in Python, is capable of creating and sending an AJP request to a specified IP address, with a valid file path and name that the attacker would like to receive. A vulnerable server will return the file as a stream back to the PoC code, displaying it on the attacker’s screen. Where the requested file is not a plain text file, the output stream can be saved and opened with an appropriate application.
“Through the AJP connector, an attacker can retrieve arbitrary files from Tomcat’s web root, including the files residing within the ‘WEB-INF’ and ‘META-INF’ directories through the ServletContext.getResourceAsStream() function,” according to the Flashpoint posting. “Additionally, arbitrary files within the web application on the vulnerable Tomcat server can be processed as a JSP page through the AJP connector.”
Remote Code Execution
The bug does open the door to RCE, according to the researchers. If a vulnerable Tomcat server also allows file uploads (not the default setting, by the way), an attacker could upload their own code via the AJP connector.
However, there’s a big catch. To accomplish RCE, an attacker would need to find a web application that accepts file uploads that is running on a vulnerable Tomcat server. Attackers can’t themselves simply change the server settings to allow file uploads.
“The file-upload requirement can only be implemented by the web application developer, rather than the attacker,” according to the analysis. “For this reason, only a portion of the vulnerable Tomcat servers may suffer the code-execution impact from this vulnerability.”
Further, the publicly available PoC code doesn’t support execution of files on a vulnerable server even with the prerequisites in place. “However, such capability can be implemented on the basis of the PoC code with relative ease,” the researchers warned.
Web admins should update their Apache Tomcat instances to version 8.5.51 to avoid becoming victims; or, if they don’t make use of AJP connectors, they can simply disable them, Lu and Ouellette noted. “Users can also consider exposing the connector only in the trusted network segment, rather than exposing it to the entire network, to reduce attack surface,” they added.
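The three mitigations above (patch, disable the connector, or restrict where it listens) all come down to how the AJP `<Connector>` is declared in Tomcat’s `server.xml`. The following script is an added example, not code from Flashpoint or the Tomcat project: it audits a `server.xml` for AJP connectors that are not bound to loopback or that lack a shared secret, and shows a constructed pre-patch default beside a hardened declaration and a disabled one. It assumes the connector attribute names `address`, `secretRequired` and `secret` as documented for Tomcat 8.5.51 and 9.0.31 onward; the sample configurations and the placeholder secret are constructed for illustration.

```python
"""Audit a Tomcat server.xml for AJP connectors exposed in the Ghostcat manner.

Added example, not part of the Flashpoint analysis or of Tomcat itself.
Assumes Tomcat 8.5.51+/9.0.31+ attribute names: address, secretRequired, secret.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Bind addresses that keep the connector off the network.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "0:0:0:0:0:0:0:1"}

# Constructed sample: the pre-8.5.51 default, listening on all interfaces with no secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""

# Constructed sample: AJP kept, but bound to loopback and requiring a shared secret
# (the same secret must be configured on the mod_jk / mod_proxy_ajp side).
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-SECRET"
               redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""

# Constructed sample: AJP not needed, so the connector is commented out entirely.
DISABLED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""


def audit_ajp_connectors(server_xml: str) -> List[Dict]:
    """Return one record per AJP connector with a list of exposure issues found."""
    root = ET.fromstring(server_xml)  # XML comments are dropped, so a commented-out connector is absent
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "AJP" not in protocol.upper():  # matches "AJP/1.3" and the org.apache.coyote.ajp.* class names
            continue
        issues = []
        address = conn.get("address")
        if address is None or address not in LOOPBACK:
            issues.append(
                f"AJP connector on port {conn.get('port')} listens on address={address!r}, "
                "not loopback: reachable from the network"
            )
        secret_required = conn.get("secretRequired", "true").lower() != "false"
        secret = conn.get("secret")
        if not secret_required:
            issues.append('secretRequired="false": AJP requests are accepted without a shared secret')
        elif not secret:
            # 8.5.51+ refuses to start such a connector; older builds simply run it unauthenticated.
            issues.append("no shared secret configured for the AJP connector")
        findings.append({"port": conn.get("port"), "address": address, "issues": issues})
    return findings


def is_exposed(server_xml: str) -> bool:
    """True if any AJP connector in the configuration has at least one issue."""
    return any(f["issues"] for f in audit_ajp_connectors(server_xml))


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML),
                       ("hardened", HARDENED_SERVER_XML),
                       ("disabled", DISABLED_SERVER_XML)):
        print(f"[{label}] exposed={is_exposed(xml)}")
        for finding in audit_ajp_connectors(xml):
            for issue in finding["issues"]:
                print("   -", issue)
```

Run it against a real `server.xml` by passing the file contents to `audit_ajp_connectors`. The check is deliberately conservative: a connector bound to a non-loopback address is flagged even when it sits on a trusted segment, so that the decision to expose it there is made explicitly rather than inherited from the old default.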
Absent those steps, the barrier to exploitation is very low – so businesses should brace for attacks.
“Publicly available PoC and exploit code make the exploitation of this vulnerability more accessible to threat actors of all skill levels. The mass scan activities could identify internet-facing instances of Tomcat susceptible to attacks. Therefore, Flashpoint analysts assess with moderate confidence that this vulnerability may see active exploitation attempts in the coming days in a more targeted fashion.”